Microsoft Entra Blog

Azure AD Ignite Recap 3: start your journey to password-less!

Alex Weinert
Feb 06, 2019

Hey there folks! It’s been a great (and busy) few months since the last update. For this third recap, we’re going to focus on something really critical to our long-term security strategy. Every day, the Identity Security and Protection team (for which I serve as Group Program Manager) intercepts around 400M criminal login attempts. Do the math, and we’re talking something like 12 billion fraudulent requests a month! Virtually all of these are opportunistic attacks which rely on password re-use, guessable passwords, and password phishing. What’s the common denominator?


There are plenty of things we can do now to harden systems (like using MFA!), but ultimately great usable security will take us away from the password. For most Microsoft employees, the password has no part in our day-to-day. That’s because Windows Hello gives us login based on a known device as the first factor, and we can use a PIN, fingerprint, or our smiling faces for the second. This is strong, effortless authentication, and it’s awesome. We have been working hard to get to the world without passwords.

 

I use multi-factor authentication in each of the many work and personal systems where I have an account. Typically this means entering a password in conjunction with a code generated by my Microsoft Authenticator App, but for my Microsoft account and Azure AD accounts, I can sign in with the app directly. This is much easier, more fun, and more secure than old-style multi-factor authentication. Lately I have been having a blast showing off FIDO2 logins to my Microsoft accounts (you can learn a ton about the protocols in this blog post from Pam Dingle (@pamelarosiedee)).


Of course, to some extent I know I am preaching to the converted here – we had a great time showing you password-less options at Ignite 2018, but it was even more amazing to see your enthusiasm, with tremendous turnout for the talks (if you didn’t get a chance to see it, or want to see it again, it’s right here!).

 

Alex and Manini presenting password-less!


Ok, enough from me – with no further ado, here’s the latest on passwordless from Manini (@manini_roy) and Libby (@TruBluDevil), who champion our FIDO and phone app efforts, respectively.

 

Stay safe! 

-Alex (@alex_t_weinert)

---
It’s been a few months since Ignite so we want to provide an update of all the progress and let you know how you can get started on your password-less journey.


It’s always hard to take the first step on a new journey. With our password-less technologies you can choose where to start with options including Windows Hello, Microsoft Authenticator, and FIDO keys.

 


Moving to a password-less environment requires technologies that can support it, and time for your organization and users to adopt them. Based on customer interactions, we have a new whitepaper where you can learn more about why you should reduce reliance on passwords, how to introduce new password replacement technologies in your organization, and how to help make a sea change in both security and productivity.

 

Download the whitepaper now: Microsoft Password-less Protection

 

Since our announcements at Ignite, we want to share some key updates around our password-less solutions:

 

Authenticator app

 

We’ve seen great interest in the public preview of signing in password-lessly with Microsoft Authenticator! Since Ignite, over 1,200 tenants have acted to enable the policy and begin using it, and our weekly active usage has more than tripled. If you are interested in trying it out for your tenant, please be sure to read Password-less phone sign-in with the Microsoft Authenticator app for instructions and known issues.

 

We also heard your requests to have a more granular level of control for the use of this credential. In the first half of 2019, we will be adding a powerful tool (the ability to assign use of this credential, and others, to users and groups) to help you with your pilot and rollout projects.

 

Fast Identity Online (FIDO) Alliance

 

On November 20, 2018, we started rolling out the ability for our Microsoft account users to sign in to Microsoft Edge using a FIDO2 device or Windows Hello. This will allow about 800 million users to access their Microsoft services on the web without a password (or even a username). Under the covers, we’ve implemented the WebAuthn and CTAP2 specifications from the FIDO2 standard into our services to make this a reality. As a member of the FIDO Alliance, we have been working with other alliance members to develop open standards for the next generation of authentication. We are happy that Microsoft is the first company to support password-less authentication with FIDO2.

 

For more information and to try it out, read this blog post.


We have tons of great things coming out as part of our efforts to reduce and even eliminate the use of passwords through FIDO2. This summer, enterprise customers will be able to preview the ability to sign in to Windows and the web using their FIDO2 security key. Admins will have the ability to turn on and configure FIDO2 for their tenant and allow their employees to set up their own security keys for their account.

 

Overall, we are making great progress and you can start your password-less journey today. We have enabled our password-less solutions to work in cloud scenarios, so as you are making your move to Azure Active Directory (Azure AD), it’s a great opportunity to envision what the future of authentication will look like without breaking any of your existing scenarios. It’s also important to pilot and deploy the solutions that are available in order to get your employees to stop relying on passwords for their everyday authentication. It’ll make their lives easier day-to-day and they’ll be more suspicious when asked for their username and password by phishing scams and malware. In the meantime, as you are piloting these solutions, you can tell us what you think so your feedback can feed into the product design cycle. It’s a win-win for all of us!

 

Get started on your password-less journey

 

Excited? Start by reading the Microsoft Password-less Protection document and then start piloting one of the Microsoft password-less solutions.

 


Stay tuned for more awesomeness!

Updated Jul 24, 2020
  • Sol Birnbaum

    TakuyaHirose

    "This summer, enterprise customers will be able to preview the ability to sign in to Windows and the web using their FIDO2 security key."
  • TakuyaHirose

    When will the function of password-less sign-in with a FIDO device be deployed to School & Work Account holders?


  • frankbrandt

    Hi, can I use the Windows Hello for Business token and WebAuthn from my Azure AD joined computers to achieve the same that Kerberos and Windows Integrated Authentication offers for AD joined computers now? So I can use web applications or 3rd party identity providers without any form-based login screen on all major browsers? Which version of Windows 10 do I need to achieve this and do I need the preview version of Azure AD mentioned above?