Pleasant good morning afternoon or evening to those of you that are joining us. My name is Kevin Mulholl and the technical customer success manager here at TechSoup. Today in our virtual office hour, we will be discussing how to reduce risk by managing identity threats. With us today, we have Linda and I'm hopefully I'm going to pronounce your last name, WIDOP correctly from Tech Impact as well as Francis Johnson. The chat is open when the Q&A session does come up. You will be able to come off of mute and ask any questions that you do have. This is going to be very open and free flowing and topic, but we hopefully can get some good questions. You're also welcome to put them into chat. For those of you that are in need of closed caption, depending on whether or not you are on the web browser version or the desktop. In the desktop and near the upper right, there is a three dots that reads more. If you click that down, the full expanded menu has closed caption there. If you are on the web browser version, if you scroll your cursor down towards the center middle of the screen, you'll see those three dots again, you expand the menu and you will have the ability to view closed captions from there. With that, we're just going to go ahead and get into it, and I will come off of mic and camera and let you have that, Linda. Thanks, Kevin. Hi, everybody. Like as Kevin said, we're a little bit light on the presentation piece of today's session because we're hoping for some good questions and dialogue. We're talking today about managing identity security. Francis and I work for Tech Impact, we're a 501c3 nonprofit whose mission is to leverage technology to advance social impact. We provide technology services to nonprofits across the country and across the globe. We do a lot of managed IT support services. We do a lot of Cloud migrations, a lot of security work. We have a consulting team that does strategic planning. Data analytics and that kind of thing. 
We're like a nonprofit to nonprofit tech services. We also offer education and training. So we do webinars and research papers, we produce the consumer guides that many of you may have downloaded for nonprofits. We also run a workforce development program. So we're training young people to get their start in the technology services field. So here's a link to our Technology Learning Center. If you want more information about, we do have some information about Identity Management and Security stuff right there. So you could just go to techimpact.org and look for our Technology Learning Center. I'm Linda Witteb I'm the who knows what I am now. I'm the Chief Customer Officer. I know like my title changes, it's all ridiculous. I've been with Tech Impact for almost 20 years, and I basically do new business development and manage our account management team. With me today is Francis Johnson. Look, I got your title right. There you go. Hi everybody. So yeah, my name is Francis. I am the Chief Technology Officer at Tech Impact. And essentially, I just manage a lot of the technical side of things. So we, as Linda said, we do provide a bunch of technology services, manage IT support, cybersecurity, infrastructure, etc. So I manage a team that delivers that to nonprofits all across the United States. And the interesting thing is that you're also our Chief Security Officer. That is true. For our internal, right? That is true. So you manage all of our internal security. Right, so at Tech Impact we have 110 employees. We have four offices in the US and then we've got people, you know, working remotely from who knows where and you're managing all that for us internally. Yeah, I am. It's a struggle sometimes, but it's yeah, that's something I also do. Can you turn my multi-factor authentication off, please? So I don't get bothered by that anymore. Well, we'll take that offline, we'll take that offline. I think that's a no. Okay, great. 
So we have a quick, you know, a really short agenda for us today. We're just going to talk a little bit about a presentation that we put together so that when you, if you want to download the recording, like, you know, you have some slides to refer to, right? So at Tech Impact when we think about, you know, the different vulnerabilities that are out there, we're looking at five major categories of vulnerabilities. There's a lot of nuance here, but all of this is really to protect your information. The whole goal of cybersecurity protection is to protect that information that you have, whether it be your customer information or your donor information or your cases, you know, confidential information, whatever it is, we want, that's what we're trying to protect. And so we have a lot of things that we talk about around device management, you know, make sure your Windows updates and all that stuff, your network, your firewalls and that kind of a thing. Policy and training is a big, big one, but today we're really going to focus in on that account and identity, that blue one there. You know, 80% of all data breaches start with compromised identities. I mean, that's been, I've had this slide in my decks for eight years and it's always the same number. It might have gone up to 85 at one time, but it's always been about 80% of all data breaches start with compromised identities. And so you can see why, you know, this is like one of those main things that we really have to focus in on, because it's not if it's when. Data breaches cost a ton of money. We're talking about dollars here to recover from a data breach, the investigation, the workstation network and server recovery, the user credential recovery and all of that, restoring the data back to normal costs, you know, thousands and thousands of dollars. In addition to that work that, and this is like, this is the part that tech impact us. 
We do all this stuff and the people who, you know, our own Francis's team are, you know, asked to do this kind of work and we have to charge for that work. So even though we're a nonprofit, we're charging other nonprofits to do this work because we have to, you know, account for our time. Additional costs could be for legal guidance, breach notification. So if, you know, I mean, we've all had this happen. I think we've all had this happen, I have. I've gotten notification from, you know, a bank or a, you know, Home Depot or, you know, something like that. Hey, we think your data's been, may have been compromised. So that has, that's that notification that goes out. And then there's that credit monitoring, right? I have personally received three years free life lock because my information got out from, I think it was my old college. I don't, you know, I don't even know how it happened. And then there's the forensics. If we need to, because we're under contract with a government or we're under a compliance where they want to know how it happened, we have to do that forensics that also cost a lot of money. This is the stuff that tech impact doesn't do, but you'd have to hire somebody else to do it. And then there's those intangible costs, right? That especially as a nonprofit, we're talking about lost trust from funders, from donors, from volunteers. If you're an organization that provides, you know, meal assistance and you've been compromised and that gets out, a donor might say, I'm not really confident that I want to give my money and my information, my credit card information and everything to that meal program. There's another meal program down the street. I'm going to start to donate with them. I was at a conference two or three years ago where a major international care organization, the guy got up in front of everybody at this conference and just let it all hang out. 
And he said, we were breached and we had all these servers and all the servers were compromised and locked out. There was one server in our African office that happened to be down for maintenance. It's the only reason that we're operational today. And they calculated something like 1.2 million dollars in lost donations because once word got out, you know, individual donors went other places for their, you know, for their donor, for their donation. So 1.2 million dollars, I mean, that's pretty significant. So again, today we're talking about account identity and how to prevent data breaches by focusing on that. And can I just jump in here real quick? And so I want to also just highlight the reason, you know, as Linda said, a lot of different ways that, you know, attacks can happen. But if you look at it this way, with devices, network systems, et cetera, the onus is not necessarily on every single person in your organization, right? Not every single person is involved in, you know, patching your network firewall, for example. But every single person in your organization has their unique email address and password or username and password. And so that's the surface area, so to speak, to attack is very, very large. You know, depending on how big your organization is, obviously, and the onus is on the person and the individual. And that's why it's very important. It's not the most important thing, but it's the things that we like to really, you know, hone in on and explain. And so we're obviously gonna jump into a few slices to dig in here. Yeah, yeah, that's a great point. Thanks. So, you know, account and identity management, you know, what are we talking about here, right? We're really just talking about providing access to systems and data. And one of, so Francis, chief technology officer, you know, some chief customer officer or whatever. But we really need to also talk about this from a human resources or an HR perspective. 
Because employee onboarding and offboarding, right? We have to make sure that our new employees and new staff have a policy that is presented to them, that they understand and that they agree to in terms of, you know, computer use policy and that kind of a thing. But the HR person and the technology person need to work together to make sure that we're doing the right things, providing unique accounts. And that's hard for a lot of nonprofits. Sometimes we need to get into these systems that cost us a lot of money. And we go, you know what? Instead of buying 10 user licenses, we'll buy two user licenses and we'll let everybody share them, right? And so from a data, you know, identity perspective, that's not a great idea. Creating passwords and making sure that everybody understands that they have to have past, you know, 16 characters or whatever it is with upper and lower and weird things and all that or passphrases. And having centralized account management, right? This is back to that HR and IT director. You can't let everybody be an admin into every system because then, you know, things go awry and we don't really have it locked down properly. Using password management tools, multi-factor authentication, we're gonna talk a little bit more about this and single sign on would be a good idea. Do you have anything to add here, Francis, that I missed? No, no, this is good. I mean, it's everything we're gonna dig in a little bit deeper into. But yeah, you made a good point about, you know, the account management. The unique accounts are very important, even though sometimes it might not seem feasible. It is important that every person that logs in has a unique authentication against the system and we'll dig in a little bit about that and obviously talk about that throughout the presentation. But yeah, we can move to the next slide though. Great, yeah. I mean, so for password practices, you know, I think this is pretty, you know, common knowledge, right? Yeah. 
Make sure you could, you know, make your passwords as long as possible. On the last slide, I had 16, now I have 20. What's the, what's the going rate here? It's, well, it depends on what standard, but yeah, between, it starts at 16. I think 16 is, 12 to 16 is usually where most systems, you know, prompt folks for 12 to 16 and then the upper lower, upper and numeric, et cetera. Do you agree with the use of passphrase or would you rather just see a jumble of nonsense? No, I think that the reason you do a passphrase is so that it's easier to remember because the other, the problem with complicated passwords is that it is hard to remember and I think we're going to talk about how to help with that from a tool perspective. But the reason you do a passphrase is so that you can actually remember to type, you know, you can remember it so you don't have to write it down on the infamous notepad on your computer screen, right? That's not what you want to do there too. So the passphrase thing is really for the end user to be able to have a long password and also not forget it and therefore have to write it down because you never want to write down your password, right? Yeah, and the number two thing here, do not reuse passwords. A lot of the systems that we use will not allow us to use an old password. Like if it says, you know, create a new password and I try to put an old password in, it kicks me out and says, nope, you've already used that. You have to choose a new one, right? I mentioned earlier that I got, I received a notification from like a college that I have like, you know, look at me, I'm old. I haven't been in college in a long time, right? But somehow my user credentials got out. That's a good reason, right? If they stole my old username and password into my old college login and some years later I start, like it's not good. So I'm okay, right? 
They got my, they maybe got my name and, you know, information but when they tried to put that old password in somewhere it's no longer valid anywhere except if I start to use it again. So if they've already gotten it and I start to use it again then now I just opened myself up again. So that's no good. You know, don't share passwords. Unless you absolutely have to. I can't think of one reason why I would absolutely have to share a password with anyone. I don't need, Francis, you don't know my passwords. You don't know anybody's password. You're the chief security officer. You don't need passwords. And yet I have customers that constantly say to me, by the way, if you need to know all of our passwords I have it in a spreadsheet. What? Why would you need to do that? Yeah, exactly. Right. That is not the way to manage passwords. There's definitely better ways to allow people to manage their passwords, but yeah. So I know a guy who doesn't have any password manager. He doesn't have any passwords written down. He never reuses the same password. His passwords are always 20 plus characters long. How does he manage that? Because every time he logs into his system he hits the forgot password button. Every single time he logs in, whatever the system is, he hits forgot password and then it sends him an email and gives him a link that says create a new password and he goes in there and he just puts a jumble of whatever it is in. Next time he goes into that account, forgot password. How's that? For a tactic, right? I can see some holes in there, but we can talk about that. Yeah, the last thing on this screen is multi-factor authentication and what is multi-factor authentication? Would you like to explain this, Francis? What is it? In its simplest form, it's just another way, factor, to authenticate against the system. So we talked about passwords, and so you put in your username and password, you've basically, that's your first factor of authentication, right? 
In order to bolster up your security and making sure that again, if you have a compromised password that basically opens up the door to whatever system you're logging into. In order to at least add another level, you turn on something like MFA. And MFA is multi-factor. You've probably heard about 2FA, which is two factor. Multi-factor is really the more secure way to even do that because you wanna be able to do more than two ways if possible. So the second factor in this case or is basically prove that you are who you say you are and that password is not compromised. You can use something like a mobile app that you can basically push to use an authenticator on. It is not, I don't really recommend this, but this is something that a lot of systems still allow, which is an SMS text to your phone, et cetera. Email, wherever you can basically have set up to essentially send a additional layer of authentication too. And then if you wanna go beyond that, then you can do things like conditional access with multi-factor. So it's not just that you put in your password and that you're authenticated. You also have to do something like be using a specific device or be in a certain location so that there's really additional ways to prevent a compromised password or a compromised phone number or whatever to allow somebody to get in. So. Yeah, and the theory behind multi-factor authentication or two-factor authentication is that even if a criminal got your username and password, they probably don't have access to the physical device that they would wanna get that to, right? So they don't also, in theory, they don't also have your cell phone or they don't also have your laptop. So that's the way that they can do that. And as the Chief Security Officer, you're managing all of our internal things. Do you see that if that happens? 
Like, do you see cyber criminals trying to bang up against our like trying to log into our accounts unsuccessfully because they don't have the multi-factor authentication? Is there like a log that you can see on that or? Absolutely, yeah. So we use Microsoft 365 for most of our systems internally. And so there's additional tools within the 365 stack and they have a security stack and have a bunch of add-ons, et cetera. And that allows us to not only, you know, react to certain things, we can actually see things as they happen. So in this month of October, which is Cyber Security Awareness Month, but it's also a really busy month for hackers, we've been really getting hammered on our tenant specifically and basically understanding where things are coming from so I can see where, you know, attempts are coming from and they all fail mainly because they do not even have the first attempt, which is the password. So nobody's password is compromised and therefore it's just failing at the first attempt and there's a bunch of things that happen once that happens. We have, you know, account lockouts and things like that. So yeah, I mean, being able to monitor that and see how it's going. And basically, even if, so really the question comes down, if somebody were to compromise or have access to any of our internal accounts, the attacker would get in with the first factor, which is the password, and then they will be basically prompted with an MFA prompt, right? And then I can, at that point, then there's a bunch of alerts to come out because then it comes down to, somebody just logged in with Linda's account from, you know, North Dakota, and that's not where Linda is usually. She's usually in the Philadelphia area, unless Linda just traveled to North Dakota, you know, five minutes from when the last time I talked to her, that's a very bad, you know, that's a weird location for Linda to show up all of a sudden. 
So there's an alert that goes out, and in addition to an MFA prompt, there's also alert and a mechanism behind that, that essentially locks Linda's account down. So there's a bunch of things that happen, that can happen on the background too, to assist with the user experience as well. So. And the more sophisticated stuff isn't available in every multi-factor authentication system. Yeah, but there's definitely some, yeah, there's features that can be added, and you know, it's one of those things that, because it's not, you know, if, but when it becomes basically a necessity to look into just adding as much as possible to those things that can stack up and allow for more security, more analytics, more insight into what's going around, you know, what's happening in and around your systems from an authentication perspective. Yeah, cool, great. So from multi-factor authentication to single sign on, right? Yeah. Single sign on, I talked about the HR person, I talked about HR and IT, right? As a user, a single sign on means that we have an application that a user logs into, and once they log into that application, in the background they're logged into, all of the systems that they have, you know, that they're allowed to log into and they have access to, right? And I like, yeah, like, I like single sign on because from an HR perspective, we put it on the human resources manager when they're onboarding the employee to know which systems that particular employee is allowed into. So if they're not in the finance team, they don't get into the finance, you know, system, they might get into Microsoft or Google or whatever, and they can settle that up. The IT people can create user names and passwords to all of those systems that are really strong, right? That strong password, and then give the employee one place to log in. 
So for me, we have single sign on it, I have Microsoft 365, I have Paycom for my payroll and time off request, I have Concur for my expenses, I use HubSpot, and we have an internal system called Harmony, right? So I have like seven or eight different things that I log into, and with single sign on, I only need me personally, I only need to know my Microsoft 365 username and password and get the multi-factor authentication thing from one. Once I log in there, I'm logged into everything else with the same password, even though on the back end, Francis's team has set me up with some ridiculous long password, right? So that's single sign on. So from an HR perspective, we can really manage who has access to what and not allow them to set up these accounts on their own. From a security standpoint, we know that all the systems accounts have really great passwords on them, but from a user's perspective, I don't have seven Post-it notes. I only have one Post-it note. I'm kidding, Francis, I have no Post-it notes, because I know my... I knew you were joking. I've heard this joke before. Yeah. Anything to add about single sign on? Yeah. So, well, a couple of things. Kevin actually just put something in there. So we're talking specifically Microsoft 365. You can use a Microsoft 365 or Google Workspace as your system. They have single sign-on capability, or you could get a third-party identity manager like Okta or... I got that. I'm drinking out of the mug, yeah? Yeah, and there's other folks like Okta that also can layer on top of your 365, your Google or whatever system you use. So that's one thing. So single sign-on is very... There's a lot of benefits to single sign-on. The flip side of it is, as Linda said, once you get into one... Basically, once you get into the Microsoft account, you have access to everything, right? So it's kind of like the key that opens up a bunch of doors. 
And so with single sign-on is very, very important to make sure that the security of whatever identity manager you go with, whether it's with the Microsoft Azure Active Directory or Google or even Okta, that those accounts are secured because they are essentially the key that opens up a bunch of different doors once you log in. And so that's the piece of it, right? Yeah, that's a great point. So I think this is our last slide and then we can jump into questions. Password managers. Password managers allow the... I said I had seven post-it notes. I don't, I'm a password manager, right? So every time I do need to set up a new account, like even for my personal banking and all that stuff, right? I put all that, I could tell you the one I use the most often is my American Airline Frequent Flyer password. I just have to have it in a password manager because this way I can... I don't use the same combo for multiple systems, right? So that's for me personally. You want to talk a little bit about, like these are the three main ones, right? Dashlane, which I think I know you can get through TechSoup, LastPass, which a lot of people know about and use and then the other one, Keeper, that maybe not a lot of people on this call are as familiar with. You want to talk a little bit about those password managers and any differences that you might think. I mean, they all essentially do... I mean, they have different features for one to the other and whatnot, but I mean, from just a core functionality perspective, it allows the person, as we said, we started off with the passwords and the complexity of the password and what you're not supposed to do in order to take all of the hard work of figuring out your 20 plus character password, you use one of these things, right? You use one of the tools that we have on the slide, right? So it allows you to generate a password, it basically securely saves it into your vault and it basically gives you a quick access to it. 
All of them have browser extensions. So if you use Chrome and you have to log into a bunch of websites differently, you can basically have them attached to Chrome or Edge or Firefox, whichever browser you like to use. And when you go to the website, you can essentially take your password and populate it securely using one of these provider's extensions. So it really, it's really just allowing you to check off some of these security controls specifically with your password without putting a lot of burden on each and every one of you. This is the tool that allows that to happen, right? And so it's great. And it's not really just for your organizational use, you should use it on your personal use as well. Like you have a lot of accounts, you have your bank accounts, you have et cetera. This is a good way to make sure that every single account, your individual accounts and your organizational accounts are secured from a password protection perspective. Great. I know Chris likes Keeper because it has centralized administration for the IT person. Yeah. So yeah, like Keeper has the enterprise version where you basically can assign users, your staff members, each their own vaults. You can manage that. It's easy to onboard and off-board somebody and allow them to create it. And just from a management perspective, also allows you to, as an organization, essentially force this type of behavior and then basically roll it out to everybody and have them actually use it. Yeah. So it's, yeah. Some of them Keeper definitely has and I believe Dashlane as well, yeah. Okay, great. Cool, good. So we're on to the questions part of the session. I think we did pretty good time-wise. We have about 25 minutes left in the session. So I'm gonna stop my screen share and then, Kevin, I don't know how you wanna open it up for questions, just unmute yourselves or how's that work? Yeah, we actually have two questions that came in. I'll start actually from Jim and Nathan. 
I'll start with Nathan, because you kind of did just speak on this. Do you have a recommended password manager? Our team currently uses LastPass? We've seen a lot of good things with Keeper, right? We've seen a lot of good things with Keeper. They have a good price point. I think they have non-profit pricing. And I think the big thing about password management is that going back to how you're looking at it from an organization perspective, you want something that you can manage and centrally manage if you can, something you can roll out, something you can basically allow everybody to have access to and see how, basically on-board and off-board, et cetera. So just in terms of what we at Tech Impact usually have had the most success with, I would say Keeper, I think Dashlane would be fine too if you wanted to evaluate Dashlane. Great. That kind of goes into Jim's question. And this is actually a really good question. I think Francis, Lynn, you could definitely speak on this. Is what about browser-based password managers? That's interesting. So yeah, I'm guessing you're thinking like a Google Chrome. So like with Google Chrome, you basically, if you have a Google account, even if you don't, right, you can essentially use the password manager on Google Chrome, I think Edge has its own as well. Okay, so the only issue, well, there's a couple, but the one that I like to call out is the fact that because the browsers also run into a lot of vulnerabilities, so I don't know if you've been looking at the news recently, Google Chrome has had a lot of call out in terms of vulnerabilities, right? And so basically, if you don't update or if you're not updating your browsers as much, I'd be real, like, unless you're closing out your browser every day after work and opening it up and allowing Google to update it automatically, you probably have the red update, right? 
There's so many times I work with a client and they're using a Google and there's the big red update, like update option on Google Chrome. If you're somebody that updates your browsers regularly and making sure that you're on top of things in terms of vulnerabilities, sure, but I think the problem there is that if you're not and essentially your Chrome and your account, your Google account and your Chrome account is exposed and then you have a bunch of passwords that are just lying there as well, there's basically a bunch of risks attached to that, as opposed to having something that's separate, even though it might have an extension on Chrome, it is separate and not involved at all in terms of how Chrome's vulnerabilities work. So I like to separate some of my, if you think of it, I like to separate systems if you can, rather than put everything in one system. So that's why you would probably do something like Okta for single sign on as opposed to using everything in Microsoft 365, just making sure that there's enough separation. We call that air gap, so to speak, so that if one of your systems were to be compromised, maybe not by yourself, but the vendor itself, you will at least have something separate so that everything doesn't go down at the same time. And that's the same when you're looking at your network or anything like that. So I would just be careful about using a browser, password manager for some of the things I just mentioned and just keeping it in a separate and a secluded system like a Keeper, Dashlane or LastPass. Yeah, they went on, Jim followed up a password manager from Okta that's integrated part of it. Yeah, I totally, Francis totally hit it on the head is that needing to have that degree of separation if you follow anything in security news, all these Chromium browsers, Edge, Firefox, Chrome, the amount of attacks that they face is just overwhelming. So I got another question here from James. 
Any comments on Norton 360 password manager? I haven't used it, but keep getting reminders. You get a reminder. Okay, another two left first. It's not a bad thing. It's all of us keep getting those reminders and it's the thing that we just kind of put off. It seems like as much as we can. Yeah, I haven't evaluated Norton in a while to be very honest. I can't give a straight up answer about it. So yeah, I don't have a direct answer on it. I laughed because we all have dealt with Norton some capacity, but I haven't looked at their password or password manager system yet. So I can't say yes or no to whether you can use it or not. I use Norton. It's now called Norton LifeLock password manager. I use that on my personal. Oh, so you do, okay. For my personal stuff. It's fine. It's easy to use and it's pretty secure and quite frankly, it's free. I think I might've gotten it because of that data breach that I referred to earlier. Like I think, you know, the college was like, hey, you know, we're sorry for the breach. Sign up for all this stuff. And I did. And it was, you know, I like it. It's easy to use. It's not an enterprise solution though, right? It's for my personal stuff. And it's where I keep my bank account stuff and my frequent flyer stuff. So that's all I really have to say. Okay, it looks like we cleared out the Q&A portion here. Let me see if there's anything else question-wise in the chat. And it doesn't look like there is. I did want to close, as I mentioned earlier. Actually, somebody put their hand up. Stephanie, you're welcome to come off of mute and ask your question up in the chat. Or Stephanie, if you can toss it in the chat. Your microphones are enabled. Recap on single sign-on. Yeah, I think that's what, yes. Okay, great. Yeah, I mean, I can speak to it again. It's essentially allowing, well, you stopped sharing the slides. I thought the slides were pretty good in terms of just giving you a breakdown. 
But essentially it's allowing you to easily give your end users and your organization a good experience in terms of logging in, right? So it's from just a practical perspective. You have a single-sign-on provider that is attached to other web applications. Linda mentioned we use Paycom for HR things here. We use Salesforce. We use all these different applications. Instead of us having to log into each one every day or each one every time we need it, we essentially log into one system that has access, that can give us then secure access to other systems. And so it helps with onboarding and off-boarding easily. So it's not just about giving access. We can also take away access pretty quickly, right? So that works both ways. And I think from a user perspective, it's so much better. I mean, I think when we implemented single-sign-on, Linda, everybody was like, elated, right? Like it's a totally different game. Ballgame in terms of logging in with one account that has access versus having to log in each time, each have several tabs, have several authentications, have several MFA experiences, et cetera. And so there's a lot of benefits in it. I also mentioned quickly that there's a flip side to that, which is you have to make sure that whatever system you go with or whatever identity provider that does single-sign-on, that you basically pay attention to the security of it because it is a one login, not a one login, but basically one access gives you access to a bunch of other things. So the key that opens up several doors. And so with us, because of that, I'm like, we have a lot of alerting. We have a lot of policies. We have a lot of mechanisms behind the 365 account because that's the main account that will give you access and single-sign-on to other accounts. Yeah. Yeah. I mean, I can remember back when, we're Tech Impact, if there were only three letters that Tech Impact would be allowed to use to talk to anybody, it would always be MFA, right? 
Like multi-factor authentication. It's all I hear anybody at Tech Impact talk about with our customers about how important it is to have multi-factor authentication. And I could tell you that years ago when we rolled out multi-factor authentication internally at Tech Impact, I grabbed one of these knives, no I didn't, I grabbed a dull one, and I chased people around the office and told them to turn it off or I would stab them with a dull knife because I wanted it to hurt more. I'm from Philly, right? I mean, we do that kind of stuff in Philly. Right, not everybody does it. But like, it was the worst day of my life. The worst day of my life technology speaking was when they turned on multi-factor authentication and I had to fumble around and try to find my phone and do all this other stuff, right? The best day of my life was the other three letters, single sign on SSO, right? When they put SSO in, I was like, oh, this is wonderful, right? Because I only had to do the multi-factor authentication thing once, I don't have to do it seven different times for seven different systems. So it was terrific. Great. One thing I just, 30 seconds, just curious to get some feedback is this was brought up in a session of the future of work that I spoke at was FIDO keys. Like this is probably something that might be a little alien to some people and it might even be beyond like a general need, but like, is there any value in- What did you call it? I think we missed it. FIDO keys or even- Fido like the dog? FIDO, yeah. Fast ID online, like the biometric plug-in- To the little keys that you can pop into a laptop or- Yeah, okay. Or even just biometrics, like Windows Hello for Business. Yeah, yeah. I mean, is this something that you all are seeing more people adopt or- So- Any value or is it more probably work than the benefit proposition? Oh, no, no. I don't, that's an interesting way to put it, but let me just say personally, I think it's the way we should all go, right? 
The passwordless, it's basically the passwordless movement, right? Let's get away from these 20 plus characters, even though we just did a whole presentation on it. Like let's get away from typing in passwords and let's do a different way of authentication, right? As you said, fingerprint, biometric stuff. I have a fingerprint thing on my laptop that I'm on right now. I never type in my password. I come in, I put in my fingerprint, I authenticate again against something, again with my fingerprint. So I don't actually type in my password, unless I'm on a browser for example, which that hasn't changed yet. But yeah, to answer the question, I think it's definitely, it's been a push for a while, the FIDO keys have been around for a while. It's interesting, because we've actually had some clients recently that have had conversations about the keys, but you're right, it's not just about the keys, it could be facial recognition, right? So a lot of your laptops are coming in, not just with the biometric fingerprint scan, but there's the webcam that can scan your face. Obviously for the longest time, I think with Apple, with their iPhone, you could do that right now, things like that. So how else can we authenticate other than having to figure out this very old process of figuring out and setting up a password that is 20 characters long? And yes, it's been the future. I think it really should, it will be the present soon. I would hope it is, if nothing else, it's a change management thing. I don't think it's necessarily a technology thing. I think that technology is absolutely already there. There's things that can obviously be improved upon, but it's a shift. It is absolutely a shift. And I think getting everybody on board with doing something other than what they've been doing for how many decades now is probably the bigger impediment, so to speak. 
But yeah, I mean, to me right now, and I just gave you my experience with my laptop, I don't ever have to put in my password, and so I'm kind of there already. I think there's other things to have to do after you log into your actual device. What else can you do with the web browser log into things like that? But ultimately, I am all for it if that really was the question and really moving our clients right now and just moving everybody towards that, I think is there's nothing but beneficial things in my mind when it comes down to passwordless authentication. Thank you, that's a great insight into that. Yeah, is there any like hardware limitations on that? Like, oh, you have to be on Windows 10 Pro or something like that for these things to work. I also wonder about that. Yeah, Windows Hello, I mean, there's definitely process, right? So there's Windows Hello only works with certain OSs. Obviously everything that they support, they have to be pro, you gotta be joined to Azure Active Directory, things like that. And so there's obviously some technical pieces there, but it's not something that has to be recreated or something that's not already available. It's all about adoption, as I said before. It's like, can we adopt it quick enough so that everybody can start benefiting from it, so to speak. Yeah, because, I mean, Cara's in the chat asking about, do we recommend 365 for MFA? And the answer to that is yes, if you're in 365, then you should also be adopting Azure AD and doing cloud join for your workstations. But there's a limitation to that. You have to be in Windows 10 Pro for that cloud joined and Azure AD to take effect, right? And using Intune for policies and mobile device management. This is all part of the 365 ecosystem, if you will, which requires, you have to know your licensing, basic multi-factor authentication you can do with any Microsoft license. 
If you wanna start to get some of that sophisticated setup that we were talking about, it requires an EMS license, right? Which is included in business premium, the EMS. But if you're in a different, you know, the enterprise versions or whatever, then you're gonna have to connect in with the EMS licensing. So there's a lot to it, it can all be done. Yeah, you're right. I think the cost is important. I don't wanna brush off that there's some costs involved. For sure. Like a lot of things I'm talking about have additional costs involved, ultimately, any vendor you're working with, not just Microsoft has, will have some type of technology like this. It's just a matter of whether it's part of the basic package, which it usually is not. And what does it cost you to go up to the next level so that you can actually adopt some of these technologies? Yeah. Right. So you do wanna consider that. You also wanna consider, I mean, we make our living on the professional services to set that up, right? So if you don't have somebody that's technically capable or, you know, familiar, I shouldn't say technically familiar with this new technology, hiring a professional to help you set it up properly and even manage it for you ongoing is, you know, it really, you really should, don't fumble through it yourself because the worst thing you can do is try to set this up and lock everybody out. All right, that's for days or something like that. Right. Yeah, this is a lot of information. It's great. It seems like covering all the bases here. So with that, taking a look at, everything looks like it's wrapped as far as Q&A and in the chat. So to you, Linda, Francis, if an organization believes that it's in need of a review of its security and would like to connect with Tech Impact, how would they do it? You want to put your... Best way to do it is just linda at techimpact.org and I'll get you to the right person. Yeah, let's put it in the chat. Let's put your email in the chat. Yes. 
There's Austin in there. There you go. I had a pre-prepared statement so I don't want to get across. No, it's great. I mean, we have... If we had done this, if we had done a webinar four years ago, five years ago, it would have been me, Francis, and Francis would have been the security team at Tech Impact. Now we've got what? Six people on the security team. Because that's how important this is. And again, six years ago, we would have done everything custom. Now we've done so many multi-factor authentication setups and it's relatively low cost to do this because we have a process that we can take you through. We have a security assessment. It's a low cost security. We call it SecCheck, 450 bucks. Go through questions and answer and kind of get a score and some recommendations. We also have a seven or eight or $9,000 security risk assessment, which is a more in-depth thing, right? So we just run the gamut there. Don't be afraid to call us and ask us your questions, you know. Fantastic. Well, I think with that, we've kind of hit our time here and covered a lot, even though it's a small number of slides, like you said Linda, this obviously goes very deep. This is a very important subject matter. You can't escape the news now without hearing phishing, the words ransomware, et cetera, just all over the news. You're not alone in the journey, TechSoup, Tech Impact. We are here to be stalwarts for you. You're not alone in this. The contact information for Linda is posted in the chat. My personal email is in the chat along with the customer success team. You feel free to reach out. This is something that I think, I think people are moving a little bit beyond like the discomfort with it and recognizing that support is needed. So just, you know, if you feel it's necessary, just, you know, take that next step, you know, engage with us and we can make sure that your organization is safe and secure in this crazy new, brave new world that we're in. Yeah. 
All right, well, with that, we wish everybody a good afternoon, a good rest of their morning, of course, depending on where you're at. A copy of this recording will be available in the upcoming days for all those who registered to attend. So with that, take care all. See you, bye-bye. Bye-bye.