4 Tips on How to Move Your Microsoft Environment to Zero Trust

Unlock On-Demand Webinar

Video Transcript
Hi, everybody. It's time. So we're five past the hour. I think we've given many of you sufficient time to get logged in and ready to go. So since everybody was on time, let's get started more or less on time. So welcome to our one 1Kosmos webinar today for tips on how to move your Microsoft environment to Zero Trust. My name is Robert MacDonald. I am the VP of product marketing here at 1Kosmos. And with me, I have my good friend, Sheetal. Why don't you introduce yourself, Sheetal?

Hey everyone. My name is Sheetal. I'm the director of product management at 1Kosmos. I've been with 1Kosmos for the last year. Rob and me have been working together on a lot of exciting initiatives here at 1Kosmos. And we are here to tell you a little bit about that.

Yeah. Yeah. So we're going to go through some videos, some demos. We recorded them all because we didn't want anything weird to happen with internet. I don't know if you're aware, but here in Canada, which is where I'm based, the internet went out was last week, the week before last across the country, if you were with a particular provider. So we wanted to make sure nothing weird like that was going to get in our way. So let's jump in. So a quick agenda for today, the title explains it all, but to meet Zero Trust guidelines in your Microsoft environment, there's a couple of things you need to look at. Now, this isn't an exhaustive list by any stretch, but we want to highlight a couple of key areas that 1Kosmos can certainly help you with.

The first thing is securing Windows servers, virtual desktops, domain controllers, things along those lines. Those are probably some of your most secure required assets that you have within the organization. So making sure those are secure. Provide secure access to Linux. Unix and Mac operating systems. So things that fall outside of that typical Windows environment. Eliminate passwords when users transition to new hardware. So that trust on first use thing, especially if you're using a Windows hello for business or using that technology, that becomes a bit of an issue. Secure previous versions of Windows and unsupported hardware if you are using Windows hello for business. And then as a bonus, we're going to cover how to secure third-party contractor access, which opens up a whole host of issues. And there's a reason why I added that in. There was a recent posting from the FBI.

We're going to talk about that in a little bit, but that's a bonus one because that one is interesting. So before we get started, I'm going to flip things around. Normally we talk about who 1Kosmos is, at the end, we'll talk about all the problems and all the pain points, and then talk about what 1Kosmos can do. Today we're going to start with what 1Kosmos can do, because I think that's going to enable you to understand what we're showing and what we're doing as we're going through some of the demos that Sheetal's going to run through. So looking at that, we're an organization that delivers passwordless multifactor authentication with verified identity. Now, when you look at identity and access management, there's two sides of identity, there's the proofing of the identity.

So getting the identity into the system, and then there's the authentication of that identity as it flows through the ecosystem. So when you look at the first side of that, trying to prove who your employees and customers are, what that does is it establishes identity. And what we do is help you establish that identity so that you can remotely proof someone. So since COVID, as we all know, I mean, everybody's tired of hearing about COVID, but we had to move to this online first environment. So when you hired new people, you had to do that remotely, where in a lot of cases, maybe they come in and meet with HR and give you their documents so you could do the background checks and all that kind of stuff.

So what we do is we enable you to do that in a virtual environment. So you can do that online. We will take two forms of identification and we will match that identification and leverage that identification to real biometrics. So we'll take a picture or we'll scan the driver's license passport, we'll compare the information on those documents, we'll even do AMVA checks here in the United States against the driver's license to make sure the number's right, the birthday's right, the address is right, the name is right, all those things match. And then we'll capture a live selfie. We'll get the user to smile and blink to make sure that they're real, and we'll compare the image that we capture off of those documents with the live selfie that we just captured to see if there's a match.

So again, we're trying to ensure that user is who they claim to be. Moving on from that, when you want to grant somebody access, you need to make sure that they have access and it's only them, right? So it's not somebody else acting as them, which is typically how we get into trouble anyway. So an account is compromised. You know, somebody had their credentials phished, or it's a third-party contractor and they gave the job to somebody else to do, even though they were the ones that were hired. So how do you mitigate that risk? Well, you do that through enforcing the right level of authentication, and you need to do that again remotely. So you've never seen the person, you don't know if they are who they claim to be. But what we do is we authenticate that user and then we generate a private key and that key is given to that user.

And then again, it's matched to real biometrics to unlock what that key has access to. So when we do that, only the user that has that real biometric with that key has access to that authentication capability. So those are two separate streams, and there are many organizations that do one or the other. The difference with 1Kosmos is that we bring both of those together and we're going to show what that looks like here in a second, but we take the identity proofing and we combine it with the authentication component. So we bind the user to the account. And we're certified by Kantara and Fido. So IAL, so identity assurance levels two, and authentication assurance levels, AAL level two certified. So that identity based authentication where we take the verified user and combining that with the account and using that biometric as the authentication method is the identity based authentication that we deliver.

And that's that biometric is certified by iBeta. It's a pad two certification, which is pretty significant. So the entire ecosystem, the entire platform that we deliver to you is a certified platform that enables you to generate identity assurance level to identities with authentication assurance level to authentication, which delivers that identity based authentication and is certified biometric. So what that does and what our advantage is over any other organization, any other authentication organization out there, is that every access request is tied to a verified identity because of what you did at the very beginning, from the onboarding position. So for every access request, we do a multifactor authentication. So you have to get into your phone, you then have to get into our application, and then you have to do the live ID, which is a technology that we have that compares the live selfie at enrollment, with the live selfie that we've just taken at the time of authentication, we compare the two of those, and if they match, then we grant access to the user.

So there're multiple levels of authentication that are taking place there in one authentication step. And it's all seamless to the user. And we're using a platform that users are used to using. So taking a selfie with their camera, everybody on their mobile device, pretty much everybody knows how to do that. Everybody does that. So that's more or less what we're doing. So we're doing it in a way that end users are used to doing so the user experience is quite positive. And it works for both physical and logical access requests. So the difference here is that your app, computer, or mobile is the wallet, and the user is the actual authentication method. So we're using their biometric as the authenticator. And thankfully, there's only one me, right?

The world can't handle more of this, right? So the authentication method, when I use my live ID, only I can do that. My wife can't do that. My daughters can't do that. Nobody else can do that. Only I look like I do. So that's the benefit that we bring to the authentication capabilities and where we come in from a Zero Trust authenticator. So we have a demo. So what I wanted to do here or what we wanted to do here, Sheetal and I, is show you how it works, and what we're doing in this demo is we're doing it with an existing employee. So we're not going to go through all the document scanning yet, we're going to do that in a little bit. So this is if you have an existing employee and you're just going to invite them in. So, Sheetal, are you ready to go?

Yes, if you want to go ahead, we can.

I'm going to hit the play button. Here we go. I think it's playing. Yes, there we go. Yeah.

So this is a quick demonstration of how a user is trying to get into a system, right? So let's assume that you are the administrator, you're looking for a particular user within that active directory and environment, right? Once you find that particular user, you're going to try and make sure that they're invited, they have an invite on their hands. And then once they do get the invitation, they are able to register with that invite that they have received. Right? If you want to pause there for a quick second. So we do make sure that when they receive the invite, they're entered, right, we make sure that we have their touch ID and face ID available. We make sure that their biometrics are enabled. And then at that point, we also know that they're in possession of that particular authenticator. And they're set up to begin accessing any of the infrastructure within that particular enterprise. If you want to go ahead and play, Rob.

So what you're seeing here is a list of all invites that have been sent to the user. So you have absolute transparency, right? How many invitations have gone out of the user if they haven't really acted on that particular invite, then you're able to re-invite them. So you will see here that the email invitation has gone out to the user. They have an email that is sitting within their inbox, and this particular email invitation has a magic link or a unique code that the user is using to get access. Right? So they're going to go ahead and open that particular email from the Block ID mobile app. Now this brings in another question, right? How do you make sure that we add in another layer of security here? So anybody can go ahead and forward that email invitation to another person. So we want to make sure that doesn't happen. So we do ask for another factor, which is we ask them to do an OTP based verification, which is being sent to an SMS or email that is already registered with the enterprise.

Go ahead, Rob. And at this point, if you have access to your registered corporate address, you're going to have that OTP and you're going to enter that. And at that point, your account has been successfully registered, right? So just adding in another layer to make sure that there is no compromise of that particular invite that was sent to a user. Okay. In this particular case, what's really happening is that they have been onboarded. We consider this particular user onboarded with their sufficient accesses. While they're being onboarded, what happens is in the background, we are also making sure that this particular user is set up for access to log into a workstation, right? So we have implicit processes, absolutely nothing that the user has to see, which we generate smart card certificates that help us log into a Windows workstation. So behind-the-scenes with absolutely no interruption to the user, we generate those certificates and then make sure that the user, next time they pick up their authenticator, if they see a QR code on their workstation, they're able to go ahead, scan that particular QR code, and they're logged into their workstation, right?

So making sure that any active directory user or anybody who's login into their Windows workstation is able to log in with their authenticator. And as you can see, the user experience is fairly simple, right? You receive an invite, you onboard yourself securely with either your active directory potentials or through an SMS email OTP. And then the next time you are presented with that QR code on your machine, you are able to log in.

So this is a locked workstation. We're going to unlock it here.

So we have two scenarios. One is when you are rebooting a system, you're bringing it on. The other scenario is when you're unlocking it, right? That went by really fast, Rob, if you want to go there a couple of 10 seconds, this happened to us the whole time I was okay. Right there. So what happens is in this particular scenario, the user was trying to unlock their workstation, right? Unlocking the workstation. We wanted to be fairly quick. They've already authenticated ones for the day. When they unlock, what happens is automatically the user receives a push notification which is on their authenticator, right? Now, if I have an Apple watch, then I also receive that notification on my Apple watch and I'm able to hit approve, and I'm logged in, right? So very seamless, no passwords anywhere, the user is into their workstation without a password, just with a hit of a button. Right?

Okay. Okay.

So now we have another quick demo. Now let's assume that you are in a workforce and you are potential employees where you are making sure that they have a higher level of risk posture, meaning a contractor or somebody who's accessing sensitive information within your infrastructure, right? Now, how can you make this process of logging into your workstation a little bit more upping that security level? Here what you're seeing is this particular employee has already been onboarded, but this QR code is saying that, hey, we need your real biometrics to perform a login. We need to make sure that your face matches with the person who is onboarded on day zero. Right? So if you want to play, Rob.

So this time, let's assume that on day one, the user is going to go ahead and enroll their live ID. At this point, we're making sure we're capturing enough gestures, enough biometric information about the user, which we refer to as live ID. And this enrollment is successful, right? None of this biometric information leaves your device. It always lives on your device. And that's absolutely important to remember, right? So now your live ID enrollment is successful. Let's imagine day 10, day 20 of your employment, and you are being prompted to log in again. Now, assuming that this person has a higher risk posture or potential sensitive information that they are accessing, we can make sure that you are prompted again to log in with a live ID, right? So at this point you can see Mike Angle, he's being prompted to log in with live ID.

Behind the scenes what we're doing is we are comparing to make sure that the current live ID that is being presented matches with the previous biometric that was enrolled. And if there is a good match, then you are logged into your work station or to any of the web apps that you need access to. Yep. And there you are, as a workforce person, these are list of applications that you have access to. Let's assume these are all sensitive. We know for a fact that this contractor or this person is duly deserves the access that they're being requested.

This is signing in to Okta, I believe now.

Yep. And all passwordless. So we already know that Mike is in possession of his authenticator, and we have already validated the private key. We've matched it with a biometric. So we know that Mike is who he says he is. And now when he is requesting access to applications that have already been set up for single sign on, it's seamless, right? Okta, Ping, anything that you need, there is just information that's being presented and you are just logged in. Right? So what this particular scenario also shows you what a web login looks like. Now, if you haven't really performed any authentication previously, you are presented with QR codes, another form of multifactor authentication, as Rob mentioned, right? It's two things. One is the private key from your mobile phone is being shared as the actual credential. And also, if you just saw there was a quick second where you saw the face ID over there, really fast, we're making sure that there is a biometric. And once you have both of these pieces of information from a previously enrolled authenticator, you get access to a single sign on application that is in your environment.

Great. So hopefully, everybody understands what we're doing there. And that will provide the context for what we're going to talk about for the rest of the session. So we did identity verification. We then tied that identity verification to the account. And then depending upon the risk, we then stepped it up to do an IAL level two authentication, which was the live ID, maybe for other things, touch ID, face IDs. Good enough, because the risk profile's a little bit lower, but again, it's all about using the user's biometric as the authentication platform or method into all of these systems. And we're going to talk a little bit more about that as we go through here. So let's talk a little bit about Zero Trust and then we'll get into the actual meat of the presentation today.

So I think a lot of you are either investigating or looking or have heard of or are in the process of doing something Zero Trust related. It's the way in which the market and industry, and a lot of you are deploying or developing or where you're moving your infrastructure to. So if you look at what Zero Trust is, it's really about ensuring that the user is who they claim to be. So trust nothing, verify everything kind of thing. Right? So that security paradigm, that replaces that implicit trust that we used to have, right? So we did an username, password, and a multifactor authentication. If you had all those things, we knew who you were and away you go. But we all know now that with hackers are upping the game, right?

They're looking for ways to circumvent the system. And MFA is one of those targets. So you want to continually assess that contextual trust as you're implementing your Zero Trust environment. Now, there is a Zero Trust framework out there. This is our interpretation of that. There are six pillars, there's identity devices, network, apps, and APIs infrastructure, and data. We've flipped that a little bit to look at identity as a foundational element to Zero Trust. And the reason why I like to look at it that way is because the more you know about your identities, the better all of the other pillars will actually work. So if you can do a really good job at learning and understanding and authenticating your identities properly, then the rest of the platform is going to work a little bit better, which is where I get into with this slide.

So the critical premise of Zero Trust, like I said earlier, is to never trust, always verify, and that the users will receive minimal access, nothing more, nothing less. So it's an extension of the concept of least privilege, right? It's kind of the evolution of that. So you want to make sure that users only have access what they should have access. So we all know, we heard about Target, what happened with the HVAC contractor, they had too many access rights, lost the credential, and then they ended up having access to customer data somehow. And that's how that breach happened. So they didn't receive the minimal access that they needed to do their job and that's how that breach happened. But, like I said earlier, knowing which identity is present and the rights associated with it enables those other pillars that I mentioned on the previous slide to work better.

You know about the device as you know who's traversing or transitioning through the network, that you know when they're trying to access apps or things like that user should or shouldn't be doing that. The infrastructure, the data, who has access to the data, all that stuff becomes a lot easier to do because you know more about the identity. So if you've got a big bad soft system set up and you're trying to spot anomalies. Well, if you can reduce some of that noise because you know more about the identity, then that platform makes you more efficient, not being able to catch the bad guys. And that's what we're saying here. So when you look at the identity part, it's really all about you, right? In our perspective, the way we look at it. We put identity at the center and we use the identity of that individual as the authenticator. So when you look at it from a Zero Trust authentication capability and what it outlines, it gets into proof of identity and delivering advanced biometrics. We already talked to you about that and how that works.

That's what we deliver. And that's why we have a certified Zero Trust authentication platform to some degree, right? So if you want to get people access into governance platforms or single sign on, or privilege access, or different operating systems or remote access, or anything along those lines, we can do that with a very high level of assurance depending upon your risk profile, which is great. All right. But the big thing is, and what I can't stress enough, and I think we all know this, is that Zero Trust, 1Kosmos can't solve your Zero Trust needs. We're certainly a big step in that direction, but there's six pillars. And you need to look at all of those pillars and figure out how you can adjust what you're doing to meet those Zero Trust requirements.

You know, it can't be done with one product. If you're talking to a vendor and like, oh, we can solve your user trust problem, that's a lie. They can help, but it can't be done in six months or less. You know, it's not one product, it's a journey and it's a multi-year, multi-layered journey to get you to that end goal. All right. So now that we've captured the tooth we talked about and here's what 1Kosmos does. This is Zero Trust and how 1Kosmos fits in. Let's get in and talk about the four areas in which we can help you meet as Zero Trust infrastructure, Zero Trust requirements in a Windows based environment. So the first thing that we want to talk about is securing Windows servers, virtual desktops, and domain controllers.

So Sheetal talked when we were going through the capabilities when 1Kosmos that sometimes there's higher risk areas that you want to make sure that you might want to use live ID for, right? To have that highest level of assurance that user is who they claim to be. These are prime examples of that. You know, when you get into some of these environments, like a Window server or a virtual desktop or a controller, sometimes you're tunneling into those, and because you're tunneling in, you're logging into a different system altogether, and in some cases, traditional login capabilities don't work in that sense, or don't work the way you need them to. So that's where we can in really help out with our 502 authenticator app, right? Logging in with the QR code, using the biometric to get users into those environments.

That's what we're talking about there. And giving them a user experience that's next to none, and up-leveling your security at the same time. Usually those things don't balance, right? If you give a user a really good experience, security usually suffers as a net result, but we're doing both here, which is unique. And the reason why we want to go down that road and talk about that is looking at improving number two and number four in that list as well. And we're going to show you some demos here in a minute. But you want to provide the secure access to Linux, Unix, and Mac operating systems, because Windows environments are never always 100% Windows. There are other fringe systems. And that's what this chart here to see what we're showing here in that the mobile and desktop operating system market share, right?

You can see that Windows is on a decline, it's still 75% of the market, but there are other systems in your environment that you need to secure. And if you're using a Windows hello for business, as an example, it works great on compatible hardware. But for those ones that it doesn't work with, or like if somebody has a Mac or somebody's using a Linux system, well, then you need something to cover that stuff too. And that's where we can certainly help with that. And then even if you look at the different types of Windows of operating systems, a good chunk of it is Windows 10, but there's still legacy operating systems out there that you need to secure. And you need a platform that works across the multitude, all of those things. And again, that's where we can come in and help because we can work with all of those platforms quickly and easily, just as we showed at the very beginning when we were logging into a Windows workstation.

So from a user journey perspective, Sheetal showed that at the top of the presentation here. But like we said, the user gets an invite with a link. And depending upon where you are in the journey, maybe they've been with you a long time, we're going assume trust based on the fact that they've been with the organization for a long time, they'll enter in their username and password once and then that will bind them to the account, and then we'll take care of the passwords from then on in. The user will log in and then they will never authenticate with the username password ever again. So that's how easy it is to transition your existing user base into our platform as an example. And it doesn't take long.

I know that the demo that we showed was five, six, seven minutes, five, four or five minutes. It legitimately doesn't take that long. It's you click the magic link and it binds you and you're home free. So you're up and running really quick. So Sheetal, why don't we show logging into desktops? That's one of the biggest requests that we get when we go and talk to customers is like, okay, that's great. You know, MFA, all that kind of stuff, but I'm already into the system at that point. How do I generate this right from the get-go? How do I do it at login? So I think this one is the Windows one. The Mac one with my name spelled wrong, that's this one, right?

Yes. That's fine. Yeah.

All right. So let's take a quick look at that.

Okay. So this particular video, what we're really looking at is how Rob were saying, there's more than Windows in the picture now enterprises have Mac's and different things. So this is our support for Mac. Right now, this particular user what's happening in the background is they already have their authenticators set up and then they are on their particular workstation. They do have block ID software that is going to make sure that their workstation is protected or has already gone past for less, right? At this point what's happening is we can make sure that once the username is provided, we are able to just log in with a push notification, right? So the user provided the username, and then they're going to hit login with block ID. At which point, Rob does get a notification on the registered authenticator and he hits accept. And when you do, you are logged in, right?

So that's the authentication request there. If you want to pause there really quick, Rob. Just a few seconds ago. Yeah. So that's the authentication request. So you hit the button log in with block ID, you receive a push notification and you hit approve. Right? And once you do, you are into your workstation, right? So this is when the user is... Did you skip a head, Rob? Yeah, there we are. Okay. So this is typically an online scenario, right? The entire workstation piece that we have here, it is quite configurable depending upon the needs of your enterprise. Right? So if you want to make sure that users still using the password, we're able to support that. We are able to support scenarios where they are logging in within OTP, right? The trusted OTP that you see within your authenticator app.

They're also able to use that. So different modes of login just to make sure that the user has that breadth of being able to log in online. And should I also mention offline because they are able to log in, even if they're offline. So I'm ready to move on to the next one. Okay. So here's another demo. I think we already touched on this a little bit, right? So the significance when we say real biometrics, right? So there's always the face ID that in most of our interactions today, we're using a face ID, making sure that there's a good match with what's already registered with the iPhone. But what 1Kosmos does is we use something called as live ID and where we're capturing real biometrics, right? Is this person here is this a live person? Is there true depth to this particular person? We are checking for a passive liveness of the user.

So once all of this information is available, we know that there is a certain amount of lightness associated with this particular user. We know we've captured a biometric of this user. Everything, of course, remains on the device. Nothing is leaving the device. But what you're really able to do here is that any time somebody's logged into a workstation, you are able to make that comparison between the live biometric of the user that is being used today, which is day 10 of the employee, versus the biometric that was enrolled on day zero of the employee. So definitely for any time you need privileged access. So you're giving them access to really secure parts of your infrastructure. Live ID would be a great option to up the risk posture in these kind of scenarios. So the video here shows how a user is being prompted to provide their live ID during login to a work station, right? If you were to go ahead and play Rob. So that's Mike there.

And, of course, there is a difference between when you're first logging into your system versus an unlock scenario, right? During unlock, we want to make sure that it's really quick. So at that point, the user automatically receives a push notification. They hit approve and they're logged in, right? So really quick and easy. We want to make sure that the employees are on their way and getting to things that they need to get to. And because this is right at the start of the day, user experience continues to remain a big motivator for us, right? To make sure that you're into your system as quickly as possible and you're being stepped up if there's a higher risk posture. Okay, good. So that's our Mac story. Did you mute yourself Rob? You're on mute. Okay. So I'm going to talk on until Rob's able to unmute. So this particular scenario we're talking about offline. Oh, you're back.

So the button's gone. I don't know where it went. Anyway, sorry. So this is offline access, sorry.

Offline access. Yes, absolutely offline access. Right? So now let's assume you're on a plane, you're traveling somewhere. You don't have access. Your computer is not connected to the internet. This is an absolute number one question from all our customers. So how do you expect employees to log in passwordless in offline scenarios? So what happens is during enrollment during first login, when a user is online, we make sure that there are efficient processes in place that provides you with an offline passcode, right. Which is what you see here in the authenticator app. So anytime your users are offline, we have a little OTP code, which we refer to as the workstation offline OTP, which can be entered by the user into their workstation to log in, right? In this particular scenario, you will see that the workstation is able to detect that you are offline and will automatically prompt you to make sure that you're only entering the workstation or OTP and nothing else. And once you do, you are logged into your system, right? So that is a quick demo there.

And this is the Windows, just so people don't think it's only on the Mac. This is the exact same thing only from a Windows perspective.

Yep. And this is the exact same thing.

And here we're just showing everything's going offline. So yeah, go ahead. Sorry.

Yep. The same thing here. So we're just making sure that everything is offline at this point, just to make sure that we're approving, that's a quick look at our block ID authenticator provider. There are many configuration options that can be controlled by the enterprise to make sure that every employee who's logging in, they're following the same processes. Right? Do you want to enable offline OTP? Do you want to enable online OTP? Do you want to make sure they're entering their password at all times? So those kind of configuration options are available at the credential provider level. But most importantly, this video is about offline login, right? What happens when a user is offline? They are able to log in with the passcode that is being provided. As you can see, this is again, the workstation OTP, offline OTP. They go ahead and enter that and they are logged in. Right? So making sure that we have good coverage when the user is online, but also when they are offline.

Yeah. It's super cool. And like you said, the workstation login and the offline login are two of the biggest questions that we get when we get out and talk to customers, because up to now, everything is too good to be true. It's like, oh, well can you do these things? It's like, yeah, we can do those two. But this is, this is absolutely one that we get asked for all the time. And then just moving on that, the other thing was eliminating passwords as users transition to new hardware, that trust on first use issue. If you are a Windows hello for business house, then you know that the Fido authentication that Windows hello for business provides is tied to the device, which is why logging into remote desktops and things like that doesn't work.

So as you transition to new hardware, you also have to remember what the old password was. So that's an issue. The other thing is that there are also going to be areas within the environment that maybe can't sit behind a passwordless environment and they have to use username and passwords because you know that you can do a little bit more from a security standpoint to make sure you're monitoring them, but it's still important to be able to reset passwords if they're needed and deliver something to users that's easy to do and that you can change a password pretty quickly, pretty easily, and not have to be in the environment to do it. Because that's another issue with some of the password reset capabilities, self-service password reset capabilities because that you have to be inside the firewall to be able to do it. And if you can't connect, well, then you can't do that. So then that's a call to your help desk. And that costs money. There're all kinds of things to go along with that.

So being able to deliver that in an environment where none of those things that it's not predicated on any of those things is important. So I think this one is just quickly a password reset. This is a quick video on that. I don't know if you want to talk through that at all Sheetal.


It's pretty straightforward.

So yeah, pretty straightforward. But working in large companies, I've always had my ID help desk on speed dial anytime I've lost access. So this is really preventing that, right? Just making sure that you don't have to make that call to your help desk eliminating costs there simplifying that process. So you've onboarded yourself to an authenticator. You are in possession of that authenticator. So now why can't you use the same setup to reset your password? Right? So what kind of controls can we put in place when we're doing a password reset? So what's happening here in this video is the user is making sure that it is selecting the account and in this particular case, it is an 80 account. They are being prompted to enter their new password, confirm their password, and then password research was successful, right?

It's as simple as that, but what are we really checking on the background, right? The user isn't possession of the authenticator, which means that their private case still being presented, as well as there was a biometric that was being requested. So there was a face ID, live ID, that was part of the equation right in the first 10 seconds, if you'd seen it. So we're making sure that there is a good biometric match. The user is in possession of the authenticator. And once they do, we are able to make sure that a password reset is successful. Of course, in the background, we want to make sure that directory has sufficient permissions to make sure that it allows for password resets. So if your directory allows for password resets, we are able to facilitate the entire password reset from your authenticator. So no calls to help desk, just making it quick and simple, of course, helping the employee get back to work as quickly as they need to.

Yeah. And you know what? We're going to shift gears here for just a quick second. I want to make sure that everybody's still with us. So we have some polling questions that we had for today that I meant to do a couple slides ago and I completely forgot about it because I got excited about what we were showing Sheetal. So let's fire up the first polling question and this one is about Windows hello for business. We're just curious, have you implemented, or are you planning on implementing Windows hello for business anytime in the near future? It's a yes or no question. It's pretty straightforward. So let's go ahead and get everybody to click on one of those and let's see what happens. Sheetal, what's your guess? Is that more yeses or more nos?

I think just being on the field and talking to many of our customers, we're seeing many of them get there, right? Using Windows hello for business, especially because it prompts you for a biometric. A lot of the devices that we're using are beginning to be more biometric compatible. So we have the results here, Rob.

Yeah, we do. So 72% of you said no and 28% of you said yes. So that's very interesting. So for those of you that have a lot of the stuff that we have talked about today can be used in conjunction with what you're doing with Windows hello for business deployment. So rest assured, that we don't need to come in and replace your deployment, but we can certainly augment what you've already been doing with Windows hello. I think we have like five poles. As we move on to the next slide why don't we do another one? Just for fun. And this gets into how do you remotely authenticate someone in your organization today? It's a single choice. You have to pick one, maybe whatever you're doing most of, but you doing a multifactor, you're doing just a single factor.

Are you using private keys? Which again, falls into the multifactor single factor. Are you doing real biometrics like what we deliver? Which again, can fall into one of those categories or is there something else that you're doing all altogether? Maybe you're not doing anything, which we don't recommend. You should be doing something, even if it's not with us. But yeah. All right. So while that's happening, let me move on to the next slide here. And oh, hang on. The polls are in the way, sorry. So MFA is 52%. Tido 43% nothing through a private key. Interesting enough. And there are some people using real biometrics. So that's interesting as well. Must be some of the one cause most employees that we have on here today.

All right, so we want to do a quick bonus and by the way, the other thing I forgot to mention as well, very bad host today. It's my first 1Kosmos presentation. So I was excited getting into it. Normally, if you guys have been with us doing these webinars, it's usually Mike Engel who you've seen his face do a lot of the face IDs here today, but they upgraded today, Sheetal, and they went with us, right? So third-party contractors are something that a lot of organizations that we talk to deal struggle with. They bring in third-party contractors to do whatever, right? It can be a multitude of different things, but at the end of the day, I don't want to say they're an afterthought, but they typically don't go through the rigor of a regular employee when they get hired or if they do, because they're not normally inside the building, maybe they're doing it remotely anyway.

You never know if it's them. So what we're seeing is that there's a lot of fraud happening in that regard. And I'm going to talk about that here in a second, but the way in which you get around the fraud that's taking place with that is you want to get that cryptographic proof of identity, which we deliver. Right? So we talked about, that's what we've been talking about all along here. And then that'll get them access into whatever they have access to. And because you're doing Zero Trust, they're going to have access to nothing more, nothing less, than they need. And then that cryptographic proof of identity that you deliver back to that third-party contractor ensures that it's them. It's always them. So with Zero Trust in mind, we always have to answer well, who is it? Do we know with a high level assurance that user is who they claim to be?

And with our cryptographic proof of identity, we're able to provide that to even third-party contractors. And when I move to the next slide here, you can find this, you can Google, it's out there. But the FBI has released a statement, or a warning around deep fakes and stolen personal PII data, personal identifying information to apply for remote work positions. So I'm not quite sure how, I'm not a criminal so I don't think that way, but it's happening. Right? And you have to be aware of it. And you have to make sure that you have ways to address it. And a lot of the tech, all the technology that we talked about here today from 1Kosmos will most concern may help you with that. And by the way, if you do have questions, there is a Q&A panel in your UI for Zoom.

So if you want to type in questions, we have people standing by. They're not actually standing behind me because I'm working from home. But you know what I mean. They're online, willing and able to answer your questions. Sheetal we have nine minutes and I think this next video is a long one. So we'll have to jump through it a little bit, but what we want to show is onboarding a third-party contractor and maybe we don't get into the authentication bit. Maybe we just do early on. Oh, it's only 57 minutes. So I guess we're okay. It's only a minute, but go ahead.

Go ahead. Yeah. So I think as Rob was talking about initially, it is about making sure we have that strong identity right up front. During onboarding, making sure that people are who they say they are. And if there is a third-party contractor who is being onboarded, of course, the first step that they're going to do is download the block ID mobile app. They're going to set up their wallet there. They're going to make sure that they go through identity proving, which is making sure that you have government issued documents, which is like a driver's license or an SSN passport, either one of these, when you have all of this information and all of this sensitive PII is actually in your smartphone within the block ID mobile app, which only you have access to because the private key is stored in secure enclave. So that is where all of the data's are.

Now, let's assume in this particular scenario, the contractor comes on board, they are being first prompted with a QR code, which is asking to make sure that you're a live person. We're making sure that your live ID or biometric is enrolled. I mean, that process, we're also making sure that there is a good match between the biometric that was presented in live ID, as well as the documents that were requested. Right? So there's a certain triangulation that we're using there. But once that match is done, you know that this user is at IL level two. And how do we know that? Because we have government issue documents, we also have their biometric match and they've completed that step. The next step is we have gone ahead and all employees have an employee onboarding form. All of the information that is being presented here is prefilled from government issued documents.

And once you do, you're going to go ahead with some verification processes, if you want to go ahead and play it, Rob. You also put in your employee email address at which point this is to go through your HR onboarding processes. So you go ahead and put in your information, your username, and of course, we can set up processes where you're able to contact HR. So there is some amount of you have an HR person who's approving the onboarding request after reviewing all of these documents. You can be assured that the proofing that's happening through the app is much more food proof, right? Because we are using all of these APIs in the backend that give us a high degree of assurance to the document that being scanned. And once they've done that, and HR has approved your onboarding request, they are onboarded, meaning that we can set up an account for that particular employee based on real identity documents that were presented.

So completely remote following the nest of guidelines on digital identity. And once they do, we are able to set them up with access to their applications within the infrastructure, right? So you do receive an invitation where you go ahead and click the link and you are set up. So on day one of the employee, we've made sure that they are approved, valid identity. We have made sure that they have gone passwordless on day one and they have access to the authenticator and they're able to single sign on into applications that they require access to.

Yeah, it's cool. So that's that step before what we showed at the very top of the presentation. So that's the identity proofing side of it. Now we didn't show the actual documents, because we don't want to obviously give you my driver's license or passport numbers even though they are Canadian, we don't want to do that. But what we didn't show there is the actual scanning of the document, but you could see that we had captured it in the UI there and then that was sent to HR. But yeah, that's cool. All right. So Sheetal, we're almost done. Before we wrap up, I just wanted to let everybody know that we do have another webcast webinar. I get in trouble when I say webcast, a webinar every month. Next month, Mike Engel looks to be back and we're going to talk about how to protect your single sign on from vendor and contractor compromise.

So a deeper dive into what we just finished with, especially after the last breach that happened. That's going to be on August 18th. If you go to our website, you can register for that right now. The other thing I want to draw your attention to is IBA Fridays. So we were supposed to have one last week, we had some technical difficulties, so it didn't quite get off the ground. Our apologies if you were there, but Javed and I, we all, Sheetal and I and Javed all work together. He and I jump on and do just a 10 minute, I don't know. I don't even know what you want to call it. It's like two frat... Nah, it's not frat boys. That's not the right way to put it, but we tend to have fun and talk about the technology that we're delivering in a very casual way.

It's not very formalized. It's on LinkedIn. It's just a LinkedIn live. So if you subscribe to our LinkedIn channel, you'll get notified when we're having an IBA Friday. It has IBA Friday. It's beer time for me when we do that, but it's not for Javed. So we don't actually have beer, but that's why we went with IBA, identity based authentication. All right, so just a quick recap. If we look at the agenda, we talked about securing Windows servers virtual desktops. We talked about providing secure access to desktops outside of Windows and including Windows. I talked about how to eliminate passwords from transitioning new hardware. We talked about securing previous versions of Windows and unsupported hardware for Windows hello for business. And then as the bonus, the secure through party contractor access, which we're going to do a deeper dive in next month.

So on that note, we've got about three or four minutes left. I think it's time. If we haven't answered all the questions through the chat window to take some questions. So, Sheetal, I don't know if you have access to the Q&A panel. I know that I don't, because I don't have access to my mute button or any of those things anymore. So I don't know if you can see it or maybe we might have already answered them all, which would be great.

I don't see the questions either.

Oh, very good. That's okay. We don't have to see them. We can always follow up. If we haven't answered your question, we will reach out directly and answer to you via email. So don't worry if we haven't answered your question, we will get to you if we haven't. But on that note, I do want to thank you for taking the time today and coming and listening to Sheetal and I talk to you a little bit about how to secure your Windows environment from a Zero Trust perspective. And we appreciate you listening and joining, and we hope to see you again on another webcast in the very near future. Thanks, everybody.

Thank you.
Robert McDonald
Robert MacDonald
VP of Product Marketing
Sheetal Elangovan
Sheetal Elangovan
Product Manager

During the session we looked at how to improve the security of a WHfB passwordless environment. Robert and Sheetal discussed how to:

  • Secure virtual desktops and domain controllers
  • Access Linux, Unix and Mac Operating systems
  • Eliminate passwords when users transition to new hardware
  • Secure previous versions of Windows and WHfB unsupported hardware

Windows Hello for Business provides users passwordless access to Windows 10 and higher with supporting hardware. This is a step forward for passwordless, but leaves critical systems such as Office365 and Domain Controllers exposed to risks from unverified trust. 1Kosmos BlockID prebuilt integration with Azure AD closes this gap with passwordless MFA that proves user identity with real biometrics for each access request.