Hey there folks! It’s been a great (and busy) few months since the last update. For this third recap, we’re going to focus on something really critical to our long-term security strategy. Every day, the Identity Security and Protection team (for which I serve as Group Program Manager) intercepts around 400M criminal login attempts. Do the math, and we’re talking something like 12 billion fraudulent requests a month! Virtually all of these are opportunistic attacks which rely on password re-use, guessable passwords, and password phishing. What’s the common denominator?
There are plenty of things we can do now to harden systems (like using MFA!), but ultimately great usable security will take us away from the password. For most Microsoft employees, the password has no part in our day-to-day. That’s because Windows Hello gives us login based on a known device as the first factor, and we can use a PIN, fingerprint, or our smiling faces for the second. This is strong, effortless authentication, and it’s awesome. We have been working hard to get to a world without passwords.
I use multi-factor authentication in each of the many work and personal systems where I have an account. Typically this means entering a password in conjunction with a code generated by my Microsoft Authenticator App, but for my Microsoft account and Azure AD accounts, I can sign in with the app directly. This is easier, more fun, and more secure than old-style multi-factor authentication. Lately I have been having a blast showing off FIDO2 logins to my Microsoft accounts (you can learn a ton about the protocols in this blog post from Pam Dingle (@pamelarosiedee)).
Of course, to some extent I know I am preaching to the converted here. We had a great time showing you password-less options at Ignite 2018, and it was even more amazing to see your enthusiasm, with tremendous turnout for the talks (if you didn’t get a chance to see it, or want to see it again, it’s right here!).
Ok, enough from me. Without further ado, here’s the latest on passwordless from Manini (@manini_roy) and Libby (@TruBluDevil), who champion our FIDO and phone app efforts, respectively.
--- It’s been a few months since Ignite so we want to provide an update of all the progress and let you know how you can get started on your password-less journey.
It’s always hard to take the first step on a new journey. With our password-less technologies you can choose where to start with options including Windows Hello, Microsoft Authenticator, and FIDO keys.
Moving to a password-less environment requires technologies that can support it, and time for your organization and users to adopt them. Based on customer interactions, we have a new whitepaper that explains why you should reduce reliance on passwords, how to introduce password replacement technologies in your organization, and how to make a sea change in both security and productivity.
Since our announcements at Ignite, we want to share some key updates around our password-less solutions:
We’ve seen great interest in the public preview of signing in password-lessly with Microsoft Authenticator! Since Ignite, over 1,200 tenants have acted to enable the policy and begin using it, and our weekly active usage has more than tripled. If you are interested in trying it out for your tenant, please be sure to read Password-less phone sign-in with the Microsoft Authenticator app for instructions and known issues.
We also heard your requests for more granular control over the use of this credential. In the first half of 2019, we will be adding a powerful tool: the ability to assign use of this credential, and others, to specific users and groups, to help you with your pilot and rollout projects.
Fast Identity Online (FIDO) Alliance
On November 20, 2018, we started rolling out the ability for Microsoft account users to sign in to their account in Microsoft Edge using a FIDO2 security key or Windows Hello. This will allow about 800 million users to access their Microsoft services on the web without a password (or even a username). Under the covers, we’ve implemented the WebAuthn and CTAP2 specifications that make up FIDO2 in our services to make this a reality: the browser talks WebAuthn to the site, and the security key talks CTAP2 to the browser. As a member of the FIDO Alliance, we have been working with other alliance members to develop open standards for the next generation of authentication. We are happy that Microsoft is the first company to support password-less authentication with FIDO2.
We have tons of great things coming out as part of our efforts to reduce and even eliminate the use of passwords through FIDO2. This summer, enterprise customers will be able to preview the ability to sign in to Windows and the web using their FIDO2 security key. Admins will have the ability to turn on and configure FIDO2 for their tenant and allow their employees to set up their own security keys for their account.
Overall, we are making great progress and you can start your password-less journey today. We have enabled our password-less solutions to work in cloud scenarios, so as you are making your move to Azure Active Directory (Azure AD), it’s a great opportunity to envision what the future of authentication will look like without breaking any of your existing scenarios. It’s also important to pilot and deploy the solutions that are available in order to get your employees to stop relying on passwords for their everyday authentication. It’ll make their lives easier day-to-day and they’ll be more suspicious when asked for their username and password by phishing scams and malware. In the meantime, as you are piloting these solutions, you can tell us what you think so your feedback can feed into the product design cycle. It’s a win-win for all of us!