Security Sessions at Microsoft Ignite

   31 Jan 2018

Microsoft Ignite is a conference of own standards. In 2017 it took place at Orlando, Florida. Luckily the city had recovered from the hurricanes. Microsoft had rented a conference centre with three large buildings to have room for the 25,000 participants. From one end to another it was a fast 15-minute walk. You had to be tactical when planning sessions so you could make it between the different rooms.

MS Ignite

In 2017 a broad spectrum of sessions in for example AI, Mixed Reality and Microsoft 365 were presented. A track worth extra mention is probably in security. It was a mixture of everything from password to penetration testing, to firewall settings, but I will address something that is relevant for literally every company.

Password is something everyone knows, and almost everyone uses. Unfortunately, it is also a headache and vulnerable. It is not only databases that are leaked with passwords now and then, but you also must have the human factor in mind. Today passwords that are hard for humans to remember and easy for computers to guess are used which leads to reusing, typing down passwords, and often that they are unsecure as well.

Microsoft works to make this better in one way using Windows Hello, a system built on PKI and local authentication. In short this means that from a user perspective they log in to their computer using finger prints, facial recognition or a PIN. In the background the finger print is only stored locally on the computer. To log in on the network the finger print is used to unlock a key which then can be used to prove who you are for the network without sending sensitive data. This protects several attacks, and has the advantage that you can’t forget your finger print.

Another solution that was presented is UbiKey. It is a physical gadget that resembles an USB stick with one button. A series of data, which can be resembled to a very long password, is sent if you press the button. This can be used to give access in a fast way, the stick is used as a password. The example was a store with season workers needing access to the terminals in the store. Of course, this is also a risk if you don’t keep track of the stick. Anyone with the stick in their hand also has access to the system it unlocks.

The third approach was two factor authentication. This is not something new in Sweden, but it is nice that Microsoft tries to apply it in the rest of the world. Microsoft Authenticator App is an app that you connect your Microsoft account to. When you want to log in you will get a code to the app that you enter instead of a password. The strength here is that you can prove that you have a physical object that only you can have. The difference to UbiKey is that most of us use some kind of password on the mobile phone, but it is also a risk factor to lose your phone.

Microsoft Ignite is a conference that we try to attend, in 2018 it will also take place in Orlando in September

Cecilia Geijer