24 July 2019

FIDO2 – Making Microsoft’s passwordless authentication a reality

Written by David Guest

Passwords. We all need them, we all forget them. But is a day coming when we can forget them forever?

For years, passwords have been the cyber security requirement.

Everyone needs them and they must be secure, strong and change every 30 days, or they need to be secure and long and never change, depending on who you talk to.

It seems like the rules for passwords change every month, but ultimately, whichever belief you subscribe to, passwords are vulnerable and thereby hotly sought after by attackers.

It’s no surprise then that we’ve seen an increased movement toward passwordless authentication technologies like YubiKey.

The rise of the password

Passwords have been used as a method of gaining access to data since the early 1960s. They really came to the forefront in 1974 when they were added to Unix-based systems to identify specific users.

In the 45 years since then, passwords have become:

  • Longer
  • More complex
  • Changed regularly
  • Involved different character types
  • Longer
  • Changed more regularly
  • Longer
  • Changed less regularly
  • Never expiring

The only thing that is consistent is that the password has got longer (and longer, and longer).

As passwords become longer and the time between password changes shrinks, users will always fall back on passwords that are easier to remember.

All of this is old news, of course; we have known about the issues with passwords for years. The NCSC and NIST now recommend that a password policy should:

  • Have no complex requirements
  • Not expire regularly
  • Only change if the account is believed to be compromised
  • Be a minimum length (and not too short)

Mobile phones have moved away from using a password (i.e. PIN) for access. Apple introduced TouchID with the iPhone 5S back in 2013 and some PCs have had fingerprint readers for even longer.

One of the problems with this is that the authentication is actually performed against the device rather than against an authentication service. This means that the passwordless authentication is not consistent across devices. If a user gets a new device, they have to re-register their identity against the device using their ID and password (sometimes with a second factor of authentication).

But lately, we’ve seen a number of changes come together that could enable a passwordless experience.

Passwordless authentication: Is it possible?

Different forms of authentication have been in place for many years: smart cards, certificates, biometrics and so on, but they all have their own shortcomings. With a smart card or biometrics, for example, the device that is handling the authentication must be equipped with the right type of reader.

More recently, Microsoft have brought out Windows Hello, which allows a user to authenticate to a device using their face. Other manufacturers also have a similar facial recognition for their devices or use fingerprints to prove identity.

Ideally, we need a method that can work across an environment without requiring any additional hardware on each device. We should always ensure that there is a Trusted Platform Module (TPM).

In some ways, the Microsoft Authenticator app can be used to prove identity without a user needing a password. Within a browser, as a user signs in to a web service, they are asked for their ID and are then prompted to select a matching number from the authenticator app.

Once this test has been passed the user is allowed into the service.

However, this is still not an ideal solution.


Enter FIDO2

You may have seen that there has been a lot of noise lately around something called FIDO2.

FIDO2 is the overarching term for a new set of specifications. It enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.

These specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

This means that a user who has a FIDO2-compliant authenticator can access web services that support these specifications without needing to re-authenticate.

On 10 July 2019, Microsoft announced support for FIDO2 authentication to Azure AD (public preview). This includes authentication to Windows 10 through the use of Windows Hello for Business.

When configured on a Windows 10 workstation, the option to use a FIDO2 key is visible on the login screen.

Once the workstation has been configured and is ready for use, the user can then configure their specific key directly.

The configuration is done through the security information page in the user’s profile.

There are two basic types of FIDO2 key. One uses a PIN for identification while the other uses biometrics.

A user can now authenticate to Windows 10 (minimum version of 1809) directly using the FIDO2 key, and from there access any services directly through Windows 10.

With this in place, a passwordless future is no longer that far away. The use of Windows Hello for Business to support different authentication types, including the removal of the password requirement, will allow for that future to arrive much sooner.

Watch this short video to see a demonstration of a FIDO2 login.

Passwordless achieved? Well, almost…

There are, however, some current limitations within the preview:

  • Administrators cannot pre-configure a key on behalf of a user
  • The removal of the key from the device does not cancel the session (log the user out)

Even with these limitations, the use of FIDO2 to provide authentication is something that should be looked at. We all want a world where users can authenticate safely and easily.

If we can remove the password while keeping the security at its current level (or pushing it higher) then this is something that we should be adopting as soon as possible.

Next, watch our multi-factor authentication and conditional access webinar on-demand to see what other technologies you should be taking advantage of to prevent compromised credentials.

Or watch our passwordless webinar on-demand to see it in action.


About David Guest

Solution Architect and Technology Evangelist

As ThirdSpace’s Solution Architect and Technology Evangelist (yes, he knows it’s a long title), Dave has a background in IT that goes back to installing a piece of kit called a Microsoft Softcard in...
