Alex Weinert is the Director of Identity Security at Microsoft, one of the world’s largest identity platforms, processing billions of user logins every single day. His team is responsible for keeping these user accounts protected against identity-based threats such as unauthorized access, account takeover, and more. Alex has worked at Microsoft for 27 years, in a range of engineering and product management roles across products such as MSN, Visual Studio, Xbox, Active Directory and more.
Expert Insights interviewed Alex to discuss Microsoft’s identity platform, the major challenges in the identity security space today, what the future of identity looks like, and how organizations can improve their security strategies by implementing a Zero Trust approach to authentication and device management.
This interview has been edited for clarity and length. You can read a summary of this interview here.
What’s your role at Microsoft, and what is your team responsible for?
I’m the Director of Identity Security, which means that I work with the team that tries to stop account hacking. We are responsible for features like multi-factor authentication, the authenticator app, conditional access and adaptive authentication, our Zero Trust platform, risk detection, and incident response for any global security issues, so we get involved in things like the SolarWinds attack.
We are also responsible for securing the platform. We have responsibility for what we call internal security, which is the stuff that customers don’t see, like how we do background checks, and what you have to do to operate the system. We’re responsible for the security of the platform from soup to nuts, from the features for the customers all the way down to the way we implement it underneath the covers.
I’ve been at Microsoft for 27 years. Since dinosaurs roamed the earth. I helped ship the very first MSN and I’ve been in online services and distributed systems ever since. It’s a lot of fun. Before Microsoft, I had a web hosting start-up. And I was pretty intrigued by the opportunity to kind of go big and join and help build MSN instead of my little, tiny hosting company.
The identity space is becoming increasingly competitive. Where does Microsoft’s suite sit within this broader landscape, and what sets you apart beyond being the dominant platform?
I have friends in virtually all of these companies. There are a lot of brilliant people doing a lot of brilliant work. And I think that, for those of us who’ve been identity wonks for a really long time, it’s nice to see people finally recognize the importance of it. In a world where we’ve gone through digital transformation accelerated by the pandemic, the account—the login—is the thing that gets you into all the value in the world. You literally can’t buy a house, sell a car, start a company. There’s nothing you can do, no value you can obtain, without having that digital account involved.
As a result, we’ve really transformed the landscape in terms of the amount of value that is being offered to humans. Think about little simple things. If you go back to order food from your favorite food delivery place, they’re going to remember your last order, little things like that make your life easier. They’re everywhere. And they’re competitively essential. If you have two food delivery organizations, one of which did not remember your orders and one of which did, you’d go with the one that did. So, it’s a matter of survival stakes to do this.
The net of this is that we’re collecting more information than ever before; we have more of a network of relationships between organizations that are digital than ever before; we have more data being collected, processed, and consumed by more applications than ever before; we have a huge upsurge in applications. And that’s all great—from an economics and world benefit perspective, that’s wonderful.
From an attacker’s perspective, it’s surface area. There are now tons of new surface area, and there’s a huge amount of value under that surface area. The attack intensity, as a result of this, is really increasing. And the attack velocity is increasing. And in an economic downturn, there’s also going to be an increase in economically driven attacks as well.
The thing that gates all of that value is really the account. You can have all of the security features you want, you can have the fanciest, row-level encryption with polymorphic algorithms. But if I can convince the system I’m you, then it’s game over. Because the system is designed to give you the data you’re supposed to get. So that brings us into a laser focus on the criticality of identity.
I think having that focus and driving more innovation in the space is great. In terms of what I think differentiates us, I want to be careful because, again, I have a huge amount of respect for others in the industry.
We do a lot of traffic. My team particularly does a lot of supervised machine learning work, and we benefit tremendously from the volume of traffic we have. When you’re looking for low volume, very subtle nation state-driven attacks that are spread out across thousands of organizations using sophisticated technology, having a lot of data really helps in terms of the machine learning you can do and the processing you can do. So that breadth of understanding the threat intelligence that we benefit from, and the ability to process that data, I think is a huge asset for us.
And I think that, frankly, we benefit tremendously from our customers. We have a lot of customers in a lot of sectors, and so we get driven in a lot of ways. We have solutions that can span the spectrum from the most secure government environments, all the way down to the local donut shop. I think those are probably things that help us out a lot.
The other thing that I think is really important is the complexity that people are faced with. When you try to roll out a security solution, you have 25 different vendors, and you have to get the data to talk to other data, and work out how to stitch in the information. Microsoft is approaching XDR essentially with the intersectionality of the data being really, really important. We can natively do things like notify the identity system if the endpoint protection system is detecting cookie tampering on your device, which can turn around and notify the application in real time. And that whole revocation path takes place within a minute.
That’s pretty differentiated in terms of the ability to create an integrated offering that’s less complex to manage, then sort of picking a bunch of things off the shelf, and then integrating them. That aspect is practically beneficial to customers who invest in it that way. And then of course, we’re very deep in the standards space. And so, we want to also create integration opportunities for customers who want to bring in whatever best of breed thing they have. If they want the best of breed and best in suite, then we want to integrate that as well.
But I think in terms of differentiators, data volume is huge. The spectrum of scenarios that we can meet is huge. And then the integration across the platform is huge. So those are kind of the big ones in my mind.
At a high level, what are the biggest threats that you are seeing in the identity space today?
In a practical way, even though this is not a sexy answer, the threats that we were facing ten years ago are the dominant threats that we’re facing today. I’ve been in this fight for a long time, and if you go way back to 1995, when we were building Active Directory, the mental model was that you should have a complex password, and you should have this policy. And it was: “Oh, by the way, this new-fangled internet thing, if you have to connect to it, just put up a firewall.”
It was an M&M model: there’s a hard, crunchy exterior shell, and a soft, chewy internal center. That’s a beautiful playground for attackers. They can put malware on your machine—and malware is always just one click away from a user—and your VPN means nothing. And now they have command and control inside your network. So, your network controls stop mattering altogether.
And then password rules. We’ve done studies on this. The most common password policies that enforce uppercase, lowercase, numbers, and special [characters] guarantee that you’re going to have one uppercase letter, four to six lowercase letters, followed by two to four numbers and an exclamation mark. Always an exclamation mark, not anything else. So, if you make that a rotating thing, every quarter, then right now you’re going to have: Summer2022! And when you have rules like that, you have to assume that the adversary does the recon, they know what your rules are. And then they’re going to build their attacks based on what your rules are.
The standard efficiency of a password spray attack is about 1%. For every hundred accounts I attack, one will have one of these super guessable passwords, and a password spray attack maybe uses seven to ten passwords in a single attempt. So, if a password spray attack uses the most common password, like Password123! or Summer2022!, and tries that against one hundred thousand accounts using the old password rules system, that’s it. It’s so easy.
And then you also have phishing attacks and password reuse. Those three things, password spray attacks, phishing, and password reuse, are responsible for literally millions of compromised accounts every month. And it’s all because these are systems that are using twenty-year-old rules and they’re ignoring the new guidance around dictionary tracking, and they’re not using MFA.
MFA would stop all of those attacks. So that’s the unsexy answer, which is basically it’s the same old, same old. It’s password-based attacks that are the number one threat. And even the most advanced attackers do that stuff because it’s so easy to do. The tools are so well known, and the vast majority of organizations are not embracing current guidance.
Look at multi-factor authentication as the baseline. I’ve written about it; everyone has written about it for fifteen years. We’ve been saying this is what you have to do. In the consumer space everybody has to do it, and they have had to for ten years. But in the enterprise space, we’ve basically been begging people to do it. And then we turned on this thing called Security Defaults.
Security Defaults mean that every new organization that comes into Azure AD is going to come in with a security baseline that assumes they’re going to do multi-factor authentication and that they don’t do insecure protocols. There’s just a set of basic hygiene rules applied. And most customers leave that turned on.
With the help of that program, the pandemic moving people home, getting more nervous about security, and then another big boost right now from cybersecurity insurance—your premiums are lower if you do MFA—all of those things together pushed us up to a whopping 25% adoption for MFA. 25%! It was less than 1% when we started measuring in 2017, and it’s up to 25% now. But that’s terrible! So, if I was an attacker, why would I bother doing anything else? It’s so easy.
That said, the emerging threats are primarily on three vectors. One of them is various forms of MFA bypass; the dominant one we worry about is token theft. The way multi-factor authentication protocols work is that, once you’ve been introduced to an application, it may place a session cookie on your machine that allows you to continue. If an attacker picks up that session cookie and moves it to another machine, all of the rules that were in place to get that cookie are irrelevant, and you have a problem. And there are various types of cookies that can be stolen. So, attackers are looking at cookie theft as a way to bypass good security. So, endpoint protection actually becomes more important, because you’ve got to keep that malware off of your machine.
There are also things like machine-in-the-middle or adversary-in-the-middle attacks. This is where you trick someone into clicking a link, and then you have a machine in the middle to steal data. For things like that, you need technology like FIDO and Windows Hello. There’s a bunch of technologies that are not phish-able. The Executive Order On Cybersecurity requires this kind of thing so you can’t have an intermediary that intercepts the authentication pathway.
And then there is MFA fatigue. If you have approval mechanisms like, “Pick up your phone and press one to approve,” attackers can just wear you down. They’ll call an employee over and over again, until finally they say, “Yes, just make the phone call stop!”
Those are three of the MFA bypass things that I think are interesting. The second vector that’s really important to understand is application attacks. We were talking before about how we’re moving so much data to the cloud. The net of that is that there are more applications, and applications have identities too. They have authentications too.
Unfortunately, there are a lot of issues here. Developers might chuck the credentials in with the code. And the net is that attackers have figured out that if they want to get to the data, they can get there via the application, which can’t do MFA. I think that that vector is increasingly important.
We’ve done a bunch of work recently to extend all of our protections and all of the configurability—I think we’re the only ones doing this right now—for all the workload identities. We have all the protections in place, and that is really important.
And you asked about differentiation; the reason that that work got started was actually not SolarWinds, it started with customer demand. So, when the SolarWinds attack hit, we were able to drop it pretty quickly. That is a good example of us having all of these customers that are pushing us hard, and being responsive to that. And that helped us a lot.
But the application-centric stuff is really, really important. The other place it comes in is that, if an attacker can get you to give consent to an application, you are bypassing MFA rules. Because it’s actually the user that is fully authenticated. And then you can give applications permissions to corporate data.
And then finally, I think, and this is probably the hardest one to deal with: supply chain is a thing. Attackers, especially sophisticated nation-state attackers, have figured out that it’s a whole lot easier to compromise one organization and then be able to pick from the 100,000 organizations that they support. SolarWinds was an example of this. You compromise that infrastructure and then you have access to all these customers.
We see it in the vendor space a lot. Many organizations don’t have the staffing to go and run backups and network traffic analysis, so they hire a third-party company. But if you don’t understand the security posture of the company you’re hiring, the account that is coming into your system might well be a compromised account.
So, if you want to lose sleep at night, those are the ways I could have you lose sleep. MFA bypass threats, application threats, and then supply chain threats. Those three, I think, are the big ones right now.
Again, practically speaking, your organization is probably not getting compromised in these ways. It’s getting compromised because you have archaic password policies and no MFA. If you fix the MFA problem, then you have to worry about the other problems. Until you fix the MFA problem, you might as well not worry. Because it’s like you have the barn door open and you’re worrying about how good the lock is on the side door. It doesn’t matter.
You talk about only 25% of organizations using MFA—despite all of this push in the industry, why do you think the adoption rate is still relatively low, although a lot better than it was? What more can we be doing to encourage people to use MFA?
I think compassion is important. Organizations have tight budgets and lots of priorities. They have executive pushback, and they tend to be resistant to change.
Also, I think there are a lot of outdated impressions of what MFA means. Some people think of MFA as a terrible user experience.
Multi-factor authentication is generally considered to be a combination of three factors: something you are, something you have, and something you know. For me to get onto the laptop I’m on now is extremely secure. It’s FIDO-based, with Windows Hello. The camera sees my face and does a biometric handshake. Biometrics, plus possession—I have the laptop—that is my multi-factor authentication. It’s really, really easy.
For the organizations that aren’t doing this, the perception is that you have to type in your password, then you’ll get a phone call, then you have to take a phone call again, and again, and again. But that’s not actually the user experience for modern MFA. It’s extremely low friction, and I think that perception problem—that fear of friction—is a huge part of it.
In a world where everybody—from Google, to us, to Twitter, to whoever—is doing MFA as a matter of course, users are used to MFA. And the technology for MFA has gotten much lower friction. So, I think that fear is unfounded now, but it still exists. So, limited budgets, the ability to adopt change, and fear of the friction are probably the big things that create resistance.
Now as an industry, we’re trying to move away from passwords altogether. It turns out all password attacks fail if there’s no password. So, moving to things like the FIDO standard. The FIDO standard is cool, in part because, as well as being cryptographically very strong, it allows for many different form factors.
And Passkey is going to bring the FIDO standard to mass market. Every single phone in everybody’s pocket is going to be a FIDO key. And it’s going to be well-integrated into the operating system experience.
As a result of that, I think we can see probably a mass market shift away from passwords as the first step altogether. The Cybersecurity Executive Order in the United States is also helping, and the NCSC in the UK also provides guidance that moves us away from passwords. So hopefully, we actually don’t get everybody to adopt password plus MFA. Hopefully, we get ready to actually switch to this single, passwordless thing.
Think about signing into your phone every day; whether you use a fingerprint or your face, it’s really easy. It’s also really secure. There’s no password in that flow. It’s lower friction, it’s more secure, that’s where we want to go. I think the consumer push will really help us.
And really, speaking as one of the handful of people in the world that knows this well, you can’t secure your assets with a password. You just can’t.
Every single aspect of the password, the guess-ability of it, the intercept-ability of it, the crack-ability of it, the human sociological behaviors that drive commonality in the way passwords get picked, are just super bad.
If you have a system that will only accept passwords, a password generator is great. As a consumer, that’s good for you to think about. But for the mass market, most people just think it’s a new piece of technology they have to learn. That’s easier than learning how to use a password manager—and we offer one, and I’m proud of it, I love it—but it’s for use until the applications have converted over to accept modern credentials.
And I think there’s huge help on the horizon. The work that is going on right now on the phones, by our collaborators and sometimes competitors, Apple and Google, is really promising. And we’re doing it in Windows as well, where you can essentially have a token—your phone—and you can sign into your session with that token. That changes the world in terms of the ease of use and the security. It’s just a much better position to be in.
Broadly, where do you see the direction of travel for the identity space? You’ve already mentioned FIDO technologies and passwordless, is there anything else you would highlight?
We just did a big announcement about Entra. Entra is a response to this massive digital transformation we’ve had, where we’ve moved most of our processes into the cloud and so now everything is around digital relationships. Those digital relationships can be like government to citizen, they can be business to client, they can be business to business, they can be business to employee. There are lots of these relationships that exist and many of these require more than a single source of trust.
The old model was to have Active Directory in your domain environment, and that was your identity world. Now we’re in a world where all these systems have to talk to each other. So, increasingly, the model is, how do we think about having identity systems that can model the sophistication of real-world sociological and business interaction? And there are also practicalities, like everybody is multi-cloud—no business runs on just one cloud.
From a security perspective, it’s having the tools to reason over what is privileged in this environment, being multi-cloud and multi-environment, but still doing privilege and entitlement management in that space.
From a consumer perspective, think about digital onboarding, and having the ability to say that I am who I am to many different parties. I’m a diver, I have a dive attestation card in my wallet. I can go to a scuba shop anywhere in the world and choose whether to show that card. I can also choose not to show it—I can choose who gets to see it and who doesn’t. That one attestation from the scuba certification authority is usable in multiple different places on my say-so.
We don’t currently have that model for our digital identities. We don’t have this model like a state-issued driver’s license, where you can choose to show that you are old enough to buy beer. That system is missing. So, one of the things we’ve launched with Entra is Verified ID, which is essentially decentralized identity. It’s all about the holder or the bearer of the credential having a lot more power about when it is revealed, and the user always having present and verifiable credentials. And it unlocks amazing scenarios.
There are the basic use cases. Like, if I need to onboard an employee I haven’t seen in person, they can present a digital identity. Or, if I’m travelling and I lose my laptop, and I need to get set up with a new FIDO token and a new laptop, I can use my digital identity as part of that process. Where it gets more interesting is where you get into zero-knowledge proof. So, if you’re a surgeon and you need to go and operate, and you need to show that your medical license is valid. Or, if you’re the radiologist, and you need to prove that you know how to use the machine correctly. Those things all become part of the authorization flow.
It feels natural. When you sign into these systems, when you go to do these tasks, you’re showing that the certification is current, and you’re choosing whether to show it. If you’re a doctor working at multiple different hospitals, you can go from hospital to hospital and decide when to show that credential. I have one issuing card from the training authority and I can choose where to show it.
In manufacturing or business to consumer situations, you can prove you’re allowed to export whatever you’re exporting. For business to business, if you’re working on a project, you can show you have an attestation from the airline manufacturer for example, if you’re an airline engineer. These attestations are incredibly valuable and important and really raise the bar in terms of the way we can model natural human interaction into digital identity systems. That’s another major thing I think is super important.
So, it’s the security piece and then, almost from the other end, it’s interacting with these systems as an individual human in a much more natural, privacy-preserving way.
And then the last thing about these verifiable credentials is that, as a consumer of those credentials, we don’t store anything. We don’t have to store your address or your phone number or any of that stuff, which is toxic in the world of privacy regulations and data locality. We can empower the user to carry out for themselves.
Entra is really speaking to this theme, which is that identity is far more important now than just signing in. It’s about how we go about our daily lives and how we interact in our businesses. And we need the tools that reflect that sophistication. It needs to be simple to use, natural to use, but also needs to respect the fact that our digital identity now is about the relationships we have with multiple different people, as a business user or as an end user. That’s where the future is going. And from a security perspective, it’s essentially the same thing. Security has to tie in all those signals and give you the power as an individual to say: “I have the tools I need to make good decisions about the security of my organization.”
My final question is around Zero Trust. We hear a lot about Zero Trust in the industry today, but many organizations struggle to define what it should mean for them in practice. How important is the concept of Zero Trust to Microsoft, and how can organizations really get started with this framework?
We’re very deeply invested in this area. We talk about it a lot, and we argue a lot! One interesting way to think about it is that Zero Trust is really about proactive security. It’s about the things you do before bad things happen, to keep the bad things from happening. And the principles are very simple. It basically says that, if you care about an asset, before you let someone have access to it, you need to verify that they are who they say they are, and they are coming from a device that you trust. And you need to make sure they can only do what they’re supposed to do, so you have a least-privilege access model.
So, the first thing is explicitly verifying every request. The second is asserting a strong least-privilege access model. And then the third one, and this is the least comfortable, is that you have to assume that bad things will happen anyway. And you have to assume your security team is tired and overwhelmed, so you have to invest a ton in automated response. You really want to think about automatic detection, automatic mitigation, and automatic containment. Because there’s a global shortage of about 3.7 million cybersecurity professionals. In the United States the shortage is around 700,000.
So, those are the three core principles of it. When you think about how to implement that in a practical way, there needs to be a way to intercept requests, to evaluate those requests in a rich way, against policy, and then ideally to use that policy decision point to trigger policy enforcement. And the evaluation might stop the request right there, or it might allow you to access a resource but not download the documents or give more granular controls.
Generally, the farther you can extend the horizon of enforcement, the farther you can extend the horizon of productivity. In other words, you can say: “It’s okay to work from home, because I know you can’t download documents. But if I don’t know I can protect you from downloading documents, I don’t know if I can let you work from home at all, because I don’t have the controls to make it safe.” Controls make things safer, like guardrails on a highway let you go around the corner faster.
In our world, the center of that is identity. If you think about single sign-on, what happens is you go to a resource and say you want to get in, and the resource says you can get in if the identity provider says so. And at that point, the user, the client, the network is provided firsthand to our policy evaluation, the Zero Trust engine. It’s about to look at that request, interpolate our threat intelligence data and machine learning, and give you an assessment on the risk threshold based on the user role, types of devices, network. And there’s a whole set of policies where you can say, “This looks good, let them go on,” or “Limit the downloads.”
That’s the model you can get into. The core is, you never give access to a resource until you have evaluated the requester, and that you’re doing the least you can do in terms of privilege. You can do that by forcing users into a network, and egress from the network requires a policy check. You can do it by putting an agent on every single machine, and not giving access to resources without the agent. You can do it in lots of different ways. The way we do it is through identities, which is super convenient because you don’t have to put those agents on every machine, and you don’t have to change the apps.
Tying it all back to the very beginning, we’re in a world where MFA adoption is hard for people. When we talk about Zero Trust, it’s actually maybe most valuable to simply say: every request to any resource you care about needs to use multi-factor auth, and needs to use some sort of device management. And you can almost say that is Zero Trust. For the mass market, for the vast majority of people, if we can get them that far, we’re blocking north of 99.9% of the attacks. And then we can start the conversation where we can get super sophisticated about bringing in insider attack protection, or data protection, or whatever.
All that stuff is possible and exciting and cool! For most organizations, you just want to say, Zero Trust means use MFA and make sure you’re on a managed device. Get those two things right and you’re so far down the path. Every single application access should be through single sign-on; I would say single sign-on is a very easy way to do this. Put your policy checks in the single sign-on and make part of that policy check the requirement that the device has current malware protection—you don’t need to own it, but you need to know that it’s safe.
If you did that, you’d be massively down the road in terms of getting started on Zero Trust. For the average person, that’s the answer. Zero Trust equals strong device, strong identity. That’s it.
Find out more about Microsoft Entra and Microsoft’s suite of identity and access management solutions here: https://www.microsoft.com/security/business/identity-access/microsoft-entra-verified-id