May 5, 2022, is World Password Day, a day we all use to create awareness around password security. At Microsoft, we choose to celebrate replacing passwords with better and more secure ways to sign in. I can’t think of a better person at Microsoft to represent this journey than Libby Brown, a senior product manager leading our efforts to keep Microsoft Azure Active Directory (Azure AD) customers more secure with passwordless solutions.
Here’s what I love about Libby’s story: her career has followed a winding path that ended up being the best possible path to the role she has today. Early on, she switched from engineering to public policy and then worked in publishing, product marketing, training, release management, and now product management. She’s spent time at a small publishing firm, at a startup, and at Microsoft. She pushed her way past every career hiccup, and as she moved forward, she gained experience that would later be relevant to her work in ways she had never anticipated.
Today, Libby is in a technical role, calling on everything she’s learned throughout her education and career to build usable experiences that make technology easier for businesses of all sizes. Her focus on usability is crucial; we’ve learned the hard way that unless security experiences are easy for IT administrators to deploy and manage, and easy for users to adopt, people will be reluctant to use them. Our goal is to make passwordless authentication even easier to use than passwords, which are hard to remember and far less secure. With her varied background working on an array of products for an array of different audiences, Libby is the perfect person to lead this charge.
Libby’s interview with Eric Sachs has been edited for clarity and length. We’ve included two video snippets of the interview recording so you can learn more about her unique career journey and perspectives.
Eric: I have three young daughters myself, and none of them has gotten interested in computers yet. How did you first get interested in them growing up?
Libby: I was pretty lucky. My older brother was interested in computers, so from the very earliest days, we had a Timex Sinclair computer—with a little chiclet keyboard and programs that saved to a cassette tape—and also an early Apple. I had the opportunity to attend Thomas Jefferson High School for Science and Technology in Northern Virginia which had just graduated its first class. Computers were just something in the background, from an early age, that I used. I recognize now, though, that I was pretty lucky to have that.
Eric: What did you decide to study in college after you had that opportunity in high school?
Libby: In high school, you take those career “What do you want to do?” questionnaires. My answers always led to engineering, so I attended Duke University to study mechanical engineering. It was an interesting time, but I realized I just did not care if you took a piece of metal and bent it where it would break. It wasn’t the kind of problem-solving that I liked. So, I looked around, took a couple of public policy courses—which turned out to be a different type of systemic problem solving—and ended up majoring in that.
Eric: You eventually got back to computers, so what was the next time you encountered technology?
Libby: After Duke, I returned to Washington, D.C., to get involved in public policy. My first job was for a small publishing company called Congressional Quarterly. They produced daily, weekly, monthly, and annual publications on what Congress was doing. My first job involved researching legislation and entering it into a database. With the year 2000, we needed to upgrade those databases, including how researchers entered the data and how customers pulled the data and were presented with it. I started doing things like designing what that screen would look like, what the website would look like, and designing the queries to pull the data for legislative reports. Little did I know at the time, that’s what I would be doing 20 some years later, just with different challenges, but still focusing on that foundational user experience, running those systems, and designing great opportunities and spaces for users.
Once we made it past the year 2000, we launched the Congressional Quarterly Website. It won a bunch of awards that year for being one of the newest, best magazine tools online. But also keep in mind, this was in the heyday of Web 2.0. Red Herring magazine was 300 pages thick, with information on all these great Web 2.0 companies and the future of e-commerce. Congressional Quarterly was a pretty small business. I realized I needed more scope and scale to succeed in this new world, so I decided to get my MBA.
I chose Vanderbilt University because they had leading researchers in Web 2.0 e-commerce. I studied both information technology and strategy. This led me to think about how businesses take advantage of technology and use it to gain competitive advantage, which became the underlying thread to the rest of my tech career.
Video description: Libby describes her first role at Microsoft.
Eric: So, after business school, you came into Microsoft initially as a Product Manager for one of the company’s publishing arms, left for a startup, and then returned. What was different, and what worked well for you, when you came back?
Libby: I came back for a fun startup-like team within Microsoft called Office Live Small Business. We were working to give small businesses a free custom domain name with Hotmail mailboxes on the backend and a Microsoft SharePoint site they could easily customize to market to their customers. While our product was successful, other technologies were coming online, including Microsoft Exchange and SharePoint moving to the cloud, so we needed to reconcile that. Since we had experience with small businesses and users, our team pivoted to building the user and admin portals for what became Microsoft Office 365. Being part of that transition was a fun time.
Eric: Well, you had quite a journey to get there, but now you’ve been a product manager for a while at Microsoft. How did you end up in the identity team then, dealing with passwords?
Libby: Sometimes I’m not quite sure how I got here myself, but through a series of reorganizations, I found myself doing a weird set of roles around financial compliance for our commerce platform. I learned all about Sarbanes-Oxley compliance, payment card industry (PCI), and other interesting spaces, but it was not an area that I enjoyed. So, I reached out to my wide corporate network. As a product manager at Microsoft, you want to keep those connections active, and I was doing my, “Hey, what’s happening in your space of the company?” interviews with a bunch of friends and former coworkers. One of them happened to work in identity as the program manager lead for the Microsoft Authenticator app, and we realized that I had a lot of applicable skills. I joined that team in 2016.
Eric: I have to admit, I’m a little jealous because your current project’s very focused on passwordless authentication. What about your unique background do you think helps you with this particular challenge?
Libby: We wanted to make the experience of two-step verification easier for Microsoft consumers. As you know, not many people were comfortable with two-step verification, especially in 2016. They didn’t quite understand a password plus something else, whether that something else was an SMS code or a push notification to your phone. Then we said, well, if we can do password plus “push,” why can’t we just do the push and tie it to the device? We’d create a super easy experience of entering your username and responding to a notification on your phone. That got a lot of attention and traction.
And we were also working to build the same type of experience for work and school accounts in Azure AD. Given my background, I asked questions from an organizational standpoint about keeping our customers more secure. How can they make sure that their business is doing what it needs to do—without having to worry about those attacks? Creating a great user experience so employees can easily make that strong authentication gesture to be safe really helps the overall security posture of the company itself.
Video description: Libby explains how usability enhances security.
Eric: It’s pretty exciting. In the passwordless area, the FIDO Alliance recently published a white paper about passkeys. Part of it is about using a mobile phone to help sign in to other devices like a Microsoft Windows desktop. Can you explain a bit more about why that is so important? Windows devices and mobile phones have built-in biometrics—why can’t that just solve all problems and make all passwords go away?
Libby: Passwords have been in our systems now since the 1960s. It’s going to take us a little while to kill them off. But multidevice credentials, which some refer to as passkeys, really are that next thing that will enable us to do that. Most of us have a mobile device in our hands for the better part of the day, and we’re working to take advantage of the native biometrics on that device, whether it’s touch ID or face ID, or the Windows Hello gesture that you might use on your PC. We’re trying to use the native gesture on that device that everyone is familiar with, backed by this modern use of public-key cryptography to keep you secure.
Then I can use my phone as a passkey to sign in on my phone or to another device such as my Windows PC, or the Mac at my mom’s house, and it’s just seamless and ubiquitous. And when you think about the companies that have been involved—whether that’s Microsoft, Apple, Google—we’ve been in this from the very beginning and now we’re looking at more than six billion devices being able to use these standards-based multidevice credentials. When you look at those numbers and that scope and scale, it’s just pretty mind-boggling how we can transform in the next few years.
Eric: Cool! All of us who use passwords, which is just about everybody, want to thank you for taking on the password challenge and it certainly seems like your very unique career path makes you uniquely qualified for this challenge. I can’t wait to see where you lead us next on the passwordless journey.
Libby: Thanks, Eric.
Help protect your organization with Microsoft’s complete identity and access management solution.
Learn more about Azure AD.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
READ MORE HERE