In previous blog posts I’ve made, I’ve been quick to redirect readers to others’ blogs when I see an awesome post that covers a topic I’m interested in really effectively. Today is no different, except that I’m going to share with you two posts at the same time.
Enable Password-less Sign In With Security Keys
A month or two ago a colleague showed me signing into the online Office Portal using a Yubikey – what intrigued me was not just no need to enter a password, but no need to enter a username. From this, I quickly obtained my own Yubikey, set up a demo environment and ended up demonstrating this during a presentation on Data Privacy and Security Considerations at the Independent Schools of New Zealand Annual Conference.
As I was getting on a plane this week I read Peter van der Woude’s latest post on using this technology to go a step further: signing into a Windows 10 1903 machine with a Yubikey but also managing all of this via Intune (additional information here):
If you’ve never used a Yubikey before, you essentially configure them with account credentials, which could be anything from your AzureAD username/password, through to your social media or other cloud services accounts, protect the key with a local PIN and/or biometric and you’re done. When you’ve configured a service, such as Twitter, to use your Yubikey, you’re prompted to insert the key into the device to authenticate, unlock it with your PIN and/or biometric, and the authentication is completed. The important point is you’ve never entered your username and/or password.
People often ask me, why is a PIN more secure than a password? Well, I’d suggest you read this article from The Verge, but perhaps more importantly, this documentation from Microsoft, which goes into detail on the following reasons:
Why is a PIN more secure than a password?
- PIN is tied to the device: That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they’d have to steal your physical device too!
- PIN is local to the device: A password is transmitted to the server — it can be intercepted in transmission or stolen from a server. A PIN is local to the device — it isn’t transmitted anywhere and it isn’t stored on the server.
- PIN is backed by hardware: The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant.
- PIN can be complex if enforced by the organisation: You can require or block: special characters, uppercase characters, lowercase characters, and digits.
Why does this matter for education?
The ISNZ conference I presented at had a theme of “The Future of Talent” and all educational institutes need to be thinking about how they’re preparing students for the workforce, and this includes actively teaching and modelling good digital citizenship when it comes to security. Of course, this extends to parents as well: my eldest daughter signed up for Instagram this week and the first action I required of her was to set up multi factor authentication.
In many K-12 and Higher Education institutes, students use shared devices and routinely enter their passwords. A Yubikey would both simplify and secure this approach. Similarly, for younger students who often find it difficult to remember a username and password combination, using a Yubikey and remembering only a PIN could be a more effective approach.
I’ve been advising customers that MFA should be seen as a requirement for any senior leadership staff, HR, Finance and those dealing with pastoral care records in education, but to further protect their identity credentials using something like a Yubikey would be a sensible approach, especially given the relatively low cost of the keys and the ability to use them across almost all online services now. I have configured my Yubikey as an authentication mechanism for:
- Microsoft Account
- Google Account
If you’re not doing MFA or would like to know more about a password-less future then read Peter’s blog and talk to your local IT Team or Partner.
User Interactive Win32 Intune App Deployment with PSAppDeployToolkit
The second guest blog post I’d like to call out today is from Stefan van der Busse and showcases his great work extending some of the advanced Win32 app deployment features of Intune and combining it with User Interaction to deliver a really slick customer experience.
Stefan’s blog post, like Peter’s, is aimed at the IT Admin, but it is focused very much on improving the end user experience by prompting them when an application is going to be installed or upgraded, giving them the option to defer the process or requiring them to quit active or dependent applications before the install can proceed:
To see it in action watch this YouTube video:
Stefan explains why this is important in his blog:
How can we provide end users whose devices are managed with Microsoft Intune (Standalone) with a better installation experience, for high user applications while not relying on them to self serve application updates using the Company Portal?
Services like this have previously been available through on-premises tools such as SCCM; however, the solution presented by Stefan via Intune ‘un-tethers’ the end user from the workplace, meaning these updates and installs can take place anywhere the device is connected to the internet. Education, like most other verticals, has an increasingly mobile workforce and customer base (students), so the ability to deploy apps ‘any time, anywhere’ is only going to grow.
Again, I encourage you to read Stefan’s original blog post here.
My Final Thoughts:
If you’ve not picked up on it already, I’m a big fan of Intune as an MDM for managing Windows 10 in a modern way, and the two guest blogs I’ve shared today show innovative ways of improving the security and app deployment processes for organisations.
For educational institutes, who increasingly hold and manage hyper-sensitive information on students and staff, taking steps towards MFA and a password-less future is critical, and is a responsible approach to modelling good Digital Citizenship to both employees and students.
Similarly, adopting modern, cloud-first approaches to device management and app deployment will reduce costs for educational institutes whilst increasing flexibility in terms of not requiring IT Services to physically touch every device or have it on the local area network.
Lastly, I’m grateful to all those bloggers out there that write incredible posts that I can reference from my blog! Thank you!