Authentication types-Describe security, compliance, privacy, and trust in Microsoft 365

The traditional means of authenticating a user’s identity is for the individual to supply an account name and a password. In Microsoft 365, administrators can create password policies that compel users to create long and complex passwords and change them frequently. However, passwords are always subject to potential weaknesses that make them an unwieldy authentication mechanism, including the following:

  • Users might struggle remembering long or complex passwords and write them down in unsecured locations.
  • Users might share their passwords with coworkers for the sake of convenience.
  • Users with dedicated accounts with elevated privileges might overuse their administrative passwords for everyday tasks.
  • Users might supply the same passwords for multiple services or resources, compounding the damage if a password on one server is compromised.
  • Users might be tricked into supplying their passwords by phishing or social engineering attacks.
  • Users’ identities might be compromised when their passwords are subjected to replay attacks, in which an intruder retransmits a captured password to gain access to a protected resource.
  • Users’ passwords might be compromised by malware that captures keystrokes and transmits them to an intruder.
  • Some users can be relentlessly clever in discovering ways to evade the password policies imposed on them.

Because human failings, rather than technological failings, cause some of the weaknesses of password-based authentication, strengthening user passwords is often an educational process. Administrators can devise policies to mitigate some password weaknesses, though urging users to abide by them can be difficult.

For example, a 20-character, randomly generated, administrator-assigned password would be extremely difficult for attackers to compromise, but it might be equally difficult to put down the outright insurrection that could result from the users forced to use them. Because of the complications inherent in using passwords, Microsoft 365 supports other types of authentication mechanisms that administrators can use instead of (or along with) passwords.

Windows Hello for Business is a desktop authentication mechanism that can replace passwords with certificate or key-pair authentication unlocked by a PIN or a biometric credential, such as a fingerprint scan or an infrared facial recognition process. Microsoft Authenticator is a mobile device app that enables users to sign in to a Microsoft account using a combination of authentication mechanisms, including PINs, biometrics, and one-time passcodes (OTPs).
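The one-time passcodes mentioned above are normally time-based (RFC 6238 TOTP, the scheme authenticator apps implement). The following added example, which is not from the book or from Microsoft, shows the server-side check and why a captured code cannot be replayed the way a captured password can: the code fails later because the time window has moved on, and it fails a second time within the same window because the verifier remembers the last window it accepted. The shared secret and timestamps are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP window (RFC 6238 default used by authenticator apps)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """What the user's authenticator app displays at Unix time `now`."""
    return hotp(secret, now // STEP)


class TotpVerifier:
    """Server side: accept only the current window, and never accept the same window twice."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_window = -1

    def verify(self, code: str, now: int) -> bool:
        window = now // STEP
        # A window that has already been used is a replay, even if the code still matches.
        if window <= self.last_accepted_window:
            return False
        if hmac.compare_digest(hotp(self.secret, window), code):
            self.last_accepted_window = window
            return True
        return False


def demo() -> dict:
    # Constructed shared secret (base32, as provisioned to an authenticator app) and timestamps.
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")
    verifier = TotpVerifier(secret)
    t0 = 1_700_000_010                     # start of a 30-second window
    code = totp(secret, t0)                # the code the user reads from the app
    return {
        "first_use": verifier.verify(code, t0 + 5),            # legitimate sign-in
        "replay_same_window": verifier.verify(code, t0 + 10),  # captured and resent at once
        "replay_later": verifier.verify(code, t0 + 120),       # captured and resent later
        "fresh_code_later": verifier.verify(totp(secret, t0 + 120), t0 + 120),
    }
```

The `hotp` function reproduces the RFC 4226 test vectors (secret `12345678901234567890`, counters 0 and 1 give `755224` and `287082`), so the verifier can be checked against a real authenticator app.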

Note: Identity Protection

For more information on protecting identities, see “Describe how Microsoft 365 addresses the most common threats” later in this chapter.

Authentication types

If identities are the doors and windows in the enterprise network environment, authentications are the locks that keep them secure. An administrator can grant a specific user the permissions needed to access a file, an application, or a service, but this means nothing unless there is some way to ensure that the individual using those permissions is really the person to whom they were assigned. Authentication is how individuals actually prove their identities.

There are three basic means of authenticating an individual’s identity. The individual must supply one or more of the following:

  • Something you know: A piece of information that only the individual possesses, such as a password or PIN
  • Something you are: A characteristic that is unique to the individual, such as a fingerprint or a facial scan
  • Something you have: A unique item that the individual possesses, such as an ID card or a smart phone
