Vlog: Why 1Kosmos and Microsoft Entra Are Better Together
Join Robert MacDonald, VP of Product Marketing at 1Kosmos, and Vikram Subramanian, VP of Solutions, as they explore the integration of 1Kosmos with Microsoft Entra, enabling passwordless authentication, hybrid environments, and enhanced security for enterprises. Learn how 1Kosmos bridges gaps in the Microsoft ecosystem, providing a unified, secure experience for users across platforms.
Robert MacDonald:
Hi, welcome to our latest blog. My name is Rob MacDonald, I’m VP, Product Marketing, here at 1Kosmos, and I’m joined today by Vikram. Hey Vikram, how are you doing? Why don’t you introduce yourself?
Vikram Subramanian:
Hello everyone, I’m Vikram Subramanian, Vice President of Solutions at 1Kosmos. I just lead a bunch of mad scientists who put solutions together. So Rob, excited to be here.
Robert MacDonald:
Yeah, have a listen, I’m glad that you could take your time away from holding this place up to come and talk to us today. So Vik, today I want to talk to you a little bit about Microsoft. So I think as we know, as an industry, Microsoft is in about 98% of all Fortune 2000 organizations, they’re everywhere. And traditionally, they’ve been on-prem, over the last number of years they’ve been moving into the cloud with Azure, which has now been rebranded to Entra, and Entra ID. So in that transition, it was difficult to connect into the Microsoft stack. But they’ve recently made a couple of changes that now enable organizations to become an authentication method into these platforms. So why don’t you tell us a little bit about what’s going on in the Microsoft world and what that means to us as an industry?
Vikram Subramanian:
Absolutely. So, Entra and Microsoft have really become partner-friendly now. I think a lot of our clients have been requesting Microsoft to do this for quite some time. The primary use case has always been that a lot of our clients want their single sign-on solution to be Microsoft Entra. With the movement of Active Directory from on-premises to Entra, at that point in time, they want all of their users to come in, go and jump off into other applications through Entra.
However, we as 1Kosmos have always been advocating for passwordless authentication. Users every day, yes, passwordless is great, but you can’t move all users with a snap of a finger. So what do you do? You have to slowly start migrating them. This was not possible earlier. The only MFA factors that were possible to introduce to the end user were from a select set of vendors, Microsoft themselves being one of them, and it was a difficult proposition for our clients to combine the usage of Entra as well as 1Kosmos.
So now, with external authentication methods, what they have done is they have allowed for external vendors to come in and offer up their MFA solutions as one of the options and really provide Entra administrators an easy way to configure this into their platform. And it’s all standards-based, which means now end users can do the first factor authentication in Entra, do the second factor in 1Kosmos, and off they go to the applications that they want to go ahead and authenticate into.
Secondly, the other big thing that has come out, of course, that is very interesting to me: if you have a Windows 11 machine and a certain subscription of Entra, at that point in time, what Microsoft has enabled is the web sign-in method. With 1Kosmos supporting standard federation protocols like OIDC as well as SAML, what you have the capability of doing is now doing QR-code-based sign-in natively in Microsoft without installing any agent on the endpoint. So it’s agentless, passwordless authentication that 1Kosmos can offer through our integration with Entra.
Robert MacDonald:
Well, that’s pretty exciting. So, that’s a substantial shift in what we’ve seen over the last number of years, specifically with Microsoft, and then even within our customers themselves. So Vik, what happens if an organization has Entra and an on-prem AD? Do those two things work together easily? Is there one authentication method from Microsoft that organizations can use to leverage that, or is there a different way that organizations have to go about doing it? And does this help them in that hybrid type environment, that maybe some organizations are in, as they move things to the cloud?
Vikram Subramanian:
Correct. Yeah, I think the biggest usage of 1Kosmos is going to be for organizations that are stuck in the middle now. I mean, they have regular on-prem AD joined machines, they have hybrid Azure AD or hybrid Entra AD joined machines, as well as pure Entra joined machines. So the combination of this environment presents a number of challenges for them to offer a unified experience to the end users. Don’t get me wrong, experiences can be offered individually, just by retaining all the methods that Microsoft can offer. But if you want to perform or provide a unified experience across your entire user population, that’s where 1Kosmos comes in. And we provide a variety of methods of integrating with Entra.
So the primary method is, we can become the IDP within the organization, get all your applications, retain your investment in Entra, get all your applications embedded within Entra and integrated with them. And now, with our latest update, we have support for the WS-Fed protocol, which is a legacy protocol that Entra requires, and we are able to support that, which means that now you can run conditional access within Entra, but really, offload the authentication to 1Kosmos, where the user can do passwordless and password and OTP-based authentication through our 14 different factors that we offer.
Then along with that, what we also support is on-prem Active Directory joined machines, where our agent can be installed and users can do passwordless. For hybrid Azure joined or pure Entra ID joined machines, you have the web sign-in method and the users can utilize the same QR code. So unified experience: log into the workstation and the same experience can happen on the web also. This means what the end user has is a single experience, a single place to go to do everything and a single authenticator to use for everything, which means fewer service desk tickets, right?
Robert MacDonald:
Yeah, absolutely. So let’s talk a little bit about the everything. So when you look at enterprises, we know that they’ve got, obviously, Windows machines, I’m sure they’ve got Mac, Linux, they’ve got a variety of different, maybe VPN, they may have other things that maybe don’t have Microsoft in front of it, in terms of what a product is. So with what Microsoft has done, does that now enable Microsoft to authenticate more easily into them, or is it still that Microsoft’s capabilities are fit for the Microsoft products, but anything outside of that is still a bit of a problem, so you still need that standardization in terms of experience and capabilities to fulfill, maybe, some of those gaps that Microsoft might introduce?
Vikram Subramanian:
I’m very sure that folks are going to read the latest blog or the white paper that you’re going to put out, Rob, on this. But the core of it is, really, I think where 1Kosmos fits in: everything within the Microsoft ecosystem utilizes Microsoft. And I think, integrate your applications with Microsoft, we’re not going to challenge that. And the idea would be that to authenticate into the ecosystem of Microsoft, you can utilize 1Kosmos. Why? Well, there are things that you cannot do with Entra, that you cannot do with any other single sign-on solution out there, which is to integrate with legacy applications such as RADIUS applications, or VPNs, or Linux systems, Mac systems. What are you going to do for all of those? And are you going to provide a different or a completely separate user experience to all of those guys?
I think that’s where enterprises need to weigh the pros and cons and really, I think everyone has erred on the side of, “Hey, I want a unified experience.” If you want that, definitely 1Kosmos is the answer, while you are able to leverage the investments that you’ve already made in Entra. So Intune, the conditional access policies, anything that you have integrated in terms of APIs. All of those things can happen, but you’re not restricted to utilizing only Microsoft authenticators.
Robert MacDonald:
Fair enough. Now, looking at the Microsoft environment, are users still required to start that engagement from the moment they open up their laptop at the very first point in time with a password? Is the starting spot still with Microsoft, using your password? If yes, what about resetting those passwords? Because obviously that’s going to be problematic down the road. Maybe what could something like that look like going forward, Vik?
Vikram Subramanian:
That’s a great segue into our proofing capability. I think everyone knows it begins with the password in the Microsoft ecosystem. And even in order to set a PIN or in order to set up your Windows Hello, you are going to have to enter the password the first time around. So the password seems to be the entry point in the beginning. So what are you going to do to reset the password? What are you going to do to maintain the password? The easiest way to do it is with the 1Kosmos app, where you don’t answer any KBAs, rather authenticate with biometrics and we can reset that.
Secondly, the big thing that has come out, of course, is the Scattered Spider attacks, which I think you spoke about in the last IBA, or a couple of IBAs ago: how do we prevent attacks such as the ones that have been launched by Scattered Spider? So we are able to do identity proofing in a matter of 10, 15 seconds for the end user, the same time that you would spend on a call, and then go ahead and provide the service desk the capability to really know who’s behind the phone call. And once that’s done, they’re able to reset the password.
Robert MacDonald:
And looking at Scattered Spider, for those that maybe are watching this and have not seen those previous ones, how do you go about verifying the identity to do that? And does that add value to what Microsoft’s offering, when you integrate us in with Microsoft? What’s the value that that could bring to a Microsoft shop, essentially?
Vikram Subramanian:
The reason Scattered Spider has been in the news so much is because they were able to socially engineer the service desk, just by answering a few questions that are available online, and then getting access to some privileged accounts. And after that, of course, they wreaked havoc. So truly what we are still answering is, from an authentication standpoint, who’s really behind the phone call? And are you who you say you are? And one of the ways that we can prove that in the physical world is, of course, taking a physical document, a government-issued ID, and then proving ourselves.
But it was not possible in the digital world, and now what we have enabled is through our identity proofing capabilities, we can truly provide the information to the service desk as to who’s the person who’s calling in and how have they verified themselves by, say for instance, taking their driver’s license. We scan the front, we scan the back, then we take a selfie, match the selfie against the document, match the information that’s there from the back of the document to the front of the document, and then really, we’re able to truly verify that the person is who they say they are. And if you need additional verification, we can go back to the issuing agencies and then get that information.
Robert MacDonald:
Wow, okay, so that’s pretty powerful and certainly an elegant way to help support the investment that organizations have already made into the Microsoft environment. Vik, last question, I know that things like remote desktops and virtual machines, and things along those lines, have always been relatively tricky to secure. Can you talk a little bit about maybe the way in which any of these changes from Microsoft may support that from a Microsoft perspective? And then maybe even talk about ways in which we could help organizations solve that as well, assuming we can?
Vikram Subramanian:
So, these changes themselves potentially could allow an end user to log into their workstation. However, remote desktops or anything to do with something that is not your workstation, those use cases are not going to necessarily benefit through the changes that Microsoft has made. However, 1Kosmos does have a solution for that. We offer MFA, we offer passwordless login into remote desktops, or really, if organizations want to protect holistically all of the use cases that they want to do with Microsoft, we have MFA for that. But I would say the changes that I have seen are really geared towards the end user and not a power user. The end user who’s trying to log into their workstation and really get on with their day and log into machines and log into some websites and web applications, for them, these changes are really amazing.
And with integration with 1Kosmos where we are bringing in the MFA, where people could literally just log in with their face, or log in with their fingerprint, those are all things that we can definitely bring into the picture, and now offer it up to even Entra ID customers, who are pure Entra ID joined.
Robert MacDonald:
Oh, that’s very exciting. Listen, Vik, I appreciate you coming by today and talking about organizations that are modernizing their IAM infrastructure with Microsoft Entra. Obviously it’s a big step forward for a lot of these organizations to help secure logins and prevent fraud. But as we know, there are gaps and areas of improvement and all those things that 1Kosmos can certainly help with. So I appreciate you taking the time today, coming in and filling us in on some of those changes and how we can help organizations going forward. Appreciate it, Vik.
Vikram Subramanian:
Thank you for having me over, Rob.
Robert MacDonald:
We’ll see you again.
Vikram Subramanian:
Thanks guys.