Hello, my name is Jeff Hickman. I'm a senior sales engineer with SecureAuth. Today I'm here to talk to you about Office365. Why are we talking about Office365, well it's one of the fastest growing SaaS applications in the marketplace for business productivity. In fact it's edging out one of the traditional leaders of SaaS applications, Salesforce, to become the absolute fastest growing application that a lot of businesses are adopting.

The specific reason that we wanted to talk to you was around authentication and allowing users to have access to Office365. It presents a real challenge for a lot of organizations, especially when it comes around ease of use. How do we secure our authentication while not burdening our users unduly? Well that's where SecureAuth comes in, we're able to use our best of breed adaptive authentication to change the authentication structure at the user goes to authenticate.

When users are leveraging SecureAuth and organizations are authenticating users through SecureAuth to Office365, whether that be any of the applications therein, such as Outlook, or maybe OneDrive, or maybe other applications beyond there, such as SharePoint or whatever else you may have. We federate the access from Office365 into SecureAuth.

SecureAuth then becomes the central authentication point, this means that you can manage all of your authentication policies from one place, rather than having to manage them in Office365 and maybe active directory. But we bring them all into one place for you. So when a user goes to request authentication, whether it's through the mobile app, maybe it's through the thick client on their device like the Word client or the Outlook client, all of that is handled via SecureAuth through federation with Office365.

Microsoft has done a great job of enabling something they call modern authentication. Modern authentication allows us to have a web based rich context when we go to authenticate any of these clients. So when a user goes to request access to an Office365 site, they'll be redirected to SecureAuth and this is where the magic happens. This is when we're able to look at the context of how that user is authenticating. The posture of where they are the in the world, the device they're using, and other details about them before we even get to prompting them for a second factor or bogging down their standard workflow as they're proceeding with their busy day.

What is adaptive authentication? Well, we have a number of other videos that really go into depth about adaptive authentication. But just in a nutshell for you we'll look at, you know, things like their geo location, the velocity of their login. We'll look at the threats associated with their IP to say hey, you know, the IP address is coming from a tor exit node or some sort of anonymous login. We'll look at all that information as well as their device posture, and as well as the group membership that they may have inside of the applications, and that you've dictated that they gain access to.

When we look at all that information one of the nice parts about what we can do is change the authentication story on the fly. So a user may login that morning from the office, you know that's an approved geo location. You saw their last login was last night from the office before they left to go home. You know the IP address is good because it's coming from your subnet or your public IP address. You know the device is legitimate because it's part of your organization, it's a work issued device. Why are we prompting for second factor in this case?

Why are we adding burden on to our end user, who may, if they get too frustrated might turn to, I don't know, Dropbox instead of using OneDrive to share files. Or maybe they'll turn to their personal email address to email that client that really important quote that they're trying to get out. All that is burden in front of the user when they're trying to gain access to their application set. So adaptive allows us to really focus on the context and when the user is going to authenticate to change that. If they do violate a rule then that's the point in time where we could ask them for a step up authentication with two-factor. Whether that's a mobile maybe push notification to their device, maybe it's a SMS, or maybe even it's a time based OTP that we ask the user to put in, all those allow the user to have an easy method of two-factor authentication, but only when it's necessary.

Only when they've violated some sort of adaptive rule, the nice part about Office365 and the integration with SecureAuth is that it is all native to the modern authentication screens. But additionally we can also support the WS Trust context for things like your native Android or native iOS mail clients. So we can fully support the Office365 authentication scenario. Now you may be asking, okay that's great, yes, two factor, why is it so important? Well one of the large things that we've been tracking over the past couple years, and the main reason why SecureAuth exists is to prevent the misuse of stolen credentials.

And we've seen out of the rise in data breach report, the 2016 report, said 63 percent of data breaches included some sort of stolen or weak passwords. The recent data breach report from 2017 said 81 percent, so we've seen a climb, about a 28 to 29 percent climb in data breaches around stolen or weak passwords. By putting adaptive authentication and two-factor authentication in front of your Office365, which may contain you know, really sensitive data for your organization that allows you to not worry so much about the password. Maybe take a backseat to it, to allow the context and the two-factor to take over. In fact, if you really wanted to, something that we are really excited about is enabling password-less authentication into Office365.

With this context, with the mobile push method of second factor, we can remove the password from the equation. And allow the user to simply put in their username, and then get a message to their mobile device. Provide their fingerprint via touch ID, and boom they're logged right into Office365 at that point. We know that two-factor alone isn't enough. We know that passwords are a real point of concern for a lot of organizations and how a lot of data breaches happen. So by combining all of our layers, by allowing us to use their mobile device for interaction, SecureAuth can provide a really robust and complete solution for securing access to Office365. Thank you for your time today, I hope you tune in, in the future.

Office 365 is now the most widely used cloud application in the world - making it a prime target for cyberattacks. Basic 2FA is not enough to prevent the the use of compromised credentials and older versions of O365 still contain vulnerabilities that can be easily exploited. In this demo, Jeff Hickman illustrates how SecureAuth Adaptive Access Control combines multi-factor authentication with risk analysis — including location analysis, device recognition, identity-based threat detection, and phone fraud prevention — to provide the highest level of identity security, no matter how users are accessing O365.