Passwordless authentication is now generally available!
Published Mar 02 2021 06:00 AM

Howdy Folks,

 

Our team has been working hard to make passwords a thing of the past. Last year was a breakthrough year and the start of the movement to passwordless sign-in. Today we’re announcing that our passwordless solution is now generally available!

 

This is a major milestone in Microsoft’s strategy to encourage all our users and organizations to go passwordless! Organizations can now roll out passwordless authentication across their hybrid environments at scale. Users get a familiar, simple-to-use authentication experience that offers industry-best security and works across an increasingly broad set of devices and services.

 

Thanks in large part to the feedback we’ve received since we launched public preview in July 2019, we added a fleet of new features to improve the management and usability of these credentials, including Authentication methods management, step-up authentication, and passwordless APIs. One of the most impactful updates is the new Temporary Access Pass, now in public preview. This time-limited passcode ties the onboarding and recovery story of passwordless together for an end-to-end passwordless experience from day one.

 

 

Authentication methods management

Authentication methods policies form the foundation of our passwordless story. They give IT admins more granular control over which authentication methods can be used within their organizations. You’ll continue to see more credentials added to the Authentication Methods blade in the Azure Portal and to Microsoft Graph, which you can use to access and manage authentication methods policies and user credentials for your organization. We’ve merged management of credentials in the Microsoft Authenticator app so that an admin can set one policy for both passwordless and standard push multi-factor authentication.

 

In the portal, you can now also see and delete passwordless methods on the User blade, for example revoking a FIDO2 security key registration if the user has lost it. Policies related to passwordless credentials are now in Microsoft Graph v1.0. We’ve introduced a new scoped role specifically for authentication methods policy management, aptly named Authentication Policy Administrator, in addition to the existing Authentication Administrator role.
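As an added example (not code from this post or from Microsoft's own tooling), the following Python script inventories a user's registered methods through the Microsoft Graph v1.0 `/users/{id}/authentication/methods` endpoint and revokes a lost FIDO2 key through `/users/{id}/authentication/fido2Methods/{id}`, the same operation the User blade exposes. It assumes a token holding `UserAuthenticationMethod.ReadWrite.All`; the `Transport` callable, `sample_transport` and `SAMPLE_METHODS` are constructed here so the logic runs offline.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib import request as urlrequest

GRAPH = "https://graph.microsoft.com/v1.0"

# @odata.type discriminators Graph returns in /users/{id}/authentication/methods.
FIDO2 = "#microsoft.graph.fido2AuthenticationMethod"
WHFB = "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"
TAP = "#microsoft.graph.temporaryAccessPassAuthenticationMethod"
PASSWORDLESS_TYPES = {FIDO2, WHFB}

# Assumed abstraction: (HTTP verb, path under GRAPH, optional JSON body) -> decoded
# JSON response, so the same logic can run against a real tenant or offline.
Transport = Callable[[str, str, Optional[dict]], dict]


def urllib_transport(token: str) -> Transport:
    """Real transport: sends the request with a bearer token (needs network)."""
    def send(verb: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urlrequest.Request(f"{GRAPH}/{path}", data=data, method=verb)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Content-Type", "application/json")
        with urlrequest.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return send


def list_methods(send: Transport, user: str) -> List[dict]:
    """GET /users/{id}/authentication/methods and return its 'value' array."""
    return send("GET", f"users/{user}/authentication/methods", None).get("value", [])


def summarize(methods: List[dict]) -> Dict[str, object]:
    """Report what the user holds: a password, passwordless credentials, a live TAP."""
    types = [m.get("@odata.type", "") for m in methods]
    fido2_keys = [m.get("displayName", "") for m in methods
                  if m.get("@odata.type") == FIDO2]
    return {
        "has_password": PASSWORD in types,
        "passwordless": any(t in PASSWORDLESS_TYPES for t in types),
        "fido2_keys": fido2_keys,
        "active_tap": TAP in types,
    }


def revoke_fido2_key(send: Transport, user: str, display_name: str) -> Tuple[str, str]:
    """Delete the FIDO2 registration whose displayName matches the reported-lost key."""
    # The displayName is what the admin sees on the User blade; Graph needs the
    # method id, so look the key up first and then DELETE it by id.
    for m in list_methods(send, user):
        if m.get("@odata.type") == FIDO2 and m.get("displayName") == display_name:
            path = f"users/{user}/authentication/fido2Methods/{m['id']}"
            send("DELETE", path, None)
            return "DELETE", path
    raise LookupError(f"no FIDO2 key named {display_name!r} is registered for {user}")


# Constructed sample response (not captured from a real tenant) for offline use.
SAMPLE_METHODS = {"value": [
    {"@odata.type": PASSWORD, "id": "pw-method-id"},
    {"@odata.type": FIDO2, "id": "key-0001", "displayName": "Desk key"},
    {"@odata.type": FIDO2, "id": "key-0002", "displayName": "Lost key"},
]}


def sample_transport(log: List[Tuple[str, str]]) -> Transport:
    """Offline transport: answers GET with SAMPLE_METHODS and records every call."""
    def send(verb: str, path: str, body: Optional[dict]) -> dict:
        log.append((verb, path))
        return SAMPLE_METHODS if verb == "GET" else {}
    return send
```

Against a real tenant, call `revoke_fido2_key(urllib_transport(token), upn, name)`; the constructed transport is only there to show the request sequence without network access.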


Figure 1: Authentication methods management in Azure Portal


Figure 2: Merged Microsoft Authenticator policy management configuration


Figure 3: A user’s registered credentials in Azure Portal


Figure 4: A user’s authentication methods as displayed in Graph Explorer

 

 

Improved user experiences

From the beginning, making the passwordless authentication flow delightful has been a top priority, which is why we’ve made numerous improvements to consistency and flow. We promote the credential a user signs in with most frequently so they get the best experience across devices. Sign-in will keep prompting for that method, be it password, Authenticator app, or FIDO key, until the user chooses “Other ways to sign in” to switch. People can choose when to begin using their new passwordless options and avoid having it foisted on them unexpectedly.

 

We’ve also fixed a few bugs around credentials in a guest user flow, so if someone chooses to always log in with passwordless phone sign-in at the Contoso tenant, they can start the authentication to Fabrikam using that same method.

 

Figure 5: Showing how a user can change which method to use

 

To support users who have registered a FIDO2 security key or enabled passwordless phone sign-in, we’ve given them the choice to use those strong authentication methods to re-verify their identity if they prefer. This is sometimes called a “step-up” authentication or second-factor flow. Coupled with a Temporary Access Pass, this lets users set up and use one of these strong authentication methods without needing another credential just for MFA.


Figure 6: Using a FIDO2 security key in a verification scenario

 

 

Improved account setup experience in Microsoft Authenticator

One major change to the passwordless phone sign-in experience is the ability to set up your account directly from within the Microsoft Authenticator app. This works best if you’ve already registered at least one multi-factor authentication method in advance or have a Temporary Access Pass.

 


Figure 7: Microsoft Authenticator with new "Sign in" feature to add work or school account

 

 

Authentication methods activity

Reporting is another area where we heard your feedback loud and clear, and have made huge strides since we launched its public preview. You can now view registration and usage information for all your authentication methods in the updated Authentication methods activity blade. This report will help you track the progress of registration campaigns and the adoption of passwordless authentication methods, and dive straight into the data to get more details. Our documentation provides details on permissions and licensing requirements to access these new features.

 

 


Figure 8: Authentication methods registration report

 

 

Windows Hello for Business joins the club

Our most deployed and used passwordless credential, Windows Hello for Business, is also being brought more closely into authentication methods management, so users and admins can see their Windows Hello for Business-capable devices at the security info registration portal and on the Azure Portal user blade, respectively. Windows Hello for Business registration and usage will also be captured in the new reporting. Lastly, users who want to remain entirely passwordless can use their FIDO2 security keys, in the Windows Out-Of-Box Experience (OOBE) or via Settings, to set up their Azure Active Directory identity on a Windows device.

 


Figure 9: Windows Hello for Business devices now show in a user’s list of authentication methods.

 

 

Temporary Access Pass

Of course, to have a world without passwords, we must give our customers the ability to set up all these passwordless authentication methods, and to recover from lost devices, without performing the traditional password and multi-factor authentication. To that end, we’ve created and just announced the public preview of Temporary Access Pass. This time-limited passcode allows you to set up security keys and the Microsoft Authenticator without ever needing to use, much less know, your password! We can’t wait to get your feedback on how the Temporary Access Pass helps you with your passwordless rollout.

 

As you have seen, this post contains only a high-level summary of each of the new features that are coming with general availability; for more details and supported scenarios, be sure to visit the links provided to dig deeper into each area.

 

As excited as we are for this major milestone, general availability is just that – a moment in our passwordless journey. We hope you'll also now take the next step in identifying the right user segments that can go passwordless today, and then start your organization’s own journey to Go Passwordless, whether that’s moving forward in deploying a Windows Hello for Business upgrade, or piloting a new authentication method, or testing FIDO2 security keys across your workloads. All progress is a positive advance towards improving your organization’s security, and your authentication experience.

 

As always, we welcome your comments and feedback below or on the Azure AD feedback forum.

 

 

Best regards,

 

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

 

 

36 Comments
Copper Contributor

Hi Alex,

Great updates - two questions..

 

1) Would issuing a FIDO key and a Temporary Access Pass to someone still require them to have another second factor to configure the key? i.e. we cannot just issue FIDO keys to users at the moment that do not have a second factor - they still need a phone/otp factor to configure it.

 

2) The guest/B2B sign in via FIDO key is interesting - we have issues with MFA for B2B users - they have to register in our tenant as well as their own for MFA - is this technically a way of getting B2B users to not have to register MFA (they're a partner org, and we trust their MFA config)? Or alternatively will there be a way for us to get B2B users to use their 'home' MFA credentials in resource tenants?

Deleted
Not applicable

@Alex Simons (AZURE) 

1) Thanks, great job!

2) is it fully supported by Powershell cmdlets / AD Connect / Azure DevOps / etc? Any known unsupported scenarios?

Microsoft

Hi @apnet1205 , thanks! 

To answer your questions: 
1) Would issuing a FIDO key and a Temporary Access Pass to someone still require them to have another second factor to configure the key? 

Nope! That's the whole promise of Temporary Access Pass, is that it conveys, briefly, a strong MFA claim that allows the TAP holder to create a permanent passwordless credential, like a FIDO2 security key or Passwordless phone sign-in with Microsoft Authenticator app. 

 

2) For B2B users, the passwordless credential can be used to start the authentication (like a password in the "home" tenant), but if the resource ("guest") tenant has its own MFA policy, the user will still have to register and use an MFA credential in that resource tenant as well. 

@apnet1205 Hi! For your first question - With Temporary Access Pass the user is no longer required to have 2nd factor registered. They can use Temporary Access Pass to sign-in, register the FIDO2 key and from this point on - sign in with the FIDO2 key. We have additional information here: https://aka.ms/TAPPublicPreviewBlog and in our public documentation: Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods | Micr...

Copper Contributor

Thanks @Libby Brown and @Inbar Cizer Kobrinsky. Will investigate the temporary access pass solution with some FIDO keys as this could make a nice replacement for OTP tokens, which are clunky.

RE: B2B MFA - are there any plans for there not to be a requirement for double registration of MFA, or to at least enforce MFA on any B2B authentications our users do in our 'home' tenant?

Copper Contributor

We have been trying to test passwordless for a number of weeks but I don't think the functionality is there yet.

 

All our users/devices are fully Azure AD joined (no hybrid). Windows Hello for Business deployed. However:

1. If you "forget pin" you still need to input password to reset.

2. There are 2 ways to stop user logging into desktop with password (security policy or remove credential provider) but if you do either of these then elevating to an administrator account is not possible (due to security policy it won't accept admins password), therefore not supportable.

 

So as things stand... the functionality does not seem to be there to go passwordless. Not to mention that as far as I can see the Azure AD credential provider still requires a password to exist.

Brass Contributor

Looks like there is still a hard requirement to have MFA before FIDO2 keys can be enrolled. 

Here is what we get when trying to add FIDO2 key as the only security method:

"To set up a security key, you need to sign in with two-factor authentication"

 

Brass Contributor

Sorry, I was too fast and did not read the TempAccess part and there is no way to edit comments here, so please disregard my comment above

It is possible to enroll a FIDO2 key without MFA using Temporary Access option

@Emin Huseynov - Yes, if the user has signed in to Azure AD with a Temporary Access Pass, in the Security Info page they can go and register a FIDO2 key. Please see more details here: Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods | Micr... 

Microsoft

Hi @Mlawton40 , 

 

You can now use FIDO keys to do PIN reset, so no passwords needed there. Being able to use a temporary access pass there is also on the roadmap. 

 

As for removing password entry from Windows, we're still a ways from making that a smooth, seamless experience, but that's why we call this a journey! First we have to provide the alternatives to passwords, next we move to take passwords out of the equation. Part of Passwordless is simply using your password less. Hopefully you will continue to explore and adopt the passwordless authentication methods. Thanks for your feedback!  

 

Deleted
Not applicable

To prove you are committed to Passwordless Auth (This is the way! :smile:), please replace the "Enter password" dialog with the "Choose a way to sign in" dialog - then legacy users can choose "Use my password".

Iron Contributor

Quick question about the new Windows Hello for Business pane. If you delete a WHfB cred from here, will it prompt the user to re-enroll into WHfB? Could this be used to change users from cert-based auth to key-based auth or vice versa just by deleting the user's existing WHfB cred in the portal? Or do you still need to run certutil.exe -DeleteHelloContainer to remove the container and prompt for enrollment. 

 

Thanks in advance!

Iron Contributor

What is the solution to run a command prompt or application as another user or run as administrator when you have this configured?

 

What happens when you need to use Remote Desktop as the signed in user with passwordless credentials?

Brass Contributor

When does Passwordless access come to on-premises servers (hybrid join)?

It would be a game changer if you could secure(mfa) your RDP servers / local logon with a yubikey 

Copper Contributor

Is there any development on enforcing passwordless authentication? Is there any response to @Micki Wulffeld's question about on-prem passwordless?

Iron Contributor

@Micki Wulffeld Can’t you technically already use a Yubikey for RDP MFA if you configure the Yubikey as a smart card?

Copper Contributor

Why is there no option for the Admin to register a FIDO security key for a new user instead of a Temporary Access Pass?

This feature would be a great help for use cases with frontline users and non-expert users.

 

Copper Contributor

When can we finally use phone sign-in for more than one account? I have multiple accounts (admin/service accounts across multiple tenants) I need to use and I want phone sign-in for all of them!

Brass Contributor

We are on our way to passwordless and at a customer just hit a really inconvenient bump in the road in the form of Microsoft restricting web sign-in to only TAP. We were just ready to roll out web sign-in as an alternative to FIDO2, since it allows for passwordless sign-in using Microsoft Authenticator passwordless, only to find out this feature recently got removed! What is the thinking behind this? For shared computers and 700 users using them, we are now left with only one option, $40 FIDO2 keys, instead of being able to offer phone sign-in to Windows. This is a show stopper for us and we now have to get back to the drawing board if we can't figure out a more cost-effective way to passwordless. This is NOT a step in the right direction. Why not just support both? And also, we have to set up a user with a password still. The relatively easy passwords created by the Admin portal are far from as secure as TAP. Why can't we just create users with a TAP instead of a password? Is this on the roadmap for business, since passwords now are history for consumers? 

Microsoft

@Hasse Edqvist As indicated in our docs, web sign-in is in private preview and not meant for production use. Based on our assessment, we believe it's not yet ready for regular use. So, restricting to TAP offers the optimal experience as a bootstrap mechanism to configure Windows Hello for Business. After we make it generally available with TAP, we will review making it broadly available for all credentials.  

Copper Contributor

@Hasse Edqvist Do you know the IDmelon security keys? IDmelon solutions enable users to use their smartphones as a FIDO2 USB security key on a PC. The strength of their technology is the ability to use the smartphone as a security key to log in to shared devices. Users can enjoy a seamless experience of Tap & Login.

The IDmelon's security keys are shortlisted by Microsoft as a compatible security key for Azure AD. You don't need to buy hardware security keys anymore.

 

 

Brass Contributor

@Ravennmsft This is very strange, that web sign-in is in private preview, since it has been available since 2018 with the fall release. Or are you referring to a new version of web login that I’m not aware of, with new functionality? In any case, TAP can be used in OOBE to register a passwordless auth already. So using web sign-in is kind of unnecessary for most. Better yet would be to include phone sign-in in OOBE. Oh wait, that works too if registered already! Well then, why not just integrate phone sign-in into the Windows logon screen instead and skip web sign-in altogether?

Brass Contributor

@BahramPiri Hi! No, I did not hear about them. Will check it out. But that solution does require NFC readers to be purchased though, I guess…

Copper Contributor

@Hasse Edqvist Yeah, you need an IDmelon Reader on shared computers. It is only $19.99 and much smaller than NFC readers. For users with a dedicated PC, they can pair the smartphone with the PC.

Iron Contributor

@BahramPiri Don't you need the USB reader for every user even if they have a dedicated computer; not just shared computers?

Brass Contributor

Hi!

To recap my issue with web sign-in. I had a case opened with Microsoft Intune support as well as the authentication team about the error I got when trying to use web sign-in for shared computer users. All of a sudden this possibility stopped working and @Ravennmsft wrote that this functionality is in CLOSED preview and not meant for production, even though this has been available since 2018 on Windows 10 and also has a setting in Intune to enable it, NOT an OMA-URI, but an actual setting in the Intune GUI, with NO preview indication attached to it. Lo and behold, now it's working fine again! Both with password, MFA, or passwordless.

So what happened here? Did Microsoft get a lot of backlash after removing this functionality? Was it an error that is now fixed? Is it out of preview? What is the current recommendation on using web sign-in now? I think there is a lot to clarify here. Happy that the functionality is back, but with no roadmap for it, how long will it work for this time? Is it supported? 

Brass Contributor

@BahramPiri Hi! Checked IDmelon out, but I think it's terribly unstable and not ready for production use. Also I think it's strange that your readers double as keys. That is a "Hey! Welcome and grab your free security key!", since the readers double as a key and have no key/id in them, it's just up for grabs. Readers would disappear here if that got out. Very strange implementation. If they're 2 products, that's fine I guess. But still, logging in with the paired key on a single user computer 100% of the time times out and gives me 2 prompts. Not OK. Plus it doesn't solve our problem of users not wanting to use private phones for sign-in. We are not going to use this product.

Microsoft

@Hasse Edqvist we rolled it back due to some issues we've seen. We plan to enforce TAP restriction again. We are doing this due to security and reliability considerations with the web sign in feature. We will revisit enabling it for broader usage once we're able to address those concerns, but at this point, we want to enable an E2E passwordless setup experience with TAP and we would be enforcing that. Happy to discuss offline

Brass Contributor

@Ravennmsft Me too to get clarification on this. how do we do that?

Copper Contributor

@Kalimanne J In this case users can pair their smartphone with their PC and they don't need an IDmelon Reader.

Copper Contributor

@Hasse Edqvist Dear Hasse, thank you for the time you spent trying IDmelon products. About the 2-in-1 product, you can consider this as 2 products, as in the next batch of product they have different logos and can't switch. About the 2-time try on Microsoft login with pairing tools, you are 100% right and this is about a short timing at Microsoft development. I am in Seattle these days and talking with Microsoft guys to address this issue, as the IDmelon FIDO authenticator is the only token in the market that has a display, and this issue happens because of deploying this ability. You don't have this problem with the IDmelon Reader, by the way.

In your original post you talking about Microsoft Authenticator that is on the smartphone I thought you guys are ok with that.

 

Brass Contributor

Hi again @BahramPiri. We are OK with using mobile phones with MS Authenticator as an alternative for login, but now again it seems that isn't going to be an option. We have had NO issue whatsoever with web sign-in and would like to know what reasons Microsoft has for removing this functionality, which is a great added functionality for Intune shared computers where Windows Hello is disabled and not possible to use. This leaves us again with security keys as the only means to do passwordless for those users without any 3rd party products.

Brass Contributor

Hi All!

 

This Passwordless is GA isn't really true. There are scenarios that used to work but no longer work and the current situation is quite a step down from 2018...

 

1. TAP in OOBE is not an option. So how do you set up a brand new PC out of the box? OOBE only offers password and FIDO2 key. When and how do you register your key on this computer? If the computer is self-deploying, i.e. doesn't show any OOBE and jumps straight to the login screen, provided web sign-in is on you can here use a TAP to log in and then set up WHfB without a password, but this is NOT supported for dedicated Windows devices. What's coming here to solve this?

 

2. Phone sign-in in OOBE used to be a thing, but it's NOT anymore. Well, it is until the computer is done and shows you the login screen. Then you are reduced to using password, security key or web sign-in, which again now does NOT support phone sign-in. The flow is broken! So there is no way to use a TAP to set up phone sign-in on a phone and then use passwordless to set up WHfB passwordless in OOBE on a new Windows device. 

 

3. Passwordless sign-in has been reduced to WHfB or security key on Windows, where we could use web sign-in before with phone sign-in. 

 

So what are the passwordless procedures to get through these scenarios on dedicated Windows machines? The process is broken unless we can continue to use web sign-in / phone sign-in until WHfB is set up.

Copper Contributor

Above, Libby Brown said:

"Nope! That's the whole promise of Temporary Access Pass, is that it conveys, briefly, a strong MFA claim that allows the TAP holder to create a permanent passwordless credential, like a FIDO2 security key or Passwordless phone sign-in with Microsoft Authenticator app."

 

In what scenario is this true? If I have a user in Azure AD without any authentication methods, I can create a TAP for the user, but when attempting to self-service register a FIDO2 key, the registration process still pushes the user to register either a phone number or the authenticator app. I have the FIDO2 Authentication policy enabled for the user.

Brass Contributor

@charliebeals @LibbyP  is partially correct. I put forward a couple of scenarios where this is not really true, for instance when setting up a new computer TAP cannot be used to register a security key during setup. At least not right now.

 

The reason you are getting asked for a phone number or authenticator app is because of SSPR, self-service password reset, where you can use SMS or the authenticator app to change your password. This is due to the requirement from Microsoft to use the combined SSPR and MFA registration wizard, so the phone/Authenticator questions have another reason than MFA. On the other hand, this practice should be abandoned, since a user signing up with a TAP for passwordless authentication by design won't ever need to change their password, since they have none. 

 

Microsoft should work on this and release a NEW registration experience for passwordless that doesn't ask for redundant password reset methods.

Iron Contributor

There are still scenarios where passwordless doesn’t work for hybrid users. They may need to authenticate on premises to something that doesn’t work with passwordless.

So, passwordless users will need to be able to use SSPR to reset their password and use it on premises for things that use protocols like LDAP authentication. The password would also need MFA protection so this wouldn’t be able to be easily used online by an attacker if the password was breached.

Version history
Last update: Mar 04 2021 08:54 AM