Public sector deployments of Microsoft Windows 10 and AD/FS can now fortify passwords with a second factor of behavioral authentication that remains invisible for users.
You probably see it every day: the Microsoft Windows login prompt. Enter your username and password, and you unlock the keys to your machine, the network, and the kingdom. Simply knowing or guessing those credentials is no longer enough to gain access. Microsoft Windows exposes an extension point called a "credential provider", and TickStream.KeyID uses that standards-based interface to plug into the login process. Users continue to enter their username and password exactly as they do today, but after Microsoft Windows confirms that the credentials are valid, it passes the typing behavior (the timing data, not the password itself) to TickStream.KeyID to verify that the right user entered them. The result is completely seamless and presents users with a comfortable, familiar interface.
TickStream.KeyID integrates with the Microsoft Windows login process through the Credential Provider API. This process is the primary mechanism for user authentication in Windows, and is the same technology the system uses to validate passwords, smartcards, and other credential types. The Microsoft Windows login process first validates the given username and password against Active Directory, and then tests the captured effort data against TickStream.KeyID. Only if the correct credentials are provided and the TickStream.KeyID AI engine confirms the physical identity of the person does the normal Microsoft Windows login process continue.
Second factor authentication, without a second step™
Microsoft Active Directory Federated Services (AD/FS) is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions.
AD/FS is Microsoft's implementation of the WS-Federation Passive Requestor Profile protocol ("passive" indicates that the only client requirements are a cookie- and JavaScript-enabled Web browser). AD/FS implements the standards-based WS-Federation protocol and the Security Assertion Markup Language (SAML).
TickStream.KeyID for AD/FS is a software package that allows you to provide second factor authentication for Microsoft Active Directory Federated Services deployments. The package can be installed quickly and simply on the AD/FS server and uses standard Forms Authentication to capture typing efforts.