Office 365 with Strong Authentication

January 26, 2017

 

In recent years, Office 365 has become one of the leading cloud-based business applications. Recent numbers show there are over 60 million commercial users of Office 365, and Microsoft is adding roughly 50,000 small businesses to the offering each month[1]. With this high adoption, it is no wonder it has become one of the most requested applications for Single Sign-On (SSO), edging out the predominant SaaS offering, Salesforce.

This high adoption presents a difficult challenge to the application owners and InfoSec teams managing Office 365, leaving them to ponder: how do I make Office 365 access easy, convenient, and secure?

The SecureAuth Short List:

  • Federation Support for Office 365 from all client types (mobile, thick app, browsers)
  • Strong Authentication with over 25 different multi-factor authentication options
  • Adaptive Authentication (context-based authentication) that only challenges users when risk is detected
  • Flexible authentication workflows for different users and groups of users
  • Ease of management for IT
  • Interoperability with other technology investments

The SecureAuth Long List:

Ease of Access and Convenience: Single Sign-On to Office 365

A primary advantage of enabling SSO for Office 365 is combating password reuse, fatigue, and weakness. Passwords have become a burden to users. By enabling SSO to third-party applications, such as Office 365, users only enter one password to access all the applications they use to conduct business.

Single Sign-On Differences: Password Syncing vs Federation

SSO is an umbrella term that covers a number of technologies. There are two primary schools of thought on SSO: Password Syncing and Federation. Password Syncing meets the definition of Single Sign-On by using the same password for every application. This usually involves either password vaulting or requiring the user to enter the same password at every application they log into. This implementation of SSO is supported by Microsoft, but it does not provide any of the benefits that have come to define SSO, such as reduced password management, application portals, and secure tokens for login. Federation, on the other hand, removes the password from the login process for each of the applications that have been federated. Instead, a technology such as SAML, WS-Federation, or OpenID Connect is used to pass authenticated user information from a trusted source to the requested application. This is the preferred method of SSO over Password Syncing because it avoids the risk of syncing passwords or password hashes over the internet.

SecureAuth can leverage either SAML or WS-Federation for Office 365, with WS-Federation being the preferred method. WS-Federation is the native federation language that Microsoft supports and is equipped to handle authentication from web-based clients such as browsers, native mobile applications, and thick desktop applications. SecureAuth can support federation for all of these entry points into Office 365. This gives users convenient access to Office 365, no matter the device or location they are accessing it from.

Security: Going Beyond Two-Factor

While SSO offers ease of access and convenience, it also opens up a single point of attack for cyber criminals: the password. Today, weak, stolen or default passwords account for 63% of data breaches according to the 2016 Verizon Data Breach Report[2]. Without properly securing the authentication process into your SSO solution, you could be exposing your organization to more risk. Let us be clear: SSO in and of itself is not a security solution. It does reduce the risk of transmitting passwords, but without proper controls on the authentication event to verify the user, it can expose all your applications to an attacker.

In comes two-factor authentication. By this point, most end users are used to the idea of some form of two-factor authentication. From SMS, Email, Mobile Apps, to Hard Tokens, end users have had to use these methods to access their bank accounts and other highly sensitive applications. SecureAuth offers over 25 different methods of two-factor authentication, so finding the right methods your users will adopt is easy. But, is two-factor enough to truly protect from an attack?

Some popular two-factor methods have flaws. Knowledge-based questions and answers (KBAs) can be socially engineered fairly easily. Hard tokens have been compromised in the past, and “Push-to-Accept” requests are known to be routinely accepted by users who are not authenticating. The National Institute for Standards and Technology (NIST) recently stopped recommending the use of SMS/text-based one-time passcodes because of vulnerabilities[3]. The bottom line: two-factor authentication is not enough to secure access to sensitive resources.

In comes Adaptive Authentication. SecureAuth can bolster the security of any authentication process with a number of strong context-based risk analysis layers. By checking the user’s geo-location, access history, device, and the threat posed by the IP address they are connecting from, Adaptive Authentication offers a higher level of security than traditional two-factor. It is truly Multi-Factor Authentication. One of the largest benefits outside of the enhanced security is the ability to dynamically change workflows for end users based on this context information. When all of the Adaptive Authentication layers are passed, the need for a second factor is reduced, which makes access easier for end users. This greatly improves user adoption of two-factor, as users are only challenged when necessary! (Read more about Adaptive Authentication).
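A minimal sketch of the context-based decision described above, added here as an illustration and not SecureAuth's implementation. The signal names, the policy values, the rule that a threat-listed IP is denied outright, and the sample profile are all assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network

class Decision(Enum):
    ALLOW = "allow"      # all context checks passed: no second factor
    STEP_UP = "step_up"  # risk detected: challenge with a second factor
    DENY = "deny"        # known-bad source: refuse before any challenge

@dataclass
class UserProfile:
    # Access history for one user (hypothetical schema for this example).
    known_devices: set = field(default_factory=set)
    seen_countries: set = field(default_factory=set)

@dataclass
class LoginContext:
    user: str
    source_ip: str
    country: str    # result of a geo-IP lookup done upstream
    device_id: str  # device-recognition fingerprint, computed upstream

# Hypothetical threat-intelligence feed (RFC 5737 documentation range).
THREAT_NETS = [ip_network("203.0.113.0/24")]
ALLOWED_COUNTRIES = {"US", "CA"}  # assumed organisational geo policy

# Constructed sample: alice normally signs in from the US on "laptop-01".
ALICE = UserProfile({"laptop-01"}, {"US"})

def evaluate(ctx: LoginContext, profile: UserProfile):
    """Return (decision, reasons) for a login whose password already verified."""
    addr = ip_address(ctx.source_ip)
    if any(addr in net for net in THREAT_NETS):
        return Decision.DENY, ["ip_on_threat_list"]

    reasons = []
    if ctx.country not in ALLOWED_COUNTRIES:
        reasons.append("country_outside_policy")
    if ctx.country not in profile.seen_countries:
        reasons.append("country_new_for_user")
    if ctx.device_id not in profile.known_devices:
        reasons.append("unrecognised_device")

    # Any failed layer triggers a challenge; a clean pass skips the second factor.
    return (Decision.STEP_UP if reasons else Decision.ALLOW), reasons
```

Returning the list of failed layers alongside the decision gives the audit trail something concrete to record for each authentication event.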

So, why SecureAuth for Office 365?

  • SecureAuth offers best-of-breed security for authentication into any application, from any device, using any data store as the source for user information.
  • Improved user adoption for multi-factor authentication due to Adaptive Authentication.
  • Enhanced security through Threat Intelligence, Geo-Location, Access History, and Device Recognition.
  • Interoperability with other security software such as CyberArk, Sailpoint, or Exabeam: (Connected Security Alliance)
  • Dynamic workflows for privileged users, sensitive applications, or irregular authentication events.
  • Over 25 different methods for two-factor authentication.
  • Ease of management, “set it and forget it” configuration.
  • Detailed audit trail of authentication information fed directly to your SIEM.



[1] http://www.windowscentral.com/there-are-now-12-billion-office-users-60-…

[2] http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_…

[3] https://pages.nist.gov/800-63-3/sp800-63b.html
