Microsoft Tech Community
10 Reasons to love Passwordless #1: FIDO Rocks
Published Feb 24 2021 10:49 AM 32.6K Views
Microsoft
Over the next few weeks, the Microsoft Identity team will share 10 reasons to love passwordless and why you should consider changing how you (and your users) log in every day. Kicking off the series is Pamela Dingle.

 

I love passwordless authentication because of the amazing flexibility and choice that come with strong authentication standards like Fast IDentity Online – also known as FIDO. Before sharing how FIDO has helped make my life easier, let’s talk a little about passwordless.

 

Passwordless authentication means living a daily digital life where you never type a password. Instead, you use more secure ways to authenticate such as a fingerprint reader built into your Windows laptop, face unlock on your Android device, or a push notification you respond to on your iPhone. The best part is you can set up just one or all of these passwordless identity mechanisms. That means there is a passwordless option no matter where you are or what you are doing. For me, this has huge benefits: 1) Less typing, 2) Less remembering of stupid passwords that make me angry, 3) Less retyping of passwords because I got them wrong the first time, and 4) Wow is it more secure.

 

Back to my favorite part about passwordless authentication at Microsoft – the fact that we offer open standards-based options via the FIDO family of protocols. FIDO lets a website request a secure credential in a vendor-agnostic way. This means no lock-in! In the past, in order for a website to support secure login mechanisms like fingerprint or facial recognition, the website developer would need to write proprietary code, possibly for many types of computer hardware, operating systems, or smartphone implementations – it was just a mess. If you used a product that wasn’t on the supported list, you were out of luck. Now, the website can just use a protocol called W3C Web Authentication to ask for a FIDO credential. This eliminates a ton of proprietary code, so it is less expensive to maintain for the website, and it is more likely to work in the real world. When you couple the breadth of FIDO-compliant solutions in the ecosystem with our other passwordless options, like our authenticator app, there are a lot of flexible options.

 

FIDO support for passwordless authentication has made my life easier by reducing vendor lock-in. When working on my Lenovo laptop, I use the built-in fingerprint reader to log in without typing. Since I’m now home all the time, I prefer to use my Apple Mac mini for work. Normally, switching to a different hardware manufacturer would be a big barrier, plus the Mac mini does not have a fingerprint reader! Luckily, I have a roaming authenticator (called a security key) registered with Azure Active Directory (along with my laptop fingerprint). With that security key plugged into my USB port, I can log in passwordlessly on ANY computer that I want. I can move my security key from my Mac mini to a laptop and never type anything.

 

When I travel, my laptop’s built-in authenticator is the most convenient authentication option. At home, I prefer the plugged-in security key. A bunch of awesome FIDO2 vendors offer different form factors. I can pick the vendor and form factor that works best for me. FIDO2 earrings, anyone? This set of authenticators works really well for me, but what is best for you and each of your users could be different! Really, that is the crux of why we enable so many options with FIDO2, Windows Hello, and the Authenticator - we want you to go passwordless your way.

 

Upcoming passwordless posts

There is so much more to learn about why passwordless authentication is the future, and about how you can find a passwordless factor (or two) to make your world better. My Microsoft identity colleagues are all going to try to outdo this reason with their own takes on why passwordless is so awesome – stay tuned for the next two segments in this series:

 

  • Alex Weinert on why biometrics and passwordless are a dream combination
  • Sue Bohn on how passwordless makes your logins 3x faster

 


16 Comments
Copper Contributor

We are currently trying to allow our Azure AD guest users to use a FIDO2 security key as an MFA device as they cannot use their phone/tablet at all locations. Unfortunately we are told by the Microsoft support team that this is not possible and also not on the road map. What should we then do to ensure our guest users can use MFA when phone/tablet is not an option?

Copper Contributor

And then you restrict the Titan YT1 Security Keys to be used with Windows Hello and Microsoft Services, even though they are perfectly safe and exactly like their YubiKey counterpart. You can't just add hurdles to our security because we're using the product of competing companies.

Copper Contributor

Interesting read. Thank you @Pamela Dingle. What I believe is that the way the entire Windows ecosystem works, it is heavily dependent on passwords, which Microsoft cannot eliminate. Hello and other authentication mechanisms are alternative ways to access the cached password on the Windows machine, which is then used to connect with other entities in the ecosystem (via AD/Kerb).

 

Please let me know if my understanding is wrong.

Microsoft

@varungupta3009 What do you mean by restrict the Titan key to WH and Microsoft? Can you please clarify what you mean?

Microsoft

@AjitHatti there are very few services that are 100% reliant on passwords at this point. Using Windows Hello as a FIDO2 authenticator does not use passwords at all and is based on public key cryptography. Is there a particular service you have in mind?

Copper Contributor

Hey @timcappalli, the new Titan Security Key (YT1) isn't supported by any Microsoft services, including Windows Hello. The YT1 is a Type-C key based on the YubiKey 5C and manufactured by YubiKey, but for some reason, you support the 5C and not the YT1. I contacted MS about this issue but received no resolution.

Copper Contributor

Passwordless solutions might be convenient in many situations but they aren't a panacea. They are not always more secure than passwords and create issues on their own. Typical examples:

  • Your fingertip can be easily pressed against the reader by force, against your will. You can even be unconscious at that time. Bandits or security services in some countries, doesn't matter.
  • SMS messages as the second factor can be easily intercepted at the phone service provider level (again, by state security services or by corrupt provider employees). Also there are plenty of trojans for smartphones covertly intercepting SMSes from popular banking services.
  • Push notifications in authenticator apps depend on phone Internet connectivity that is not always available. A typical example: a technical fault on the phone provider side, travelling abroad where roaming tariffs are too high, or other compatibility/connectivity issues. In addition, the phone can be physically damaged, lost or stolen, which would create a major problem for at least days.

All in all, passwords have their drawbacks, but they are a secure enough and always-working mechanism on condition that you use them in the right way. Regarding passwordless solutions, there is also a rule that should never be ignored: they should be two-factor, and the second-factor device must be physically different from the device where you're trying to log in. Of course, it's always good to implement a second factor for passwords as well.

Microsoft

@varungupta3009 thanks, I understand your question now. Google Titan security keys only support U2F (aka second factor). Microsoft services use FIDO2 with discoverable credentials for a passwordless experience.

Copper Contributor

@timcappalli Thank you for the reply. Once I authenticate to my Windows laptop (just an example, else strictly a Linux user) using Hello, how am I authenticated to AD? Does my laptop use the password previously set and stored while configuring Hello, or not?

 

Also, can you please explain to me what the meaning of "Discoverable Credentials" is? Any reference where I can learn more about them?

 

Copper Contributor

@elotosh You are right, but not all passwordless solutions are alike.

FIDO and biometric-based solutions don't give you both of:

1. Proof-of-Presence (a user can share his credentials with some other remote person to access a system on behalf of him)

2. Proof-of-Interaction (the user is consciously choosing to authenticate and is not tricked, forced or accidentally authenticating)

 

Neither do they provide foolproof phishing protection except for the hardware key based authenticators. 

 

We had considered all these points including lost/stolen device, offline authentication while designing our passwordless solution and the major focus was to remove the passwords from the server and not just from the client side.

 

 

I agree Passwordless is not a Panacea (yet), but Passwordless is better & secure in each and every way than passwords.

All the players like Microsoft, the FIDO alliance and independent players like us (PureID) are working and committed to making it better.

Microsoft

@AjitHatti please take a look at this: Hybrid Key Trust Deployment (Windows Hello for Business) - Microsoft 365 Security | Microsoft Docs

 

Discoverable Credentials is just a new name for Resident Credentials / Resident Keys.

Copper Contributor

Any plans to add support for passwordless authentication in PowerShell admin cmdlets that connect to M365 services like Connect-MsolService, Connect-ExchangeOnline etc.? It seems that it is not yet available and I couldn't find any official info on whether it will ever be possible. If not, maybe a security key as 2nd factor? This is also not possible in PowerShell.

Microsoft

@jankow_ski , this is dependent on the rollout of WebView2 in Windows 10. More details: Webview2 - Microsoft Edge Developer

Copper Contributor

@timcappalli Wow, that was a rapid response, thanks! I dug into that a bit and is there anything I can do now besides installing the WebView2 runtime (it's not working yet)? Or do I need to wait for the implementation from Microsoft's side?

Microsoft

@jankow_ski I believe it would require an update to PowerShell, but let me try to get you a better answer from that product team.

Copper Contributor

@timcappalli After installing the latest stable version of PowerShell, which is 7.1.3, I noticed that some cmdlets are working by opening a new tab in the default browser and, after completing the authentication (in the browser way, so it supports each method that the default browser supports, which is basically... all of them), it comes back to the PowerShell window with a logged-in session. It is quite a smooth user experience, which is exactly what I wanted.

However, not all of the cmdlets work like that. Some of them, e.g. Connect-MsolService/Connect-AzureAD, work only in compatibility mode (-UseWindowsPowershell as an argument) that uses the "legacy" method in which the authentication window pops up. If I try to run them outside of compatibility mode, I get an error message:

"Connect-MsolService: Could not load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'."

Maybe I've not done something important or it's not finished yet or it's due to some compatibility issues underneath.

Nonetheless, that is already a bit better, so I'm looking forward to hearing some good news from you, thanks again!

Version history
Last update: Aug 19 2021 04:22 PM