24 July 2019

FIDO2 – Making Microsoft’s passwordless authentication a reality

  • Enterprise mobility + security
  • Windows 10
David Guest

Passwords. We all need them, we all forget them. But is a day coming when we can forget them forever?

For years, passwords have been the cyber security requirement.

Everyone needs them and they must be secure, strong and change every 30 days, or they need to be secure and long and never change, depending on who you talk to.

It seems like the rules for passwords change every month, but ultimately, whichever belief you subscribe to, passwords are vulnerable and therefore hotly sought after by attackers.

It’s no surprise then that we’ve seen an increased movement toward passwordless authentication, particularly from Microsoft.

The rise of the password

Passwords have been used as a method of gaining access to data since the early 1960s. They really came to the forefront in 1974 when they were added to Unix-based systems to identify specific users.

In the 45 years since then, passwords have become:

  • Longer
  • More complex
  • Changed regularly
  • Required to include different character types
  • Longer
  • Changed more regularly
  • Longer
  • Changed less regularly
  • Never expiring

The only thing that is consistent is that the password has got longer (and longer, and longer).

As passwords become longer and the time between password changes shrinks, users fall back on passwords that are easier to remember.

All of this is old news, of course; we have known the issues with passwords for years. The NCSC and NIST now recommend that a password policy should:

  • Have no complex requirements
  • Not expire regularly
  • Only change if the account is believed to be compromised
  • Be a minimum length (and not too short)

Mobile phones have moved away from using a password (i.e. a PIN) for access. Apple introduced TouchID with the iPhone 5S back in 2013, and some PCs have had fingerprint readers for even longer.

One of the problems with this is that the authentication is actually performed against the device rather than against an authentication service. This means that the passwordless authentication does not carry across devices. If a user gets a new device, they have to re-register their identity against the device using their ID and password (sometimes with a second factor of authentication).

But lately, we’ve seen a number of changes come together that could enable a passwordless experience.

Passwordless authentication: Is it possible?

Different forms of authentication have been in place for many years: smart-cards, certificates, biometrics and so on. They all have their own shortcomings. With a smart-card or biometrics, for example, the device that is handling the authentication must be equipped with the right type of reader.

More recently, Microsoft have brought out Windows Hello, which allows a user to authenticate to a device using their face. Other manufacturers offer similar facial recognition on their devices, or use fingerprints to prove identity.

Ideally, we need a method that can work across an environment without requiring any additional hardware on each device. The one thing we should always insist on is a Trusted Platform Module (TPM).

In some ways, the Microsoft Authenticator app can be used to prove identity without a user needing a password. Within a browser, as a user signs in to a web service, they are asked for their ID and are then prompted to select a matching number from the authenticator app.

Once this test has been passed the user is allowed into the service.

However, this is still not an ideal solution.


Enter FIDO2

You may have seen that there has been a lot of noise lately around something called FIDO2.

FIDO2 is the overarching term for a new set of specifications. It enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.

These specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

This means that a user who has a FIDO2-compliant authenticator can access web services without needing to re-authenticate.

On 10 July 2019, Microsoft announced support for FIDO2 authentication to Azure AD (public preview). This includes authentication to Windows 10 through the use of Windows Hello for Business.

When configured on a Windows 10 workstation the option to use a FIDO2 key is visible on the login screen.

Once the workstation has been configured and is ready for use, the user can then configure their specific key directly.

The configuration is done through the security information page in the user’s profile.

There are two basic types of FIDO2 key. One uses a PIN for identification while the other uses biometrics.

A user can now authenticate to Windows 10 (version 1809 or later) directly using the FIDO2 key, and from there access any services directly through Windows 10.

With this in place, a passwordless future is no longer that far away. The use of Windows Hello for Business to support different authentication types, including the removal of the password requirement, will allow for that future to arrive much sooner.


Watch this short video to see a demonstration of a FIDO2 login.

Passwordless achieved? Well, almost…

There are, however, some current limitations within the preview:

  • Administrators cannot pre-configure a key on behalf of a user
  • The removal of the key from the device does not cancel the session (log the user out)

Even with these limitations, the use of FIDO2 to provide authentication is something that should be looked at.
We all want a world where users can authenticate safely and easily.

If we can remove the password while keeping the security at its current level (or pushing it higher) then this is something that we should be adopting as soon as possible.

Next, watch our multi-factor authentication and conditional access webinar on-demand to see what other technologies you should be taking advantage of to prevent compromised credentials.

Author
David Guest
Solution Architect and Technology Evangelist