Passwordless Authentication Introduction

The Secret Double Octopus passwordless authentication platform is a highly scalable, reliable and easy to use system designed to help organizations large and small increase their security and improve their end user experience.  Direct Business Technologies is a strategic partner and integrator of the Secret Double Octopus platform.  You can find additional details about our passwordless authentication services here.

The Secret Double Octopus platform eliminates the need for users to enter in passwords across the enterprise.  Secret Double Octopus provides many integration capabilities for organizations to integrate applications and authentication flows into the passwordless authentication process.

Common integrations for passwordless authentication:

1. • Windows, Mac and Linux Desktop Login
2. • VPN Authentication
3. • Run-as Admin Operations such as PowerShell
4. • Remote Desktop with NLA support
5. • SSH Authentication
6. • Web based Single Sign On (SSO) based applications via the SAML 2.0 Protocol (Microsoft 365, Okta, Google Workspace, CRM platforms, Helpdesk systems, etc)
7. • VDI Platforms such as Citrix, VMware, and Parallels
8. • Microsoft Exchange On-Premises
9. • Custom/Legacy application integration
10. • Air-Gapped environments such as SCADA networks

Benefits of going passwordless:

• • Increased security by eliminating password reuse
• • Increased security by enforcing multi-factor authentication on every authentication
• • Increased security by implementing phishing resistant MFA
• • Regulatory compliance for various standards including PCI-DSS, HIPAA, SOX, SOC2, CMMC, DFARS, FedRAMP, FTC Safeguards
• • Reduced helpdesk call volume – on average, customers reduce their helpdesk support calls by 30% due password reset and account lockout tickets virtually disappearing
• • Improved employee morale – removing barriers to performing employees jobs improves employee satisfaction and leads to employees retention rate increases
• • Improved employee productivity – Employee productivity increases are common after passwordless authentication implementation due to less time spent on support calls getting passwords reset and accounts unlocked

Let’s dive into what passwordless authentication from Secret Double Octopus provides for organizations big and small.  This blog post is focusing on providing an overview of the end user experience for Windows Active Directory domain-joined machines.

We will be reviewing the Secret Double Octopus authentication platform with server version 5.8.2 in this blog post.

The End User Experience

Seeing is believing!  Below are two videos and details of these configurations showing typical authentication scenarios within the Microsoft Windows operating system.

Domain-Joined Workstation Login Experience

This video provides a quick demo of the end user experience to log into a domain-joined Windows machine using passwordless authentication from Secret Double Octopus.  Below the video we go into details on what is happening under the hood.  The steps to login are easy:

1. 1. Enter your username
2. 2. Select your authenticator (if applicable)
3. 3. Approve push notification
4. 4. Supply your biometric, faceID, or phone passcode to your mobile device
5. 5. Get signed in (note, the video below showcases an adaptive MFA process for first time login which adds an extra step)

Run-As/CredUI Prompts

This video shows the authentication experience for run-as operations and remote desktop NLA prompts.  The Secret Double Octopus credential provider invokes anytime the operating system invokes an authentication prompt.  In this example, I am logged into my demo machine as user ‘DBTLAB02\justin’ and will be running powershell as admin.  This will showcase SDO protecting CredUI prompts and that SDO can support multiple accounts on the same mobile authenticator app.

1. 1. Select Run as (Powershell as Admin in this example)
2. 2. Select authenticator, if required
3. 3. Approve request on mobile authenticator
4. 4. Supply biometric/faceID/phone passcode

Authentication Flow

Wondering what exactly just took place in the above videos?  Here is what is happening at a high-level in the authentication flow.

1. 1. User enters in their Active Director username to the Octopus Credential Provider
2. 2. Username is sent to Octopus Authentication servers to be authenticated
3. 3. Octopus server checks if the user is a member of the Active Directory Authentication service and processes authentication accordingly
4. 4. Octopus server sends push notification to end users registered mobile device/Octopus Authenticator app
5. 5. End user approves the authentication on their trusted device (First Factor) and supplies their Fingerprint/FaceID/Passcode to confirm their identity (Second Factor)
6. 6. If required, SDO will change the user’s password in Active Directory, otherwise it sends the stored credential from its password vault down to the workstation
7. 7. The password is decrypted using the machine certificate private key and inserted into the Windows Credential Provider in the background and the user is logged into their machine

What the Heck?  It’s Changing My Password?!?

You got it!  From a workstation logon perspective, Secret Double Octopus acts as a very sophisticated password manager and vault (this is the easiest way to describe it).  To provide the greatest level of flexibility and integration with on-premises and legacy based applications, SDO is maintaining the use of passwords on user objects within Active Directory.  When users log into their domain-joined machine through SDO for the first time, the platform will take control of the users credential and set a new password in Active Directory.  Once the password is changed in Active Directory, this password is then sent down to the users machine and inserted into the custom Windows credential provider in the background, completely seamless to the end user.

Before user credentials are changed, the following conditions must be met:

1. 1. The user’s machine has connectivity to an Active Directory domain controller (Otherwise how would the machine validate the new credential?)
2. 2. The user’s current credential in Active Directory is older than the age of the password policy setting in the directory settings of the Secret Double Octopus directory configuration
   OR
   The user’s account has been flagged to force password rotation at the next logon by an administrator
3. 3. The authentication being performed is going through the Active Directory Authentication service in Secret Double Octopus (Basically, a logon to the computer, not a SAML or RADIUS server)
4. 3b. There is an option to allow an LDAP based application authentication to rotate passwords, there are specific scenarios to use this, but that is out of scope for this blog post

Password Policy

Password rotation for end users is controlled by a password policy that is unique per directory within the Secret Double Octopus platform.   The password policies within Secret Double Octopus determine how often a password is rotated, how long to set the password and what type of characters to use.  This password policy must meet the minimum requirements within Active Directory.  If your AD policy requires 14-character passwords, you must set the password policy within the SDO directory to be a minimum of 14-characters, or the password rotation will fail.

Authenticator Options

The Secret Double Octopus platform offers a wide range of authenticator options to provide the most flexibility possible for your organization.  There is no additional license required from Secret Double Octopus to utilize these authenticator options.

That’s a Wrap!

Thanks for reading!  We hope that you found this post showcasing passwordless authentication for domain-joined machines helpful.  If you would like to get a personalized, in depth demo of the platform, feel free to reach out to us via our contact page.  If you are an existing Secret Double Octopus customer and would like to discuss our services, please let us know!

Feel free to browse additional blog post content here.