What if tomorrow we lived in a secure, password-free world?
Ai³ is a key player in the integration of the full range of digital technologies into the professional world. Olivier Lepeltier, Director of Innovation at Ai³, and Fabien Balny, Head of Strategic Alliances at Ai³, met Joy Chik, Vice President of the Identity division within the Microsoft + AI group.
Here is the edited version of the interview, in English:
I imagine that being CVP for identity is very challenging. Could you tell us what keeps you up at night?
It is indeed very challenging, and a number of things keep me awake at night:
First, I’m responsible for ensuring that companies have full trust in Microsoft’s identity and access management platform and that consumers have full confidence in Microsoft’s services. My team manages over 1 billion commercial identities through Azure Active Directory (Azure AD) for 20 million organizations worldwide, handling 25 billion authentications daily. We also manage billions of identities used by consumers for Microsoft services such as Windows, Office 365, Outlook.com, Xbox Live, and Bing. That’s a lot of responsibility.
Second, my team is on the front lines, defending against attackers who are trying to stop businesses and institutions from doing their work. From critical infrastructure to the corner store, we are focused on protecting our customers. We’re working hard to eliminate risks for businesses, but keeping people secure is just as important. Bad actors are also trying to impact elections and democracy itself by masking their identities and manipulating information. The stakes have never been higher.
On the bright side, running identities is also fun when it’s done right. We can delight end users when we help keep authentication secure and simple so they can be productive and unleash their creativity. Customers also have a better experience when they feel their privacy is being respected. In our view, privacy is just as important as security.
Could you explain like I’m 5 years old: why does identity in the workplace matter?
To explain identity to a 5-year-old child, I would use real life examples from her world. You use Xbox, right? You use Minecraft, right? Before you can play, Minecraft has to know who you are, so you can get your points and collect a lot more. These are your points, so Minecraft has to make sure no one else pretends to be you and messes up your game. That’s what I do: I make sure that you and only you can access your Minecraft profile.
If I’m explaining my role to a teenager, I use the example of securing a house. The front door lets you gain access to your house and everything kept inside, like family photos, financial records, or your personal diary. To go through your front door, you need the right key. You keep your key secure so no one else can get inside your house and gain access to your personal belongings. I do exactly the same thing in business: I help make sure that the front door to your house is secure and that no one can get inside to spy on, steal, or destroy your personal information. In business terms, I help make sure that only you can access your files and Microsoft services.
Speaking of children, we as Ai³ contribute to Code.org’s “Hour of Code” program. What do you think about that?
I think it’s great. Microsoft is a corporate partner of Code.org, and I’m personally a member of the board of trustees for a US organization that advocates for women in tech and focuses on raising the next generation. Coding skills are a “must have.” Every single company undergoing digital transformation uses code every day. That’s why it’s so important that we develop and support programs like “Hour of Code.”
In your view, what are the primary security threats/challenges that companies face today?
The sophisticated nature of cyber-attacks today means that no company can afford to live in a purely on-premises world anymore. Why transition from traditional ways of doing business to one that’s fully digital, as well as 100% online and “cloud friendly”? In a word: security. Security can be more powerful in the cloud than on-premises. Our job is to help our customers understand the need for cloud-based security more deeply and to give them the simplest ways to undergo the necessary transformation. That said, we understand that no customer can make the switch from on-premises to the cloud overnight. Most are living with heterogeneous, hybrid systems that grew over time. That’s why our solutions span on-premises and cloud, and why we support open standards to make it easier to integrate applications, third-party security solutions, and other identity providers.
What important steps should security leaders start to take to better protect their data, lower the risk of cyberattacks and enhance employees’ experiences?
In my session at Microsoft Experiences last year, I mentioned that 81% of breaches involve passwords that are weak or stolen. So, the first step to better security is to better protect the identities of your organizations’ users.
If I could convince people to do just one thing, I would say, “Turn on Multifactor Authentication (MFA)!” Just doing this will lower the risk of breaches by 99.99%. This is the same for consumers and for enterprises. Everyone should use MFA.
In terms of improving the user experience, the real point of differentiation for Microsoft is identifying when an environment is safe enough that we don’t need to require MFA when a user tries to access an application or document. We’ve made a major investment in this kind of “adaptive authentication” with our Azure Active Directory Conditional Access feature. Most of the time, you shouldn’t be prompted to authenticate by MFA. In riskier scenarios, such as when a user is travelling and tries to connect via an open network in a café, the system will request MFA. People don’t want to go through an extra step every time they try to access a resource, so we only make them do it when there’s a perceived risk. This improved experience should increase adoption of MFA and other security controls.
Why transition from a very password-focused authentication to a password-less one?
No matter how complex password rules are, passwords remain insecure. When you impose a lot of rules for setting a password, you’re just feeding your algorithm to hackers. Furthermore, complex passwords are hard to remember, which encourages people to adopt the bad behavior of using the same password across multiple services.
If one service leaks your credentials, you can easily become a victim across other services. The only reason we use a password is to identify a specific user. If someone has stolen your password, they can identify themselves as you. With the Microsoft Authenticator mobile app, instead of a password, you provide two factors of authentication to make a secure connection: something you have, which is a mobile phone, and something you are, like your fingerprint or facial recognition. There’s no password to steal or remember, and it’s more secure.
The fingerprint and the face are biometric data. Do you think we can guarantee that personal data are protected and well managed?
We don’t use or publish biometric data, like a picture of your face, as part of authentication. The Microsoft Authenticator app running on the device takes biometric measurements and puts them through an algorithm to create a unique identifier that’s stored locally on your device. The app uses the same algorithm to process the biometric measurements of the person trying to authenticate, and then compares the result. The only information we send to the cloud is “match” or “no match.”
Because your biometric identifier stays on the local device, it stays with you and you have control over it. That’s where we believe privacy is going. We want to empower every individual to own their personal digital data as they work to be more productive and achieve their goals. To enable this, Microsoft is working on decentralization of identity. When we say “decentralized,” we mean that no central organization or institution owns a user’s digital identity. The user owns it. With a decentralized identity tied to a blockchain ledger, we can create a kind of passport that every organization or government can access and trust to recognize you. You decide who can share your information and what they can share. You can decide that the relationship is over and revoke permission at any time. To ensure that this decentralized digital identity is secure, we’ll rely on password-less authentication.
According to you, what is the future of digital identity and how do you define it?
We believe the future will be about decentralized identity. We’re building support for decentralized identity into our platform so our partners and the developer community can leverage it. For example, we recently announced that we’re partnering with Mastercard to decentralize their identity solution. Mastercard needed a way to securely connect with their customers and give them full power and responsibility over their own digital financial information. The idea is that individuals and organizations will interact and collaborate over how personal information gets managed and used.
How do your teams work to build this vision and to leverage the new solution? Do you work with some academia, researchers…?
Microsoft is contributing to the ID2020 platform, which is based on open industry standards. The goal is to give each person a digital identity they can use to access credit, find employment, or seek asylum. This would really help refugees, for example, which is why the United Nations is involved. But we have to be very careful, because we don’t want anyone’s information to be misused.
It’s a complex project that requires alliances across many different entities using many different platforms. We need to use common protocols and open standards to bring all of this together.
Having a single decentralized identity linked to a blockchain is a long-term vision. In the near term, we’re working to connect the different identities and individual uses. LinkedIn provides a near-term example of this. You can link your LinkedIn profile to your Azure AD account. A business colleague you’re going to meet with can then look up your LinkedIn profile via Azure AD. This lets them get to know you in advance so you can have a more productive meeting and deepen your personal connection. This integration lets you leverage your professional graph in new and exciting ways. For example, you may get a notification saying, “A person you’re meeting with went to the same university.”
We use similar Azure AD integration with GitHub, so that GitHub users don’t have to create a separate identity.
For Artificial Intelligence, Microsoft has a partnership in France with INRIA. Do you have similar partnerships with French academia or researchers related to security?
From an educational perspective, École Pour l'Informatique et les Techniques Avancées (EPITA) has sponsored a lot of programs in identity and access management and security for services. Several technical universities offer cybersecurity programs that teach students about Active Directory and Azure AD.
We’re sponsoring several initiatives to support security researchers in France and are working with major partners to build a community of security professionals.
You said that you would probably have several solutions to manage identity and enable interconnection and transfer of personal data from one identity to another. Do you think standards will help with this?
Certainly! The solution lies in a common strategy, based on open standards, for identity and access management. I don’t think Microsoft creating multiple identity management solutions is the right approach. That would add complexity and create gaps that make it harder to share and use information. The real question is how we enable trust between identities to manage access control:
- Between your professional identity (LinkedIn) and your work identity (Azure AD)
- Across multiple applications, with a consistent consent model
- Across diverse organizations, whether business-to-business, or business-to-consumer
The cloud is diverse. Customers need the ability to integrate security solutions, including at the identity level. The best way to do this is to embrace open standards, so Microsoft supports and contributes to a number of open standards working groups, including OAuth, FIDO 2.0, and SAML. We want to make sure our customers, and partner providers like Ai³ who support them, have the flexibility they need as they chart their own path to digital transformation.