In 2013, Microsoft joined the FIDO (Fast Identity Online) Alliance with many other industry leaders, such as Google, Qualcomm, Salesforce, and more. The goal of the FIDO Alliance is to change the nature of authentication by making the process simpler, stronger, and more scalable, while reducing reliance on complex passwords. Single sign-on was the first step in realizing FIDO’s goal, but Microsoft’s introduction of passwordless sign-in is a major step towards advancing the goal.
FIDO Alliance’s goal to reduce reliance on passwords revolves around identity security. Passwords are inherently insecure because it’s too easy for them to fall into the wrong hands. Reliance on passwords allows for breaches via phishing, password replay, password spray, and even man-in-the-middle attacks. In fact, 81% of cybersecurity attacks can be traced back to lost, weak, or compromised passwords. What makes this even easier for malicious actors is that, on average, 73% of passwords online are duplicates!
While there is plenty of password strength and security guidance available, the consensus of industry experts is that authentication would be stronger and more secure if we were to do away with passwords altogether. This is why the FIDO Alliance has a goal of making authentication based on biometrics, private physical keys, mobile devices, and other passwordless options.
How does it work?
Microsoft’s implementation of passwordless sign-in is not entirely new. Since 2015, users of Windows 10 have had Windows Hello, whereby users can authenticate with a face scan via IR camera, a fingerprint, or a private PIN in combination with the computer’s TPM chip. All of those methods qualify as passwordless and enable users to sign in more easily.
Microsoft recently announced support for passwordless sign-in to Microsoft 365 services, including Office 365, Dynamics 365, and any Azure AD authenticated service or application. Available in public preview today, an organization can enable passwordless sign-in to these services using the Microsoft Authenticator app on mobile devices.
When a user goes to sign in to an Azure AD authenticated application, after entering their username, Microsoft will send a push notification to the user’s mobile device. This push notification displays three two-digit numbers. The user simply selects the number that matches what is shown on the login screen, and they are signed in. The mobile device is registered to the organization (through the Microsoft Authenticator app, not necessarily full MDM), and it is secured with a PIN or biometrics to unlock. For now, Microsoft is calling this process “Sign in with your phone, not your password” to simplify the concept for everyday users.
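As an added illustration (not Microsoft's code or the article's), the following Python simulation models the number-matching step just described: the login screen shows one two-digit number, the phone receives three candidates, and the server accepts only the matching choice, once, within a time window. The class name, the 60-second lifetime, and the 10..99 range are assumptions made for the example.

```python
import secrets
import time

CHALLENGE_TTL_SECONDS = 60  # assumed lifetime for the example, not a Microsoft value


class NumberMatchChallenge:
    """One sign-in attempt: the number shown on the login screen plus the
    three candidates pushed to the phone. Constructed simulation only."""

    def __init__(self, username, now=None):
        self.username = username
        self.created = now if now is not None else time.time()
        self.consumed = False
        # Number displayed on the login screen; 10..99 so it is always two digits.
        self.expected = secrets.randbelow(90) + 10
        # Two distinct decoys so a user who did not start this sign-in
        # cannot approve it by tapping blindly; the phone shows all three.
        decoys = set()
        while len(decoys) < 2:
            candidate = secrets.randbelow(90) + 10
            if candidate != self.expected:
                decoys.add(candidate)
        self.choices = [self.expected, *decoys]
        secrets.SystemRandom().shuffle(self.choices)

    def verify(self, selected, now=None):
        """Return True only for a fresh, unused challenge where the number
        tapped on the phone equals the number on the login screen."""
        now = now if now is not None else time.time()
        if self.consumed or now - self.created > CHALLENGE_TTL_SECONDS:
            return False  # replayed or stale approval is rejected
        self.consumed = True  # single use: a wrong tap burns the challenge
        return selected in self.choices and selected == self.expected


if __name__ == "__main__":
    challenge = NumberMatchChallenge("alice@example.com")  # constructed user
    print("login screen shows:", challenge.expected)
    print("phone offers:", challenge.choices)
    print("approved:", challenge.verify(challenge.expected))
```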
Additionally, Microsoft has introduced support (in private preview) for sign-in using FIDO2 physical keys, which look very much like flash drives. NFC smartcards will be coming soon. Keys like this are meant to replace the physical RSA keys many organizations have used for years.
How realistic is this?
Microsoft’s clear mission here is to eliminate passwords altogether from an IT environment, going so far as to declare “an end to the era of passwords.” However, most IT admins question the feasibility of removing passwords from their environment, and with good reason.
For an organization to take full advantage of the advancements made by Microsoft, they need to fully adopt the Microsoft 365 platform, specifically Windows 10 for devices and Azure AD for authentication.
To support the full capability of Windows Hello on Windows machines, and remove the password-based sign-in experience, Windows 10 devices must be joined to and authenticate with Azure AD, as opposed to a local domain controller. There are also some security concerns around the requirement of a PIN as a backup method to Windows Hello biometrics. While Microsoft maintains that a PIN is more secure than a password due to TPM backing and it being tied to the device (and we agree), this could give organizations pause.
To take advantage of passwordless sign-in using a web browser, your users must be using the Microsoft Authenticator app. Additionally, the tenant must be configured for modern authentication (a good security practice anyway), and authentication must be handled by Azure AD, meaning no ADFS support.
Lastly, while Microsoft’s intention of eliminating passwords from the environment is noble, even they admit that eliminating passwords from the identity directory today is not possible. Both local Active Directory and Azure Active Directory require passwords to exist today, although the possibility of eliminating passwords from Azure AD is on the roadmap. Microsoft’s vision first is to simulate a passwordless experience for end users, and once complete, delete passwords from the directory altogether.
What can you do to move forward?
The best thing you can do as an IT admin moving forward is to prepare your environment. Even if you don’t think passwordless sign-in is in your future, you can still take advantage of the security enhancements by using Multifactor Authentication (MFA). In reality, passwordless sign-in is just MFA without the password as a first step. Organizations that adopt MFA are far less susceptible to credential-based attacks. You can even minimize the impact of MFA by adopting Conditional Access in Azure AD to avoid over-prompting end users.
It’s also important to work on your Modern Desktop strategy. If your Windows devices are still only joined to a local AD and managed by a local service, look at hybrid domain join with Azure AD and co-management with Microsoft Intune. Introducing both of those can be a low-impact step towards modernization, easier management, and better security.
Lastly, take a look at your authentication method with Azure AD. If you are still utilizing ADFS today, look into recent features such as Pass-Through Authentication and Seamless Single Sign-On, which can give you the functionality and security you need without the extra and legacy infrastructure.