 Welcome back to Protected Trust Live. My name is Steve Goodman, Training Coordinator at Protected Trust. Joining me today, Javier Pereira. And Javier, your job title here is Project Manager, but you actually do a lot more than planning projects. In fact, you're the guy we go to when we have to explain technical things to technical people. But today we're gonna explain technical things to non-technical people. All right. Are you up for the challenge? I'm up for it. Perfect. So in our last live stream, we had Ingram, our CEO on, and we discussed our last pillar, which was Stay Secure. And we spent a great deal of time talking about multi-factor authentication in that one. And so instead of talking about it, I thought it would be a great idea to use this live stream to demonstrate multi-factor authentication. Sounds good. There's a lot of, I think, confusion that goes on when you introduce a new element into people's lives, like multi-factor authentication. And it's really simple when you just use it. Yes. Is what I've found. I mean, you've been on site and you've deployed multi-factor authentication. Do you have any feedback from our customers once we've deployed it? Like all security, it's really kind of, it's like a sliding scale, right? So as security goes up, so does administrative overhead. And as long as the expectation is set, this will make you more secure. You will have to do one more thing. There is one more widget that you'll have to press to get through this particular step. Now the concept of multi-factor and really kind of the widespread adoption of it is nothing new. Really 2010, 2011, it was almost required for a lot of the banking industry. If you were a financial industry, you really did it a lot when you interacted with the bank and you'd like check scanning and whatnot. So the concept of I have this fob, I see this little number, put the number in, that's kind of already ingrained, right? 
So now it's not so foreign, but a lot of people will still see it as kind of an obstacle because the one thing is, I'm willing to accept it here in this banking thing. Why should I do it for email? Why is it so important? But as technology advances, right? What has value is our information. So Microsoft has done a pretty good job of making it pretty painless to get yourself through there with some backend stuff, some finance stuff, lots of options to choose from. So that's kind of the high-level analysis of multi-factor, but giving the customer a choice and just kind of walking them through different steps and going through it with them really helps. I never, ever advise you to say, well, we're gonna move to 365, we're gonna move our email, we're gonna start and then multi-factor on the first date. Unless you're a technical professional, that's not good for you because you're already gonna be timid about, am I doing it right, I'm doing it wrong, I can't get in, what if I can't get in? So yeah, definitely adoption and setting expectations. Hey, there's a few steps, let me walk you through it, let me make you feel comfortable. And then adoption is pretty good. Yeah, we rolled it out internally last year and we made a written document for people. And what happened was the steps were so easy and so intuitive that they skipped over all the language that was in the document. All the words that do not do this. Right, well, so the purpose of the document was to say we have a preferred way that you use multi-factor authentication because as we'll see in a second, there's different ways using your mobile device or using your desk phone that you can use to use that second factor authentication. 
And so people would just use the first one that they saw and it's actually the most difficult when you have to re-enter in your password because it involves getting a text code and then you have to re-enter that text into something and what if you're on your phone while doing it, then you gotta switch out the apps. So we have a preferred way to do it. That's the way that I wanna show today. So if we go to my desktop here, I'm signed in as an admin for a test organization that we have. And so what the admin sees when they go to turn on multi-factor authentication for a user, first they go, they find the user and they'll click on manage multi-factor authentication. And this will bring up, well, as you know, but I'm gonna explain it to you, like, explain to me anyway. They see everyone who hasn't enabled and everyone who doesn't have enabled. So before the stream, I enabled Alex Wilber and you'll see some people, it says enabled, some people it says disabled and then some people it says enforced. Disabled means obviously multi-factor's not turned on. Enabled means that it has been turned on but the setup's not complete. And then enforced means the person's gone through the setup and everything's working fine. That's right, all right. So for Alex, and I think what we'll do later is show a fresh setup, I just didn't wanna enter in my phone number for everyone to see. So that's why we did it ahead of time. Call you for a good time. Right, so we'll sign in as Alex, right? And this is what people would do. They would receive a prompt and outlook once we enforce it or once we enable it, they'll receive a prompt saying additional steps need to be taken in order to something. I forgot what the exact language is. There is a little backend step there. So that concept, the being prompted in Outlook, in Skype, SharePoint, those are attached to something called Microsoft Modern Authentication. Right, yes. And that must be turned on in the tenant beforehand. 
If not, you will get the app password experience, which I guess we'll talk about. Yeah, we'll go at that at the very end since that's so bad. All right, but back to my computer here. When I click sign in, it's giving me this new sign in experience and says we've sent a notification to your mobile device. So on my phone, I have the app installed, which we'll go through. I'll click view and I'll click approve. I don't know if anyone can really see it from that far. But I just, the app automatically opened and all I had to do was click approve. And now I'm signed into my account. So for any application that's installed on my computer that requires me to enter in a password for Office 365, I will have to go and do that for each one. Yes. And so that's what some people, they find that to be a nuisance. However, there is a 30 day option where you check a box that says, don't do this for another 30 days. But what it still does is, I think Ingram touched on it in the last one, it says advanced AI, depending on your license. And it will know your behavior. And if it knows that you're not logging in from Canada, let's say you spend most of your life in Winter Haven, Florida, then it's gonna, you're getting an alert on your phone saying, do you want this to be approved or not? And so it's running constantly. So even though you haven't turned it on for this specific device to run until 30 days from now, it will still prompt you for any other device. And any kind of improbable logins and logging in, what if I am in Canada? So I'm logging in Canada and I've been logging in Canada for four days and then I suddenly log in in San Francisco, then Canada again, it's improbable. There's all kinds of factors that would trigger it to say, I'm just gonna ask them to do it real quick. And so what I'll do now is I'll enable Christie Klein, who I believe I reset the password for. And if not, that should be fun showing everyone how to reset passwords. 
So I'll check her and I'll click enable. And it'll give me another box. And let me copy her email address since it's so long. I don't think it will. I'll have to type. Sorry, Seth, I'm gonna have to type this. Now I don't know how much of a deep dive we wanna do on what the options are and kind of what the admin's perspective would be. I guess we're gonna be the user then. Well, why don't you talk about that while I try to sign into this account? Well, let's sign in and we'll see you from there. All right, what was that? Christie Klein. I think I actually went to the next page. There we go. Christie C. But I think it gives you a lot more options than many other multi-factor services in terms of where you can do it from. Cause most people I think will give you a cell phone. I like that it's all there already. And you have a few options, right off the bat, there's really nothing, no third-party services. It can be enabled user by user so you can enable it on high-value targets. You can enable it on a pilot group and just really no pressure. It's not an organizational change if you don't want it to be. Okay, so yes, I reset the password. All right. All right, so back on my desktop, if I entered in my email address, I entered in my password and so now I have this new login screen and I'll click set it up now and it'll redirect me into the setup page. So what we ran into was, I'm not sure if these were the same order, but people would not choose. Our preferred method is to use the mobile app and use verification, or no, sorry, receive notification for verification. So all that is is when you're prompted to sign in, your phone will buzz or it'll alert you and all you have to do is click approve or deny. And then you're good for the next 30 days on that app. But what people were doing was they clicked on the first option, authentication phone. They entered in their phone number and then they were right. So they were getting phone calls. 
So they had to get a phone call and they had to press the pound symbol and they had to do all these other things instead of just clicking approve. Right. And so people would start yelling at me saying, hey, this is too hard, I can't do it. I said yes, but if you would have read the directions, which they didn't, so we made a video which shows how to go through this in the right way. Now, one of the reasons that's there is having multiple methods of authentication is one of the things that Microsoft likes and one of the things that I like, I don't like being kind of tied to one method. And you can, for example, let's say you don't have the app or you've lost your phone and you can't generate whatever necessary text to generate that code by having that recovery number or recovery email or like a recovery landline phone number put in, you can still get in with another method. It doesn't have to be the method that's preferred, but it can be preconfigured. Right. So as an admin, you can collect all kind of cell phone numbers for folks and pre-populate before your MFA rollout and pre-populate them as the recovery number. So when the user gets to that step instead of having to select that number's already there. So it's meant boom, boom, boom, bring your text number, now I'm in. And so at that point, you can walk the user through changing methods or you can change the method for them if you're gonna do it with them. But I like having both methods simply because what if you're, you know, what if you're somewhere where you have phone signal or you don't or you don't have data or I don't wanna be in a bind. You know, I don't wanna be in a bind where I can't get in. So I use the Authenticator app notification as well. Or other organizations, we use the phone call. It didn't bother me all that much, but it really depends on your preferences. Well, when you're trying to set it up on your phone, that's where it comes in. 
Because the guide happened because I tried all different ways and I found the most complicated way was, and it sounds like the easiest way, oh, I just get a phone, I pick up my phone and I press the pound sign. But while you're trying to get that on your phone, receive the call on your phone and do it all from yourself on, it's very difficult. So one thing I kinda missed was setting up the actual app on your phone. So that's the one kinda gotcha, the one additional step that we find people, you know, the big issue people have with this step is, now I need to remember the password for my iCloud account, or my Android store account, right? So you do have to download an app from Microsoft, the authentication app, in order to get this to work. But after that, you literally just scan this. That's included with the app. And that's a pain point, that's a pain point that is encountered often. Which is, it takes me a little, I had to do four steps so that I only have one step from this day forward. And sometimes people shy away from it, but it's, I mean, it's what would you rather do, recover data, you know, or, you know, spend three minutes of your time scanning and downloading an app. Right, exactly. But you know, it definitely becomes an obstacle sometimes when like what's my iCloud password, I don't know. I don't know, my signal's terrible, I don't get on the, what's the Wi-Fi password? I mean, it can have its drawbacks. Right. And so like you said, you do have that secondary method that it makes you choose. Cause, you know, if you lose your cell phone, then you're out of luck. So it does give you that second option. What it also does is it allows you to change your options. Correct. So, you know, even though you may like using our preferred method of downloading the app and using the app to authenticate, maybe in the future you may not like that. So you can always go back and in your account settings you can change your personal preferences on that. 
So if you wanted to ring to your office phone and set your cell phone or vice versa, you can make those kind of changes. You can configure all of them. Why not? Yeah, you can configure all of them. Yeah, or you could do, or yeah, that's right. You can check the box for every single one. So you're not just limited to two options. You're really backed up. So if everything goes haywire, you could still get into your, you can always get in there. So I think that brings us to the thing. Oh, the app password. The app password. So talk to us about app passwords and why they exist and why this is so much better than app passwords. Why so much better than app passwords? So, before the modern authentication concept, I think it's exchange, I mean, it's Outlook 2013 or newer, you know, SharePoint, Skype for Business, it, if it's activated in the tenant, there is some information that it says, okay, the user has entered their username and their password, their actual username and their actual password. Using this new technology, it's able to trigger the multi-factor and bring up the acknowledgement window during that process. But that's, it's very application dependent. So your application must be aware and understand how to utilize modern authentication. And that's a relatively new feature. We really kind of just turned it on when we were doing our part of the project. Before that, we were just relying on app password. Now, this is one of the most complicated things to have to explain. App password is a one-time only visible, randomly generated password that can be entered into applications that do not understand modern authentication. So that's a long way of saying you press a button and you'll see a password one time and one time only. You cut it and you paste it into whatever application you're intending to configure that's gonna interact with your 365 data. Then you leave it there and you don't think about it again. 
What's gonna happen is you're gonna have your username and an app password. So up until recently, the native Apple mail client did not understand modern authentication. What it would do is you'd have to put in your email address and an app password. The reason it's only visible once is because it is best practices to keep generating one app password per device. And the reason you'll do that is I'm setting up a mail on my non-compliant mobile device, put in my email address and my app password. I am setting up my non-compliant tablet or other version of Office. That's two app passwords. And then down the line, whatever's gonna be interacting with that 365 account. Now I have four or five app passwords that are listed and visible within the user account. You can actually disable one specific device one at a time. But the gotcha is you have to go in, grab it. You shouldn't save it. You just copy it and get into that session and then move on. And what do people end up doing? They end up copying it and pasting it into a text file and using it one app password for six applications. That's right. That's right. And so very, very complicated because you can't remember what it is. You only see it once, that's right. You only see it once. And so you end up having to put it in a text file and then looking at it later. And then looking at it later. Which defeats the purpose of having it. It defeats the purpose of the app password, yes. And so if I could just show, if I can remember off the top of my head, do you remember where it is? I do, and it makes no sense where it is. It's security and privacy. Security and privacy. Okay. And then you go to... Additional security. And then it's update your phone number. No. Yeah. No, it's create and manage app passwords. Click the top one. Click the top one? Yeah. So now here's where you manage it and then there's app password. Oh, I see. Yeah. It's grayed out. People think it's not an option. That's right. 
It's a different shade of black here. It's not grayed out. It's just a different shade. So if I click on that, I can create a new password. And so what's the purpose of giving it today? So again, ideally this would be a one time use for one instance. So let's say it's Android tablet, Office 365 supported third party vendor tool. And I would be able to have one app password per each. And then they can be individually deactivated. So I can deactivate one, but not break the other. So if a device you think it's compromised, you can go ahead and sign into your app password list here and delete it. And that way the person can't access it even though they have your device. And so yeah, there's the randomly generated password here. How many characters is that? It's gotten longer. Has it? All right. And so because I didn't copy it down, I have to delete this and start again. Right. So if you were to say, I've lost my surface and I understand that it's set to hold on to my authentication for 30 days. Whatever mechanism you've put in place to get in it, this could be deleted and now it stops communicating. Now it's no longer authenticated. Now I know at least a couple of months ago modern authentication had to be turned on by your admin. Is that still the case? It's still the case. It's still the case. That I've seen. Yeah. Which is upsetting because modern authentication, the thing that lets you use the apps for your devices and your apps is so much easier. Yeah, it is easier. And so I would think that they would just turn that on by default, but. There's a whole kind of web concept of how these work together. You turn on your MFA, you turn on your objects and you turn on modern authentication. Then you turn on, if you were synchronizing your local Active Directory with 365, you can turn on what's called seamless single sign-on. And then the experience becomes really great. 
I'm a new user, I'm setting up Outlook, I launch Outlook, it sees my local Active Directory credential, I see a brief flash of the authentication. I do nothing. It's basically doing it all on its own as long as it's all been configured. It's got a few little switches that you have to turn, but it's really leaps and bounds ahead of where it was. It's much easier than, again, the app password, which until maybe middle of last year was how you were destined to set up your five devices. Right, and it also gets rid of the need for having that 90-day password policy where you're constantly having to come up with a new password. And I think that's where this all came from, is in order to have a secure environment you would have to have some sort of password policy where your password would be changed at some interval. Right. And... Well, password history then, so that kind of ties into the password history. So I change my password every 90 days and I have a password history of five passwords. That means every year, right, it's fall. This is my fall password. Right, and so people would, and Ingram said it on the last livestream, people would just add an additional character at the end of it. So it's not really making it any more secure. And of course, if that's not an option, if it makes you change it to something, something hardcore, people would just write it down and put it on the poster. Right, yeah. So it's definitely more secure just to use modern authentication and using the mobile app. Absolutely. So that's all I had to say today. Okay. Do you think we covered it? Yeah, I think it's good. I mean, it's a pretty simple concept. It's a concept that's been, like I said, it's been around for a while. You have so many options you can call your cell phone. It could text you. It could generate the notice on your phone. You can open up the notification app, the actual Microsoft app and type in the number. That's something that people are very used to in the banking industry. 
It's there for you. I mean, it really lets you, you have different comfort levels. You know, it can be enabled user by user. It's a great tool. It's available with every license site. You know, you can use it for, like I said, your high value targets. You can use it for your problematic targets, right? Right. The people who are prone to compromise, they can be enabled just for them. So it gives you a great deal of flexibility and added value as it's already there. Right, because as we saw in the beginning, not everyone was enabled. We got to choose exactly who it was. Exactly, exactly. So yeah, I think we'll end it there. So thank you very much for joining us today. Alrighty. And thank you all for joining us today as well. Join us every Tuesday and Thursday at 2:30 p.m. to see another live stream where we'll tackle another topic. And thank you to our clients who make these videos possible.