The latest phase of Microsoft’s war on passwords is the new public preview of support for security keys in its Azure Active Directory (Azure AD) enterprise identity management system.
The new phase means that organizations with Azure AD can let users sign in to Microsoft and business apps using a FIDO2 security key instead of a password.
Microsoft is careful to call it “passwordless” sign-in because it doesn’t actually replace passwords: it offers another way of authenticating that keeps passwords in the mix but demotes their use.
Microsoft’s white paper on “password-less protection” describes it as “password alternatives”.
“This type of authentication requires two or more verification factors to sign in that are secured with a cryptographic key pair. The device creates a public and private key when registered. The private key can only be unlocked using a local gesture such as a biometric or PIN. Users have the option to either sign in directly via biometric recognition—such as fingerprint scan, facial recognition, or iris scan—or with a PIN that’s locked and secured on the device.”
Nonetheless, Microsoft’s latest methods for authenticating to its apps significantly reduce the day-to-day necessity of using, and therefore remembering, passwords.
Some recent efforts include supporting the WebAuthn standard for signing into Office 365 with biometric sensors that support Windows Hello, and dropping the Windows 10 advice for users within organizations to reset passwords periodically.
Yesterday, Microsoft posted an argument for why “Your Pa$$word doesn't matter”, asserting that password rules are “just a distraction” from things that can help, like multi-factor authentication.
“When it comes to composition and length, your password (mostly) doesn’t matter,” said Microsoft’s Alex Weinert.
Weinert outlined why passwords, to varying degrees, don’t matter for most attacks, including credential stuffing attacks, phishing, keystroke logging, dumpster diving, extortion, and brute force attacks.
“Only in password spray and cracking attacks does the password have any bearing at all on the attack vector,” he wrote.
The move to “passwordless” authentication, using things like Yubico security keys, Windows Hello devices, or a smartphone’s facial recognition system, is part of Microsoft’s and organizations’ move to the cloud. The company is trying to strike a balance between the old way of username and password combinations and the difficulties users have with traditional two-factor authentication.
“Now, all Azure AD users can sign in password-free using a FIDO2 security key, the Microsoft Authenticator app, or Windows Hello. These strong authentication factors are based off the same world class, public key/private key encryption standards and protocols, which are protected by a biometric factor (fingerprint or facial recognition) or a PIN. Users apply the biometric factor or PIN to unlock the private key stored securely on the device. The key is then used to prove who the user and the device are to the service,” said Alex Simons, Corporate VP of program management at Microsoft’s Identity Division.
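The registration and sign-in flow that the white paper and Simons describe above, as an added example that is not Microsoft’s code or any real FIDO2 implementation: a simplified model in which the key pair is generated on the device, only the public key reaches the relying party, and a PIN gesture gates use of the private key (WebAuthn’s origin binding and attestation are omitted).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models a FIDO2 security key: the private key never leaves it
// and is usable only after the local gesture (here a PIN) succeeds.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	pin  string
}

// Register runs at enrolment: the key pair is generated on the device and only
// the public key is handed to the relying party (Azure AD in the article).
func Register(pin string) (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256, FIDO2's default algorithm
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, pin: pin}, &priv.PublicKey, nil
}

// Sign answers a server challenge. A wrong PIN yields no signature at all: the
// gesture unlocks the key locally and is never transmitted to the service.
func (a *Authenticator) Sign(pin string, challenge []byte) ([]byte, error) {
	if pin != a.pin {
		return nil, errors.New("local gesture failed: private key stays locked")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// NewChallenge is the relying party's fresh random nonce; a captured signature over it cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify is the relying-party side: only the stored public key is needed.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Because the service holds nothing but a public key and a one-time challenge, a phished or leaked credential database gives an attacker nothing that can be replayed against this flow.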
Microsoft today also rolled out a passwordless feature for preview testers of the Windows 10 20H1 release, which is expected to be out around March or April next year.
“Go passwordless with Microsoft accounts on your device,” Microsoft told Windows Insider testers on the fast ring in a blog post today.
Windows 10 Insider testers can enable the feature by going to Settings > Accounts > Sign-in options, and selecting ‘On’ under ‘Make your device passwordless’.
Doing this will make all Microsoft accounts on the Windows 10 device capable of signing in via Windows Hello face, fingerprint, or PIN.