Today's blog is about Microsoft Passport, a new set of features in Windows 10, Microsoft Account, Azure AD and (soon!) Windows Server AD aimed at eliminating passwords once and for all. Microsoft Passport has been submitted to the Fast Identity Online (FIDO) Alliance (specifically the FIDO 2.0 working group) for consideration in the upcoming 2.0 specification.
We're going to focus on how Microsoft Passport with Azure AD eliminate the need for using a password to login to your PC and to the cloud services Azure AD manages for you.
This post is written by Hari Samrat on my team. Hari will walk you through Microsoft Passport, the new credential system in Windows 10, and how it works with Azure AD.
And as always, we'd love to hear your feedback on this so please fire away in the comments section.
Alex Simons (Twitter: @Alex_A_Simons )
Director of Program Management
Microsoft Identity and Security Division

----------------------------------------------

Hi there, I am Hari Samrat - one of the Program Managers working on Azure AD support in Windows 10. Continuing the coverage of Azure AD and Windows 10, I want to talk about how a new credential in Windows 10 - Microsoft Passport – works with Azure AD to reduce reliance on passwords in your organization.
Creating and using Passport
Creating Passport: Upon first login to their device, the user is prompted to create a gesture. After they create the gesture, Windows creates a public/private key pair and registers the user's public key with Azure AD, while the private key is protected by the device's TPM or encrypted with a locally derived secret. A signed attestation blob, used to validate the TPM, is sent to Azure AD along with the public key to complete the registration.

Using Passport: The authentication flow is initiated by the Windows client. The user is asked to provide their gesture, which unlocks the TPM, and then an authentication request is sent to Azure AD. Azure AD responds by sending a nonce to the Windows client, which is then signed using the user's private key and sent back to Azure AD. When Azure AD gets the signed nonce, it looks up the public key and uses it to verify the signature. If the signature is verified, Azure AD returns an authentication token.
Signing into the PC.
Then you specify your PIN:
Bingo, you are done! You can sign into Windows using your PIN and get single sign-on to all the applications you use Azure AD to manage. Here's what's happening under the hood:
Detailed flow of Passport Setup
Sign-in screen after Passport is set up
Detailed flow of the auth using Passport

After sign-in, Windows sends an auth request to Azure AD that contains neither a username nor a secret. Azure AD responds with a nonce. Windows asks the TPM to sign the nonce and sends it back to Azure AD along with the key ID that Azure AD issued during setup. Azure AD looks up the key using the key ID and verifies the signed nonce using that key.
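The setup and sign-in exchanges described above (key pair registration, then nonce challenge, signature, key-ID lookup and verification), as an added example that is not Microsoft's code: both the Windows client side and the Azure AD side are modelled in Go, with a P-256 ECDSA key held in memory standing in for the TPM-protected key. The key-ID scheme (a truncated hash of the public key), the `unlocked` flag standing in for the user's gesture, and the omission of the TPM attestation blob are assumptions of this example. It goes slightly beyond the post by showing the checks a verifier needs around the flow: a nonce is single-use, a key ID the directory never registered is rejected, and a locked key cannot sign.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the Windows client. The real private key lives in the TPM and is
// released only by the user's gesture; here an in-memory ECDSA key and an
// "unlocked" flag stand in for that (example assumption).
type Device struct {
	priv     *ecdsa.PrivateKey
	keyID    string
	unlocked bool
}

// Directory models Azure AD: registered public keys indexed by key ID, plus the
// set of nonces it has issued and not yet seen back.
type Directory struct {
	keys   map[string]*ecdsa.PublicKey
	nonces map[string]bool
}

func NewDirectory() *Directory {
	return &Directory{keys: map[string]*ecdsa.PublicKey{}, nonces: map[string]bool{}}
}

// Register is the Passport setup step: the device generates a key pair and the
// directory stores only the public key, handing back the key ID the device will
// present at sign-in. The attestation blob from the post is omitted here.
func Register(d *Directory) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(der) // key ID = truncated hash of public key (assumption)
	keyID := hex.EncodeToString(sum[:8])
	d.keys[keyID] = &priv.PublicKey
	return &Device{priv: priv, keyID: keyID}, nil
}

// IssueNonce answers an auth request that carries no username or secret with a
// fresh random challenge that may be consumed exactly once.
func (d *Directory) IssueNonce() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	d.nonces[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Unlock models the PIN/biometric gesture: only a correct gesture releases the key.
func (dev *Device) Unlock(gestureOK bool) { dev.unlocked = gestureOK }

// Sign signs the nonce with the device key and returns the key ID alongside the
// signature, which is what the client sends back to the directory.
func (dev *Device) Sign(nonce []byte) (string, []byte, error) {
	if !dev.unlocked {
		return "", nil, errors.New("key locked: gesture required")
	}
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, dev.priv, digest[:])
	return dev.keyID, sig, err
}

// Verify is the directory's check: the key ID must be registered, the nonce must
// be one it issued and not yet used, and the signature must verify under that key.
func (d *Directory) Verify(keyID string, nonce, sig []byte) error {
	pub, ok := d.keys[keyID]
	if !ok {
		return errors.New("unknown key ID")
	}
	n := hex.EncodeToString(nonce)
	if !d.nonces[n] {
		return errors.New("nonce not issued or already used")
	}
	delete(d.nonces, n) // consume first, so a replayed signed nonce always fails
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Authenticate runs one complete sign-in exchange between device and directory.
func Authenticate(d *Directory, dev *Device) error {
	nonce, err := d.IssueNonce()
	if err != nil {
		return err
	}
	keyID, sig, err := dev.Sign(nonce)
	if err != nil {
		return err
	}
	return d.Verify(keyID, nonce, sig)
}

func main() {
	dir := NewDirectory()
	dev, err := Register(dir)
	if err != nil {
		panic(err)
	}
	dev.Unlock(true)
	fmt.Println("sign-in with gesture:", Authenticate(dir, dev))
	dev.Unlock(false)
	fmt.Println("sign-in without gesture:", Authenticate(dir, dev))
}
```

Note that the directory never learns a secret: it stores public keys only, so a compromise of the directory's store yields nothing that can be replayed as a credential, which is the property the post is after. Consuming the nonce before checking the signature means an attacker who captures a signed nonce cannot reuse it, and a failed attempt cannot be retried against the same challenge.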
| Policy | Description |
|---|---|
| Microsoft Passport enabled | Passport is enabled by default. If for some reason you need to disable Passport on some devices, you can use this setting to turn it off. |
| Hardware TPM required | The default behavior during setup is to try to create Passport using a hardware TPM. If this fails or if the TPM is not available, then software encryption is used. If you wish to restrict the use of Microsoft Passport to devices with a hardware TPM only, then turn this on. |
| PIN complexity | The default gesture for Microsoft Passport is a 4-digit numeric PIN. Use this policy if you require a more complex PIN. |
| Enable biometrics | You can turn off biometrics using this; by default it is ON. |