Windows Hello FIDO2 certification gets you closer to passwordless
Published May 06 2019 09:00 AM 67.6K Views
Microsoft

With the FIDO2 certification of Windows Hello, Microsoft is putting the 800 million people who use Windows 10 one step closer to a world without passwords.

No one likes passwords (except hackers). People don’t like passwords because we have to remember them. As a result, we often create passwords that are easy to guess—which makes them the first target for hackers trying to access your computer or network at work.

Since 2015, Microsoft has been building a path to a secure and passwordless world with Windows Hello, enabling Windows 10 users everywhere to sign in to their devices using biometrics or a PIN and leave the world of passwords behind. Continuing this momentum, Microsoft announced in November of 2018 the ability to use Windows Hello or a FIDO2 security key to securely sign in to your Microsoft account on the web, without a password!

Today, the FIDO Alliance announced that, with the upcoming release of Windows 10, version 1903, Windows Hello is a FIDO2 Certified authenticator. FIDO2 enables developers to leverage standards-based protocols and devices to provide users easy authentication to online services—in both mobile and desktop environments. Microsoft is a leading member of the FIDO Alliance and is working closely with alliance members to enable passwordless login for websites supporting FIDO2 authentication. Collectively, these standards enable users to more easily and securely log in to online services with FIDO2-compliant security keys and Windows Hello.

Every month, more than 800 million people use a Microsoft account to access email, play a game, or access files in the cloud. That’s why, in addition to FIDO2 certification, Windows 10, version 1903 will enable users of the latest version of Mozilla Firefox to log in to their Microsoft account or other FIDO-supporting websites. Chromium-based browsers, including Microsoft Edge on Chromium, will support the same capability soon.

We encourage companies and software developers to adopt a strategy for achieving a passwordless future and start today by supporting password alternatives—such as Windows Hello—for their users. For more details on deploying Windows Hello, see www.aka.ms/whfb.

To support secure authentication on shared Windows 10 PCs, such as those used by Firstline Workers, FIDO2 compliant Microsoft-compatible security keys offer a portable solution that enables users to log in to Windows 10 without a password. Learn more about this scenario by reading Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices.

Finally, Microsoft Authenticator can enable users to authenticate their Microsoft accounts using their mobile phones. Built on secure technology similar to Windows Hello, Microsoft Authenticator packages authentication into a simple app on your mobile device.

Windows Hello, FIDO2 security keys, and the mobile Microsoft Authenticator app are great alternatives to passwords. To truly create a world without passwords, however, we need interoperable solutions that work across all industry platforms and browsers. We will continue to invest in this space and look forward to sharing future updates. In the meantime, if you’re a developer, you can help by supporting FIDO2 authentication in your web services and applications today.

15 Comments
Brass Contributor

When are you going to allow migration of Microsoft Authenticator codes?  For instance, moving codes from Windows Phone to a Droid (or Droid to new Droid?).  It takes one mishap for all codes stored on the device to hose your 2FA.

 

It's good to hear about the improvements regarding passwords, but 2FA is in the field now and your current design puts users at risk, or at the minimum, extreme inconvenience to copy codes over one by one (each with their own process).

Copper Contributor

Sounds like the ushering in of a dystopian future. What company will be warehousing the biometric data? Will users in the future be allowed to use the OS without biometrics? Does Microsoft support respecting user privacy over convenience disguised as security? Is this a grab for biometric data at its core?

Copper Contributor

This is great news. When will Windows 10 support the Passwordless function in the Auth App for Windows login tied to my corporate Azure AD account? I realize that WHB can use PIN and biometrics data, but we are looking for a separate device MFA function, to work similar to Azure AD account passwordless access.

I could procure a token solution, but I am already utilizing the Auth App and conditional access controls for application security.

Steel Contributor

@Yogesh Mehta Great news! Does this mean that I now can enable login with, for example, Yubico hardware tokens on an Azure AD Joined Windows 10 1903?

Iron Contributor

For those who are asking about AzureAD - Fido2 support for AzureAD is starting in private preview (June 2019).

Regarding your older hardware keys - if they are FIDO2 then sure, but likely you have something older than Fido2. In which case your options haven't changed.

I just got a Fido2 USB+Fingerprint key that I'm hoping to test with soon..

Steel Contributor

I’ve heard public preview is coming at least during 2019 - I hope so too.

@Neil Goldstein Out of interest, which key do you have which also has fingerprint?

Copper Contributor

@Mike-E Migrating Authenticator codes, e.g. shared secrets, is a bit irrelevant, because they are no different from passwords: something you know and not something you have, like a hardware security key.

And so anyone can at least take screenshots of the QR codes containing the shared secrets and save them in case the device where they were added gets lost or blows up (already happened to me with a Samsung S7). It's also easily possible to get the whole databases out of mobiles btw. And how easy it is to 'steal' varies from brand to brand and model to model. Like on the iPhones it's possible to get it without rooting the mobiles, while on Androids it isn't possible without rooting the phone.

So my advice is to at least use and add them to multiple Authenticators, like on mobiles and on tablets, and also to save a screenshot of the QR Matrix somewhere on a USB stick that you can put into a safe in case you need to add it somewhere else.

The more secure alternative to simply saving screenshots, which could easily be stolen, is to also add all shared secrets to WinAuth (an Authenticator tool that runs on Windows), because you can protect them with a Hardware Security Key there, and the tool supports exporting the whole database and is even able to display the original QR on screen in case you need to scan it with a new mobile etc.

So even if it may hurt, TOTP/HOTP solutions aren't 2FA at all, they are fake 2FA that don't provide any more security than an additional password. And the shared secrets can also be stolen from the servers or mobiles along with stored passwords. Of course you also can steal Hardware Security Keys, but the difference is they can only be stolen physically, which you will notice, while the shared secrets of the TOTP/HOTP can easily be stolen without you knowing, just like passwords.

And so if companies want to provide 2FA they should simply support FIDO U2F and forget all those fake 2FA methods like EMAIL, SMS and App based TOTP/HOTP with shared secrets that can be stolen directly from the servers.

And it's nice that MS now supports FIDO U2F and FIDO2, but it's a bit useless if it intentionally only works with Edge; it should work with every browser that supports it, and that is almost all of them nowadays, because I don't want to be dependent on a specific browser. Further, I don't want to also have less secure methods (EMAIL, SMS, APP TOTP/HOTP, Phone or backup codes) active that could be abused to downgrade security if I already have several FIDO U2F or FIDO2 Hardware Security Keys registered.

I currently own about 8 FIDO U2F Keys and about 4 FIDO2 Keys, where one of them has a fingerprint sensor to secure the FIDO2 credentials. Unfortunately 99% of all sites and services still only support fake TOTP/HOTP 2FA or, even worse, nothing at all. It also may be hard, but such companies somehow remind me of anti-vaxxers, and if I were an insurance company I wouldn't pay a cent in case of an incident if they don't at least support FIDO U2F.

Brass Contributor

Yeah @Nirantali that is valuable information, thank you. I was not even aware about the QR codes as a lot of this is new to me (and others, it seems) so taking a screenshot didn't even cross my mind, neither did WinAuth which I was not aware of at all. In fact, the whole obvious impact of backing up codes didn't take root (pun intended? :>) until after I had all my codes entered and the QR codes were long gone. In any case, your valuable insight is a little too late in my particular case, as I ended up going with Authy which allows you to backup and sync your codes.

I am in agreement with you however that this seems to be a painful leg towards FIDO2 which sounds very secure and legit.

Along such lines, a little horror story making the rounds today: https://www.zdnet.com/article/sim-swap-horror-story-ive-lost-decades-of-data-and-google-wont-lift-a-...

Glad to not see MSFT anywhere in there. :beaming_face_with_smiling_eyes:

Iron Contributor

@Jonas Back

Jonas,

I have picked up the Feitian BiosPass2 K27 https://www.ftsafe.com/Products/FIDO2

----

Windows 10 Fido2 Key usage notes:

Disclaimer: I am NOT in the AzureAD Fido2 preview, please don't assume that anything I am saying is correct for when AzureAD supports Fido2. (I hope not)

The out of the box experience with just Windows 10 1903 Pro/Enterprise has been as follows:

  • BAD: Windows 10 so far does not seem to support using Fido2 Key as part of the windows login process (i.e. <ctrl-alt-del> OR when an elevation of privileges occurs [such as Run As Administrator])
  • GOOD: WebAuthN with Edge and EdgeChromium-Dev-channel build is working for websites that support AuthN login.

I really hope that AzureAD Fido2 can support the <ctrl-alt-del> login scenario even though Microsoft Accounts aren't doing so.

Iron Contributor

@Nirantali

If I am reading your post correctly you cover two topics:

Security:

You indicated that the Microsoft Authenticator app is not necessarily very secure on a mobile device because... (paraphrasing here) it isn't hardware secured and it is only as secure as the underlying mobile platform -- and if that platform is weak, or rooted/jailbroken, then all bets are off.

You recommend hardware security using U2F (at a minimum?) physical keys, and if you need to use a softkey, to use something like WinAuth which can be configured to leverage U2F hardware to unlock the "vault".

Backup of Softkeys:

But if you do use softkeys, all you need to do is either--

  1. Screenshot / Archive the QR code or initialization screen
    or
  2. Root the android device or even less effort on iPhone to get access to the Microsoft Authenticator database of shared keys?

If I am reading your information correctly then the Microsoft Authenticator or any non-hardware-secured software tokens are... well, not so secure. Scary.

Thank you for sharing and please let me know if my re-phrase/summary is incorrect.

(I am really hoping that I am misunderstanding you re: Microsoft Authenticator)

Copper Contributor

@Neil Goldstein

You did read correctly.

The simple fact that shared secrets are used already makes them less secure, because, like they are called, they are shared and saved on your side (Mobile, Tablet, Apps, Screenshots, ...) and on the servers. This issue doesn't exist with FIDO U2F/FIDO2 because it's based on public-key cryptography and only the generated public keys are on the servers, while the private keys never leave the hardware.

And yeah, I consider WinAuth a good solution to back up those shared secrets, because you can easily set it up to encrypt the database with an HMAC that it generates in a YubiKey (everything is automated and only needs some clicks), so that this YubiKey then needs to be plugged in and also needs to be touched before you can generate codes and access the secret keys etc. So if someone steals the encrypted database, it's near useless. But it alternatively also supports a password and/or encrypting it so that the database can only be decrypted on this specific machine.

It also has some very convenient features like generating and showing a QR Matrix for each account you added to the database, so that you can easily add/scan it on other devices/apps if needed, and of course exporting the whole database in various formats to back it up on a USB stick that you then, as an example, can put in a safe.

And of course it's also very convenient to have the codes ready to copy & paste without searching the mobile, reading them from the screen and typing them.

Which now also leads us to another security issue with those generated codes: they aren't phishing proof, because everything that a user needs to enter theoretically also can be phished. Just another issue that doesn't exist with FIDO U2F/FIDO2, because there the users don't need to enter anything and everything happens in the hardware.

I btw. also have a Feitian BiosPass2 K27 for FIDO2, it's a very good and convenient device.

Copper Contributor

@Mike-E That little horror story could easily have been prevented if the person had secured his Google Account with FIDO U2F, which has been available for some years now. Twitter now also supports FIDO U2F, since a while ago, but their implementation is a bit lousy because they still only support the registration of only one security key, which could become an issue if that one gets lost or breaks.

Copper Contributor

I am somewhat new to this, but recognise the significance of the world having better security via having their Windows 10 devices as a FIDO2 certified authenticator with Hello! BUT, I am confused as to whether this means that we would or wouldn't still need to have dedicated YubiKey-type security keys? I recognize that this perhaps depends on the security level a user/company requires, but as a "regular" person, keeping a somewhat-secure life online and IRL, I wanted to understand why even the Feitian BiosPass2 is still needed since my Lenovo laptop has a built-in fingerprint reader for Windows Hello and thus the FIDO2 authentication? Again, apologies if the question is too light, but my Google searches didn't find this answer. Thanks. "Regular" person = (i.e. already 1Password for 3 years, all drives are BitLockered, using 2FA where needed, but nothing like $100m to steal etc.)

Copper Contributor

@Yogesh Mehta we are looking at implementing the YubiKey 5 series and have two set up in test now. I saw your Ignite presentation about Windows Hello from 2017, but it seems like several of the features mentioned then don't work with the security keys. The Windows "components/windows hello for business/configure device unlock factors" in group policy does not seem to apply to security keys. There doesn't seem to be a way to dynamically lock the computer when the security key is removed from the device. And I don't see a way to discourage users from leaving the key plugged in to their primary device.

Copper Contributor

More than wonderful work, developing Windows 10 and enabling access without passwords. Thank you very much indeed.

Version history
Last update: May 07 2019 07:54 AM