Authentication can be performed against the user’s Active Directory (AD) credentials or by using dedicated Skype for Business (Lync) credentials that the user creates on the access portal (different from their AD credentials). The dedicated Skype for Business login option offers a high level of security as AD credentials are not stored on the mobile device. This approach is also useful for organizations that use smart cards for network access.
Many organizations are concerned about the possibility that employees’ smartphones will end up in the wrong hands due to loss or theft and, therefore, require that employees avoid using and storing Active Directory credentials. While these devices are used in a non-managed environment connecting through public Internet Wi-Fi networks, the risk that AD credentials will be hacked is a serious threat. Users who install applications or connect their device to different networks unintentionally expose the company’s IP.
With SkypeShield, users can safely connect from external networks without compromising the organization’s network. This is done by creating a dedicated user name and password that can be used only for Skype for Business. If the credentials are stolen, further damage is prevented. Moreover, a hacker who tries to use the TFA mechanism of SkypeShield will be blocked.
Creating dedicated Skype for Business credentials
To create dedicated Skype for Business credentials, users have to log into the self-service access portal. Moreover, the self-service portal also supports smart card log-in policy, just as it is done from a network desktop computer.
Once users log in, they have to create specific Skype for Business credentials, different from their regular Active Directory credentials. Users can connect their devices within a limited time (default of 15 minutes) to add the Two-Factor Authentication by registering the device with the user.
Users have to enter the Skype for Business credentials on the device and will not be required to provide their Active Directory credentials again. This approach resembles the ADFS approach, but is simpler, with fewer prerequisites.