Sarah Lefavrais | IAM Product Marketing Manager
Thales and Microsoft: a long partnership in Identity Security
Thales and Microsoft recently celebrated their long-term partnership at the Microsoft Security Excellence Award Ceremony during RSA Conference 2024, as Thales won the Identity Trailblazer Award. This award recognizes a Microsoft partner that is a leader in the identity space and has continually delivered innovative solutions or services with Entra ID to improve the customer experience. This partner drives major identity-related initiatives and educates the market on how to protect identities. Crucially, this award recognizes the teamwork carried out over several years by Microsoft and Thales to help organizations secure their identities when migrating to the cloud.
Multi-Factor Authentication: the mandatory first step for organizations moving to the cloud.
Any IT Security professional in charge of IT environment cloud migration knows: there is no way to move the sensitive digital resources of an organization to the cloud, Microsoft 365 environment included, without securing their access. A few years ago, the world of enterprise adopted Microsoft Cloud (Azure, Office and Microsoft 365) and hackers relied on this global success to target Microsoft Azure customers with sophisticated attacks.
- In 2021, Microsoft exceeded 200 million active users on Azure AD, 200 million paying users on O365 apps, and 145M active users on Teams (source: Microsoft).
- Microsoft also announced that they discovered in a particular month in 2020 1.2 million ATO attacks against their customers.
- The SolarWinds attack that compromised victim’s Microsoft365 accounts hit 100 companies and 9 US Federal Agencies.
But there is one simple solution to drastically reduce the risk of account take-over: enable Multi-Factor Authentication. A study published by Microsoft in May 2023, confirmed how MFA is effective at deterring cyberattacks and showed that the use of MFA reduced the risk of compromise by more than 99.2%.
Passwordless authentication: a key success factor in the digital transformation of organizations
Organizations moving to the cloud are looking for robust solutions to protect access to their data, while meeting the new expectations of their end users who need quick and easy access to the company's digital assets.
Employees, suppliers or consumers are completely overwhelmed by the proliferation of passwords to access the online services. Moving from passwords to more modern authentication methods is becoming essential for organizations to protect themselves against cyber threats, improve the user experience and reduce password costs.
Enabling passwordless MFA for Microsoft cloud environments
While enabling Passwordless MFA appears as the gold solution to secure access to sensitive data in the cloud, organizations are facing challenges when planning their deployment, such as:
- How to activate MFA on all my users? Even the one without mobile phones?
- How to secure access from all my devices? Even Mac?
- How to improve my protection against cyberattacks? And avoid MFA fatigue and push bombing?
To help organizations address some of the challenges they are facing in their passwordless MFA journey, Thales and Microsoft have combined their offerings to provide a more powerful and flexible solution for organizations to expand passwordless authentication everywhere.
Securing a large variety of user authentication journeys
Many organizations moving to Microsoft 365 rely on the Thales SafeNet Trusted Access cloud service to optimally manage all the authentication methods their employees use to access enterprise resources protected by Entra ID. SafeNet Trusted Access offers one of the most comprehensive portfolio of authentication methods on the market, enabling organizations to secure the variety of their users' authentication journeys, depending on the context and devices used.
- With Thales hardware authenticators:
- End users access digital resources from a large variety of devices, such as windows desktops, Mac, and mobile phones.
- They use a single authenticator for multiple operations, including digital and physical access, file encryption and digital signature.
- Certified by the FIDO Alliance, FIPS or Common Criteria, Thales hardware authenticators simplify the compliance journey for large organizations operating in regulated markets.
- In addition, organizations benefit from a large variety of software-based authenticators compatible with Windows and non-Windows devices such as
- applications to download on their mobile phone or laptop.
- pattern-based authenticator that does not require any software installation.
Optimizing IT costs
By delegating authenticators administration to SafeNet Trusted Access, organizations reduce IT overheads thanks to end users self-provisioning, or IT driven automated provisioning and administration.
Get a future proof integrated Thales Microsoft solution
Thanks to a new capability recently developed by Microsoft in Entra ID, called External Authentication Methods, currently in Public Preview, organizations can rely on a future proof standard-based integration between Entra ID and SafeNet Trusted Access and enlarge the use cases where they rely on STA for MFA
Adopting a hybrid phishing-resistant authentication approach to fight against phishing attacks.
In the past few years, many organizations have witnessed attacks, known as MFA push bombing or MFA fatigue, where criminals managed to bypass MFA protection due to weaknesses in the MFA implementation. Not all MFA solutions provide equal protection against authentication attacks, and there are critical implementation details that can impact the security and usability of an MFA deployment.
Considering the prevalence and success of MFA fatigue attacks, many governments and security agencies such as NIST and ENISA now recommend organizations to move to phishing-resistant MFA when possible.
Thales and Microsoft provide organizations with the ability to deploy phishing-resistant MFA based on FIDO standard or X509 Certificates. Considered as the future of passwordless authentication, FIDO standard (Fast Identity Online) is not supported by all legacy IT resources yet (legacy VPN (Virtual Private Network), VDI, internal application etc. ...). By deploying hybrid phishing-resistant FIDO/CBA authenticators, organizations can in the short term protect access to their sensitive legacy digital resources from phishing attacks with CBA (Certificate- Based Authentication) while enabling FIDO to protect their modern web resources.
Organizations can manage Thales FIDO/CBA hardware authenticators directly in Microsoft Entra ID or in SafeNet Trusted Access.
Passwordless Phishing-Resistant MFA for true Zero Trust Approach
Organizations using Microsoft 365 should strengthen their Zero Trust approach and protection against phishing attacks by deploying Passwordless MFA everywhere - for all their users and across all their devices.
To learn more about SafeNet Trusted Access as External Authentication Method in Entra ID, read the latest Microsoft blog, Microsoft documentation and Thales documentation.
To learn more about Thales FIDO/CBA hardware security keys compatible with Microsoft, look at this video and read this documentation.