Road to passwordless: 1 year in
Passwordless was one of the big buzzwords of 2020 when you think about Identity & Access. The goal is simple: remove passwords from the day-to-day life of your end users, and eventually remove them from your directory altogether. I blogged about it in 2019 and explained that the road to passwordless isn't as easy as some marketing material makes it look. During the last year I have been trying to go passwordless myself, and I wanted to share my progress and point out some difficulties and advantages.
There are several passwordless sign-in methods in the Microsoft (365) world; this post covers the three I have been using:
- Windows Hello for Business
- Microsoft Authenticator
- FIDO2 hardware tokens (security keys)
Each has its own use case and (dis)advantages. I have been using all of them off and on for the past year. In this blog post I'll share my thoughts about the different methods and how I use each of them.
Windows Hello for Business
Windows Hello for Business (WHfB) is the passwordless authentication method I use every day. My primary work device is a Surface Book 2, which has a face-recognition sensor that unlocks the device just by looking at it. It's comparable to Face ID on an iPhone and works really well. No more typing your password every time you want to log in; sign-in is really smooth. Granted, sometimes the sensor fails to start or doesn't recognize your face, in which case you have to use a different authentication method.
Windows Hello offers a few ways to unlock: face, fingerprint and PIN. WHfB only makes sense IMO if your devices have a fingerprint or face sensor; otherwise users are just swapping their password for a PIN (more convenient than a password, but not as effortless as face or fingerprint). Note that even the PIN is not a password in disguise: it is only valid on the device that enrolled it and unlocks a private key held in that device's TPM, so a stolen PIN is useless without the device it belongs to.
The awesome thing about a WHfB sign-in is that it also yields a Primary Refresh Token (PRT) carrying an MFA claim. This means that a user who signs in to a device with a WHfB method doesn't have to perform MFA again for sign-ins with their corporate account (in applications or web browsers) and gets seamless single sign-on into all corporate applications. (Side note: the experience isn't always 100%; some applications don't pick up the MFA claim and still prompt for username and password.)
For most organisations, enabling Windows Hello for Business is a really good first step to a world of passwordless.
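What "a PRT with an MFA claim" looks like from an application's side is the amr claim in the access tokens Azure AD issues off that PRT. The following Python is an added example, not code from the original post or from Microsoft: it reads the amr claim and decides whether the sign-in already satisfied MFA, so the app can skip its own prompt. The token builder, the upn value and the alg=none header are constructed for offline testing only; a real application must verify the token's signature and issuer before trusting any claim.

```python
"""Decide from an Azure AD-style token whether MFA was already satisfied.

Azure AD records how the user authenticated in the "amr" claim. A sign-in
with Windows Hello for Business shows up as "ngcmfa", an interactive MFA
prompt as "mfa"; "pwd" or "wia" alone means single-factor.
"""
import base64
import json

# amr values Azure AD documents as multi-factor
MFA_AMR_VALUES = {"mfa", "ngcmfa"}


def b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used in compact JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    This does NOT verify the signature. A real application must validate the
    signature and issuer first and only then read claims from the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def mfa_satisfied(token: str) -> bool:
    """True when the amr claim contains a multi-factor method."""
    amr = set(jwt_payload(token).get("amr", []))
    return bool(amr & MFA_AMR_VALUES)


def sign_in_method(token: str) -> str:
    """Coarse classification of how the user signed in, from amr."""
    amr = jwt_payload(token).get("amr", [])
    if "ngcmfa" in amr:
        return "windows-hello-for-business"
    if "mfa" in amr:
        return "mfa"
    return "single-factor"


def make_sample_token(claims: dict) -> str:
    """Constructed, UNSIGNED sample token (alg=none) for offline demo only."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Three constructed sign-ins: WHfB, password + Authenticator push, password only.
# The upn is a placeholder, not a real account.
SAMPLE_WHFB = make_sample_token({"amr": ["ngcmfa"], "upn": "alice@contoso.example"})
SAMPLE_PUSH = make_sample_token({"amr": ["pwd", "mfa"], "upn": "alice@contoso.example"})
SAMPLE_PWD = make_sample_token({"amr": ["pwd"], "upn": "alice@contoso.example"})

if __name__ == "__main__":
    for name, tok in [("whfb", SAMPLE_WHFB), ("push", SAMPLE_PUSH), ("pwd", SAMPLE_PWD)]:
        print(f"{name}: {sign_in_method(tok)}, mfa_satisfied={mfa_satisfied(tok)}")
```

An application that re-prompts WHfB users for MFA is typically one that only looks for "mfa" in amr and does not know "ngcmfa", which is exactly the "doesn't pick up the MFA claim" behaviour mentioned above.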
Microsoft Authenticator App
The Microsoft Authenticator app is probably my favourite passwordless method of them all. The idea is simple: instead of typing your password, you see a number on your screen and at the same time receive a push notification on your phone. The app shows three numbers, one of which matches the one on the sign-in screen; tap the matching number and you are signed in.
On my business laptop I rarely have to sign in (because of SSO and WHfB), but when I do, this is a really nice fallback method. It makes signing in convenient and quick. However, there are a few downsides:
- This method requires your mobile phone to be registered to your organization. Because a phone can only be registered to one organization, you can only enable this for one account. As a consultant I have lots of accounts at my different customers, so this method is not usable for those.
- As this method is still in preview, it doesn't work in all scenarios yet. I was setting up a MacBook last week: when signing in to my Edge Chromium profile it didn't offer the passwordless option, while signing in to Outlook did.
This is a bit of a bummer, as it still requires you to 'know' your password.
This method needs to be turned on by an administrator (in the tenant's Authentication methods policy), and the end user still has to enable phone sign-in in their Authenticator app.
FIDO2 Hardware tokens
FIDO2 is not an authentication method in itself; it's an open standard (WebAuthn plus CTAP2) that enables passwordless authentication. In recent years a lot of hardware FIDO2 tokens have come on the market. These hardware tokens, or security keys, hold the user's credentials and perform the authentication. Most of the time you connect them to your device over USB, but there are also keys that use NFC or Bluetooth.
Inside the Microsoft realm, security keys are supported for Windows sign-in and for Azure AD authentication. Each key has a PIN associated with it. When you sign in, you choose the correct account and enter the PIN; the PIN is checked by the key itself, not by Azure AD.
Some of the newer keys also support biometric authentication, such as the Feitian K26. Instead of requiring a PIN, you provide your fingerprint to authenticate. The process is very much like unlocking your phone with your fingerprint.
Feitian was kind enough to send me some keys a few months ago and I have been playing with them for a while. For me, biometric keys are a must. Otherwise, you are trusting your users to protect their AAD account with a 4- to 6-digit PIN (which end users will probably reuse elsewhere). The PIN is only ever entered into the key on the local machine and never sent to Azure AD, so it cannot be phished remotely, but it can be shoulder-surfed or captured by a keylogger on the host, and an attacker with physical access to the key plus the PIN then has the account. What keeps the PIN alone from being brute-forced is the CTAP2 retry limit: a compliant key blocks after eight consecutive wrong PINs (three per power cycle) and then has to be reset, which wipes its credentials.
Biometric keys protect the user's identity by requiring biometric proof that it really is the user who is signing in, which makes the whole solution much safer. One caveat: to the relying party (Azure AD) a fingerprint and a PIN look identical, both simply set the 'user verified' flag in the FIDO2 response; the gain is in who can pass that check, not in what the server sees.
Unfortunately, there is no way to disable the PIN as of now. I understand the reasoning behind this: just like with WHfB, you need a fallback method for when your fingers are wet, for example. But I would love some control over PIN complexity and lifetime.
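Because a PIN and a fingerprint both surface as the same 'user verified' bit, the checks that actually decide whether a key sign-in is accepted happen on the relying party's side. The following Python is an added example, not code from the original post, from Microsoft or from Feitian: it parses WebAuthn authenticatorData and enforces the RP ID, user presence, user verification and an AAGUID allow-list of approved key models (the same idea as Azure AD's key restriction policy). The RP ID login.microsoft.com is assumed to be Azure AD's; the AAGUIDs, credential id and COSE key bytes are placeholders constructed for the demo, not values from a real key.

```python
"""Relying-party checks on WebAuthn authenticatorData for FIDO2 sign-in.

authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4 BE) |
[attested credential data: aaguid (16) | credIdLen (2 BE) | credId | COSE key]
Signature verification over this data is assumed to happen elsewhere.
"""
import hashlib
import struct
import uuid
from dataclasses import dataclass
from typing import Optional, Set, Tuple

FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric was checked by the key
FLAG_AT = 0x40  # attested credential data present (registration)
FLAG_ED = 0x80  # extension data present


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[uuid.UUID] = None
    credential_id: Optional[bytes] = None
    public_key: Optional[bytes] = None  # CBOR COSE key, left undecoded here


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte header and, if flagged, attested credential data."""
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    ad = AuthData(raw[:32], raw[32], struct.unpack(">I", raw[33:37])[0])
    if ad.flags & FLAG_AT:
        if ad.flags & FLAG_ED:
            raise ValueError("extension data not handled by this parser")
        if len(raw) < 55:
            raise ValueError("attested credential data truncated")
        ad.aaguid = uuid.UUID(bytes=raw[37:53])
        cred_len = struct.unpack(">H", raw[53:55])[0]
        end = 55 + cred_len
        if len(raw) <= end:
            raise ValueError("credential id or public key truncated")
        ad.credential_id = raw[55:end]
        ad.public_key = raw[end:]  # COSE key runs to the end when no extensions follow
    return ad


def check_sign_in(raw: bytes, rp_id: str, allowed_aaguids: Set[uuid.UUID],
                  require_uv: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason) for one registration or assertion response."""
    ad = parse_auth_data(raw)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match expected RP ID"
    if not ad.flags & FLAG_UP:
        return False, "user presence flag not set"
    if require_uv and not ad.flags & FLAG_UV:
        return False, "user verification (PIN or biometric) was not performed"
    if ad.aaguid is not None and allowed_aaguids and ad.aaguid not in allowed_aaguids:
        return False, f"authenticator model {ad.aaguid} is not on the allow-list"
    return True, "ok"


def build_auth_data(rp_id: str, flags: int, sign_count: int,
                    aaguid: Optional[uuid.UUID] = None,
                    credential_id: bytes = b"", public_key: bytes = b"") -> bytes:
    """Constructed test vector, not data captured from a real key."""
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        out += aaguid.bytes + struct.pack(">H", len(credential_id)) + credential_id + public_key
    return out


# Assumptions for the demo: Azure AD's RP ID, and placeholder AAGUIDs standing in
# for an approved and an unapproved key model (real AAGUIDs come from vendor metadata).
RP_ID = "login.microsoft.com"
APPROVED_KEY = uuid.UUID("00000000-0000-4000-8000-00000000feed")
UNAPPROVED_KEY = uuid.UUID("00000000-0000-4000-8000-00000000beef")
ALLOWED = {APPROVED_KEY}
FAKE_COSE_KEY = b"\xa5\x01\x02\x03\x26"  # truncated CBOR stand-in, not a real key

if __name__ == "__main__":
    reg = build_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, 0, APPROVED_KEY, b"cred-1", FAKE_COSE_KEY)
    print("registration with UV:", check_sign_in(reg, RP_ID, ALLOWED))
    print("touch only, no UV:   ", check_sign_in(build_auth_data(RP_ID, FLAG_UP, 7), RP_ID, ALLOWED))
```

The "touch only" case is the one to watch: a key that was pressed but never asked for a PIN or fingerprint still produces a valid signature, and only the UV check turns it away.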
I always carry my K26 with me. I don't use it for my work account (because WHfB and the Authenticator app have me covered), but I use it extensively to manage the accounts I have at my customers. A FIDO2 key lets you register multiple accounts (discoverable credentials) on the same key, which makes authenticating to all your customers easy.
Just like the Microsoft Authenticator app, this method is also still in preview and doesn't support all sign-in possibilities (such as mobile and Autopilot) yet. I am really looking forward to the future of FIDO2, because it allows easy passwordless authentication independent of the computer you are on. In shared-computer scenarios (like hospitals) this lets users easily sign in to any (Hybrid) Azure AD joined computer.
Application support
When visiting customers, one of the main challenges I see is application support. For passwordless authentication to really work, all your applications need to support it.
The easiest way to get there is to federate all your applications to Azure AD. Azure AD supports a lot of applications out of the box through its application gallery, and on-premises apps can be published through the Azure AD Application Proxy, which puts Azure AD pre-authentication in front of the app and supports several single sign-on methods to the back end (for example Kerberos constrained delegation for integrated Windows authentication, or header-based SSO).
While most organizations will not be able to cover every app with these capabilities, you should be able to cover more than 80%, which lets your users use their password far less often.
This blog post was a combination of my own thoughts and the basics of passwordless authentication. I myself am in love with passwordless and use it every day. It has got to the point where I have saved my corporate password in LastPass because I use it so rarely.
I personally use all three methods because there is no method 'to rule them all'. This makes the entire solution not production ready in my opinion. I would, however, encourage every IT administrator to explore their own journey to passwordless. Try it by enabling Windows Hello for Business and the Microsoft Authenticator app. Explore what is and what is not yet supported in your own environment. If you are happy with the result, you could start inviting some of your users into the solution to see what they think of it.
While I think it will take years before organizations are fully passwordless, I do feel it's something every organization should at least look into and try.
How is your passwordless journey going? Comment below or let’s discuss through Twitter!
Great write-up, and thanks for sharing your experience. The thing I personally miss is which options can be used to log in to Windows. Does ejecting the FIDO2 key lock Windows? Which option can unlock Windows? I miss the trusted signal (Bluetooth) option?
Thanks for the feedback; this post was never really meant to be a deep dive, more an overview.
So to answer your questions:
– Only FIDO2 sign-in is supported in Windows
– Removing the key does not lock Windows
– The trusted signal is not really a passwordless option (although I love the feature myself)
Thanks for your concise post, Thijs. I just listened to this podcast episode which went slightly over my head at some points, but may be interesting for some further background: https://securityunlockedpodcast.com/episodes/all-your-passwords-are-belong-to-us