The traditional means of authenticating a user’s identity is for the individual to supply an account name and a password. In Microsoft 365, administrators can create password policies that compel users to create long and complex passwords and change them frequently. However, passwords are always subject to potential weaknesses that make them an unwieldy authentication mechanism, including the following:
- Users might struggle remembering long or complex passwords and write them down in unsecured locations.
- Users might share their passwords with coworkers for the sake of convenience.
- Users with dedicated accounts with elevated privileges might overuse their administrative passwords for everyday tasks.
- Users might supply the same passwords for multiple services or resources, compounding the damage if a password on one server is compromised.
- Users might be tricked into supplying their passwords by phishing or social engineering attacks.
- Users’ identities might be compromised when their passwords are subjected to replay attacks, in which an intruder retransmits a captured password to gain access to a protected resource.
- Users’ passwords might be compromised by malware that captures keystrokes and transmits them to an intruder.
- Some users can be relentlessly clever in discovering ways to evade the password policies imposed on them.
Because human failings, rather than technological failings, cause some of the weaknesses of password-based authentication, strengthening user passwords is often an educational process. Administrators can devise policies to mitigate some password weaknesses, though urging users to abide by them can be difficult.
For example, a 20-character, randomly generated, administrator-assigned password would be extremely difficult for attackers to compromise, but it might be equally difficult to put down the outright insurrection that could result from the users forced to use them. Because of the complications inherent in using passwords, Microsoft 365 supports other types of authentication mechanisms that administrators can use instead of (or along with) passwords.
Windows Hello for Business is a desktop authentication mechanism that can replace passwords with certificate or key-pair authentication, unlocked by a PIN or a biometric credential, such as a fingerprint scan or an infrared facial recognition process. Microsoft Authenticator is a mobile device app that enables users to sign in to a Microsoft account using a combination of authentication mechanisms, including PINs, biometrics, and one-time passcodes (OTPs).
Note: Identity Protection
For more information on protecting identities, see “Describe how Microsoft 365 addresses the most common threats” later in this chapter.
Authentication types
If identities are the doors and windows in the enterprise network environment, authentications are the locks that keep them secure. An administrator can grant a specific user the permissions needed to access a file, an application, or a service, but this means nothing unless there is some way to ensure that the individual using those permissions is really the person to whom they were assigned. Authentication is how individuals actually prove their identities.
There are three basic means of authenticating an individual’s identity. The individual must supply one or more of the following:
- Something you know: A piece of information that only the individual possesses, such as a password or PIN
- Something you are: A characteristic that is unique to the individual, such as a fingerprint or a facial scan
- Something you have: A unique item that the individual possesses, such as an ID card or a smart phone