My thoughts on passwordless in AzureAD
Passwordless has been one of those buzzwords in 2019. So many articles and announcements have been made around it recently.
First there was passwordless through the Microsoft Authenticator app. I personally love this feature as there is no need to buy an extra hardware token and it is so easy to set up.
Then there was the announcement that FIDO2 keys would be supported to sign in to AzureAD and Azure AD joined computers. At Ignite there were two major announcements:
- Passwordless authentication through the Authenticator app no longer requires an extra Azure Active Directory Premium license
- Support for passwordless sign-in with a FIDO2 key on Hybrid Azure AD Joined devices was announced and will be available later.
All these features are currently in preview or in development, so a lot of this is still fresh. But the question is: should you be piloting or looking into this?
I actually love the idea behind the passwordless journey. So many dangers and costs are bound to passwords:
- Helpdesk calls for password resets
- Phishing attacks for passwords
- Users complaining they need to change their password every x months
- Users complaining about MFA
- and the list goes on!
The dangers above can be partially mitigated by some Azure AD features (Conditional Access, SSPR, …), but to resolve them completely, passwords need to disappear!
The idea behind passwordless sign-in through the Microsoft Authenticator app is pretty simple:
- Fill in your AzureAD email address
- Note the number displayed on your logon screen
- Grab your phone and open the notification
- Select the number in the notification that corresponds to the number on your screen
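To make the four steps concrete, here is an added simulation of that number-matching exchange with both sides written out (the identity provider that issues the sign-in and the phone app that answers). This is constructed example code, not Microsoft's implementation: the session ids, the decoy count, the 60-second lifetime and the device names are assumptions chosen for illustration. It shows what the server has to track for the flow to be safe: the answer must come from the enrolled device, match the displayed number, arrive before the session expires, and each session is answerable exactly once.

```python
import random
import secrets
import time

# Constructed model of Authenticator number-matching sign-in (not Microsoft's code).
NUMBER_RANGE = 100   # two-digit number shown on the sign-in screen (assumption)
CHOICES = 3          # numbers offered in the push notification (assumption)
SESSION_TTL = 60     # seconds before a pending sign-in expires (assumption)


class IdentityProvider:
    """Server side: knows which device each user enrolled and tracks pending sign-ins."""

    def __init__(self):
        self.registered_devices = {}   # upn -> enrolled device id
        self.pending = {}              # session_id -> sign-in state

    def register_device(self, upn, device_id):
        self.registered_devices[upn] = device_id

    def start_sign_in(self, upn, now=None):
        """User typed their UPN. Returns (session_id, number to show on screen, push payload)."""
        now = time.time() if now is None else now
        device_id = self.registered_devices.get(upn)
        if device_id is None:
            raise ValueError("user has no passwordless device registered")
        shown = secrets.randbelow(NUMBER_RANGE)
        # Candidate list for the notification: the real number plus distinct decoys, shuffled.
        decoys = set()
        while len(decoys) < CHOICES - 1:
            n = secrets.randbelow(NUMBER_RANGE)
            if n != shown:
                decoys.add(n)
        choices = list(decoys) + [shown]
        random.SystemRandom().shuffle(choices)
        session_id = secrets.token_hex(8)
        self.pending[session_id] = {
            "device_id": device_id, "shown": shown,
            "expires": now + SESSION_TTL, "used": False,
        }
        push = {"session_id": session_id, "to_device": device_id, "choices": choices}
        return session_id, shown, push

    def complete_sign_in(self, session_id, device_id, selected, now=None):
        """Phone answered. Accept only a fresh, unused session answered by the enrolled device."""
        now = time.time() if now is None else now
        s = self.pending.get(session_id)
        if s is None or s["used"]:
            return False
        s["used"] = True                     # one attempt per session, match or not
        if now > s["expires"]:
            return False
        if device_id != s["device_id"]:
            return False
        return selected == s["shown"]


class AuthenticatorApp:
    """Phone side: the user taps the number that matches the sign-in screen."""

    def __init__(self, device_id):
        self.device_id = device_id

    def respond(self, push, number_on_screen):
        if push["to_device"] != self.device_id:
            raise ValueError("notification not addressed to this device")
        pick = number_on_screen if number_on_screen in push["choices"] else push["choices"][0]
        return push["session_id"], self.device_id, pick


def demo():
    """Runs the happy path and three refusals; returns (ok, replay, wrong_number, expired)."""
    idp = IdentityProvider()
    idp.register_device("alice@contoso.example", "phone-A")   # constructed names
    phone = AuthenticatorApp("phone-A")

    # Happy path: user reads the number from the screen and taps it.
    sid, shown, push = idp.start_sign_in("alice@contoso.example")
    ok = idp.complete_sign_in(*phone.respond(push, shown))

    # Answering the same session a second time is refused.
    replay = idp.complete_sign_in(*phone.respond(push, shown))

    # Tapping a number that is not the one on screen is refused.
    sid2, shown2, push2 = idp.start_sign_in("alice@contoso.example")
    other = next(c for c in push2["choices"] if c != shown2)
    wrong = idp.complete_sign_in(sid2, "phone-A", other)

    # A session answered after its lifetime is refused.
    sid3, shown3, push3 = idp.start_sign_in("alice@contoso.example", now=1000.0)
    expired = idp.complete_sign_in(sid3, "phone-A", shown3, now=1000.0 + SESSION_TTL + 1)
    return ok, replay, wrong, expired


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The single-use flag is set before the match is evaluated on purpose: a session that received a wrong answer is dead, so a notification cannot be retried until the right number is found.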
The main advantage of this method is that it is really simple to set up and no extra hardware is required.
A disadvantage is that this cannot be used everywhere at the moment. Windows 10 sign-in on Azure AD Joined devices and Outlook mobile are currently not supported (to name a few). This means you still cannot go completely passwordless, but this might be solved when it goes GA.
Another disadvantage concerns the security of the device. If a user has not configured a PIN code to unlock their mobile phone, someone with physical access to the phone could get access to that user's account. This can be solved by requiring all phones to be MDM enrolled and enforcing a PIN. What I am missing is the ability to require a PIN code to access the Authenticator through app configuration policies without enrollment; that would mean we don't need complete control over the device before we can require extra security.
Passwordless sign-in through a FIDO2 device in AzureAD was announced a couple of months ago. This method is still in preview and support for Hybrid Azure AD Joined devices is supposed to be coming soon.
Microsoft has announced a few partnerships with manufacturers whose keys are supported.
The advantage of FIDO2 sign-in is that a user can go passwordless without the need for a corporate phone. A lot of customers don't provide all of their employees with phones, and some customers have specific use cases. I recently talked to a non-profit organization that wanted to implement MFA, but their staff work in a prison and aren't allowed to bring their phones. FIDO2 keys are a great solution here.
In FIDO2, there are biometric and non-biometric keys. Biometric keys require a PIN code and a touch of a verified finger. Non-biometric keys require a PIN code and a touch of any finger. The latter isn't secure IMO, because an attacker can breach an account if he has physical access to the key and shoulder-surfs the PIN code.
Biometric keys aren't all that prevalent yet, but are the way to go. Even if an attacker has your key and knows your PIN, he can't log in.
Feitian already has a biometric key; Yubikey announced one during Ignite.
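The difference between the two key types can be shown with an added model of the FIDO2 assertion flow (constructed example code, not any vendor's firmware or Azure AD's implementation). A PIN-only key and a biometric key are modelled as two authenticators, and a relying party checks what a WebAuthn relying party checks on the returned authenticator data: the relying-party id hash, the user-present and user-verified flags, and a signature counter that must move forward. The relying-party id, credential ids, PIN and finger labels are assumptions. The signature over the authenticator data is omitted, so the block demonstrates the policy checks rather than the cryptography.

```python
import hashlib
import struct

# WebAuthn authenticator data prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian).
FLAG_UP = 0x01   # user present: the key was touched
FLAG_UV = 0x04   # user verified: PIN entered or fingerprint matched
RP_ID = "login.example"   # constructed relying-party id, not a real tenant


def _auth_data(rp_id, flags, sign_count):
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


class PinKey:
    """Non-biometric FIDO2 key: the correct PIN plus any touch counts as user verification."""

    def __init__(self, pin):
        self.pin, self.counter = pin, 0

    def get_assertion(self, rp_id, pin, touched, finger=None):
        if not touched or pin != self.pin:
            return None                      # key refuses to sign
        self.counter += 1
        return _auth_data(rp_id, FLAG_UP | FLAG_UV, self.counter)


class BiometricKey(PinKey):
    """Biometric FIDO2 key: the touch must also come from an enrolled finger."""

    def __init__(self, pin, enrolled_fingers):
        super().__init__(pin)
        self.enrolled = set(enrolled_fingers)

    def get_assertion(self, rp_id, pin, touched, finger=None):
        if finger not in self.enrolled:
            return None                      # knowing the PIN is not enough
        return super().get_assertion(rp_id, pin, touched, finger)


class RelyingParty:
    """Server side: accepts an assertion only if it satisfies the passwordless policy."""

    def __init__(self, rp_id):
        self.rp_hash = hashlib.sha256(rp_id.encode()).digest()
        self.last_count = {}   # credential id -> last accepted signCount

    def accept(self, cred_id, auth_data):
        if auth_data is None or len(auth_data) < 37:
            return False
        rp_hash, flags = auth_data[:32], auth_data[32]
        (count,) = struct.unpack(">I", auth_data[33:37])
        if rp_hash != self.rp_hash:                        # assertion made for another site
            return False
        if not (flags & FLAG_UP and flags & FLAG_UV):      # passwordless needs touch AND verification
            return False
        if count <= self.last_count.get(cred_id, 0):       # stale or replayed assertion
            return False
        self.last_count[cred_id] = count
        return True


def demo():
    """Returns (owner_pin_key, owner_bio_key, holder_pin_key, holder_bio_key, replay)."""
    rp = RelyingParty(RP_ID)
    pin_key = PinKey(pin="1234")                                           # constructed PIN
    bio_key = BiometricKey(pin="1234", enrolled_fingers={"alice-right-index"})

    # The legitimate owner succeeds on both key types.
    owner_pin = rp.accept("cred-pin", pin_key.get_assertion(RP_ID, "1234", True))
    owner_bio = rp.accept("cred-bio", bio_key.get_assertion(RP_ID, "1234", True, "alice-right-index"))

    # Someone who holds the key and has seen the PIN, but presents their own finger.
    holder_pin = rp.accept("cred-pin", pin_key.get_assertion(RP_ID, "1234", True, "mallory-thumb"))
    holder_bio = rp.accept("cred-bio", bio_key.get_assertion(RP_ID, "1234", True, "mallory-thumb"))

    # Presenting an already-accepted assertion again: the counter did not advance.
    earlier = bio_key.get_assertion(RP_ID, "1234", True, "alice-right-index")
    rp.accept("cred-bio", earlier)
    replay = rp.accept("cred-bio", earlier)
    return owner_pin, owner_bio, holder_pin, holder_bio, replay


if __name__ == "__main__":
    print(demo())   # (True, True, True, False, False)
```

Note that both key types set the same user-verified flag, so the relying party cannot tell a PIN-only key from a biometric one at sign-in time; which key models are acceptable is a registration-time decision, which is why restricting allowed key models in the FIDO2 authentication method settings matters if this distinction is part of your policy.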
Two disadvantages still make me a bit hesitant about implementing it at scale:
- Biometric keys don't come cheap either, so a cost is attached to going passwordless with FIDO2 keys.
- FIDO2 keys aren't supported for all use cases currently. They don't work on mobile phones yet.
Passwordless is the way to go, but we aren't there yet. Should you completely ignore passwordless for the time being, then?
No, I don't think so! I really think you should invest in the research and find out how you can make your entire company go passwordless. Going passwordless is a long journey (years) and can seem impossible in larger corporations.
Smaller, IT-savvy companies can implement it already. At The Collective Consulting, we are almost completely passwordless. We use Windows Hello for Business sign-in on our Windows 10 laptops and Microsoft Authenticator passwordless sign-in for most of the other use cases.
If you are looking into it currently, I would recommend first trying out Microsoft Authenticator passwordless, because it's really easy to set up, has a lower implementation cost and is currently supported in more cases.
However, when biometric keys have matured (I wonder whether mobile support for biometric keys through NFC is possible), they will be the way to go!
Where are you on your passwordless journey? Are you looking into it, do you have some blockers? Contact me and let’s start this discussion!