Microsoft recently released a whitepaper on password-less authentication, and it presents a good overview of Microsoft’s motivations and methodology for more secure and nearly frictionless authentication in modern computing.
The renewed emphasis on eliminating passwords and replacing them with device-dependent, multi-factor authentication technologies resurfaces the fact that passwords aren’t helping eliminate existing and new attack vectors as they remain vulnerable to bad actors and have become an endless source of pain both for IT and end-users.
Microsoft wants to get the word out that it’s working on the hardware and software necessary to enable password-less authentication across its ecosystem and to make its case for the journey. Progress is being made across both enterprise and consumer electronics, such as smartphones and modern apps, but until recent years many of the solutions lacked good standards and, in some cases, polish.
Not surprisingly, the current generation of technologies that support password-less authentication has rough edges when dealing with legacy applications that don’t integrate with SAML.
Passwords Are Relics From A Previous Era
Password-less authentication provides another compelling reason for organizations to start their migration to Windows 10 and Azure Active Directory sooner rather than later, something I’ve been preaching for years. So let’s get started.
Back when IT systems were built entirely using a local area network, all the devices in that environment implicitly had a great deal of trust because people needed physical access to the device and that meant access to the building or office space.
In a purely LAN environment, end-user identity authentication and access to resources can cost-effectively be handled with a username and password pair because a bad actor would need to bypass physical security and staff to gain access to a device.
One of the big problems with passwords (more so back in the day) is that they can be easily shared with other employees or family members or whoever and there is no way to differentiate between them using just the username and password pair.
As technologies and expectations evolved, organizations started asking us to build virtual private networks, virtual desktops and provide webmail access, all of which come with their unique verification requirements to ensure that the end-user was legitimate.
The industry responded by developing hardware tokens, small, physical devices carried by end-users that provide an alternative form of authentication that can be easily incorporated into the authentication workflow by using simple alphanumeric codes. The idea was to keep the token on a keychain or an employee identification card, so it was always with a legitimate end-user. Unfortunately, hardware tokens are also susceptible to end-users sharing their credentials with other employees or losing the token or having it stolen.
In one presentation given years ago at a BriForum event, a speaker shared just how far users would go to circumvent secure IT procedures. In one extreme case, a user put their security token in front of an unsecured webcam, so they wouldn’t have to carry the fob.
We must understand that end-users make bad decisions (intentional or otherwise) when it comes to IT security, so I’ll take this moment to stress that frictionless authentication needs to avoid and deter unsafe practices.
For these and other reasons, password-based identity authentication has been a concern of security experts for some time, and, now that corporate resources are becoming more accessible via the Internet through the use of cloud identities and cloud services, the risks and costs associated with relying on passwords have begun to outweigh their usefulness.
Alex Weinert, with Microsoft’s Identity Division, argues that passwords don’t matter because most attacks involve stealing passwords through phishing or other attacks. In the small minority of cases when passwords are successfully guessed, typically through brute force techniques, they come from lists compiled of the most commonly used passwords. So an end-user who avoids well-known or widely used passwords is likely protected against only a small portion of the attacks.
Fortunately for many of us, modern identity systems such as Azure Active Directory Identity Protection are designed to protect against many of the brute force mechanisms used to compromise accounts.
As more organizations adopt cloud-based productivity solutions and BYOD capabilities for end-users, the attack surface dramatically increases. Username and password pairs are insufficient to provide the kind of transparency and utility needed to accurately distinguish between legitimate users and bad actors.
From an operations perspective, password management and support create significant amounts of work for every IT department and downtime for end-users as they work through the reset process. Even with self-service password reset, end-users are still losing productivity as they navigate the reset process and sometimes they need assistance with the process from the helpdesk.
In recent years, end-users have had to memorize more complex password rules and also continuously change their passwords. In the end, these circumstances have led to many forgotten passwords, to end-users choosing weaker passwords (that are easier to remember), and to a cumbersome user experience (UX).
Things only get worse for contractors that service multiple customers and who need multiple logins in numerous directories to perform their day to day tasks.
One of the goals with password-less authentication is to eliminate the need for passwords as a primary authentication method and eliminate the IT costs and poor user experience associated with them.
Multi-factor authentication (MFA) has emerged as the next phase of security, and according to Microsoft, reduces the probability of a compromise by up to 99.9%. Currently, most MFA authentication requires that the user has a phone, smartphone app, or a token device.
Biometric attributes are looming on the horizon of MFA authentication; however, most consumer-grade electronics don’t yet support the kinds of certification needed for all authentication use cases. On the flip side, most enterprise devices don’t yet natively support biometric authentication. The devices that do come with this capability are the newest generations of mobile Windows laptops and hybrid device form factors.
Therefore, in the meantime, many organizations are turning to smartphone apps (e.g., the Microsoft Authenticator app) and security keys as their go-to solution for MFA. The newest generation of security keys comes with higher security certifications, which confer a greater degree of trust that the authentication is valid.
While MFA is just starting to gain adoption within many organizations, Microsoft’s long-term vision of security eliminates passwords from all forms of end-user authentication. A bold vision that many welcome.
Password-less Security And Vendor Participation
Password-less authentication is described in the whitepaper as “a form of multi-factor authentication that replaces the password with a secure alternative. This type of authentication requires two or more verification factors to sign in that are secured with a cryptographic key pair. The device creates a public and private key when registered. The private key can only be unlocked using a local gesture such as a biometric or PIN.”
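The key-pair sign-in described in that quote, sketched as an added example (not code from Microsoft or the whitepaper). The names createDevice, createServer and ORIGIN are hypothetical, a PIN-encrypted key stands in for hardware-protected key storage, and binding the signature to the site origin is an assumption modeled on how WebAuthn works.

```javascript
// Added illustration; createDevice/createServer/ORIGIN are hypothetical names,
// not a Microsoft, WebAuthn or FIDO2 API.
const crypto = require('node:crypto');

const ORIGIN = 'https://login.example.test'; // constructed relying-party origin

// Device: creates the key pair at registration. The private key is stored
// encrypted under the local gesture (a PIN here) and never leaves the device.
function createDevice(pin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: pin },
  });
  return {
    publicKey, // the only thing the server ever receives
    sign(gesture, challenge, origin) {
      const data = Buffer.concat([challenge, Buffer.from(origin)]);
      try {
        return crypto.sign('sha256', data, { key: privateKey, passphrase: gesture });
      } catch {
        return null; // wrong gesture: the private key stays locked
      }
    },
  };
}

// Server: stores public keys only and issues single-use random challenges.
function createServer() {
  const keys = new Map();    // user -> public key
  const pending = new Map(); // user -> outstanding challenge
  return {
    register(user, publicKey) { keys.set(user, publicKey); },
    challenge(user) {
      const c = crypto.randomBytes(32);
      pending.set(user, c);
      return c;
    },
    verify(user, signature) {
      const c = pending.get(user);
      pending.delete(user); // each challenge is accepted at most once
      if (!c || !signature || !keys.has(user)) return false;
      // The server checks against its own origin, so a signature produced
      // for a look-alike site does not verify.
      const data = Buffer.concat([c, Buffer.from(ORIGIN)]);
      return crypto.verify('sha256', data, keys.get(user), signature);
    },
  };
}
```

Nothing the server holds can be replayed as a credential: a captured signature fails against the next challenge, and the PIN itself is never transmitted.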
Deploying password-less security solutions requires many new technologies, so it is essential to thoroughly research and vet your specific use cases with the technologies used in those scenarios.
According to Microsoft, they already offer solutions based on platform, hardware, or software that you can try out today. It is worth taking their claim with a grain of salt because password-less capabilities are still only a preview feature in Azure AD.
New standards like the Web Authentication API (WebAuthn) and Fast Identity Online (FIDO) are enabling password-less authentication beyond Windows and Azure AD.
FIDO2 is an example of Microsoft working with an alliance of vendors to create a set of open standards for password-less authentication. Microsoft is actively working to enable adoption across an organization’s entire IT ecosystem by enabling capabilities in products such as Azure Active Directory and Windows 10. Hardware support is at the core of the FIDO2 approach.
Windows Hello for Business incorporates FIDO2 capable hardware keys, which opens up an inexpensive solution for users who need quick access on shared devices securely through the use of USB tokens.
For Windows devices assigned to a specific user, I believe that Windows Hello for Business with its facial recognition is an ideal authentication method. Users are easily able to enroll their device and use secure biometrics. If you don’t have a Windows Hello capable camera, some vendors provide fingerprint readers, which are also reasonably inexpensive and frictionless to use.
Unlike most Android and iOS devices, the biometric scanners used with Windows Hello appear to be high quality, which in turn delivers better quality and trustworthy authentication.
Most of the pushback I hear with regards to Windows Hello for Business is the use of a device PIN, which is often confused for a password. It is currently industry practice that when biometric authentication isn’t working, a device PIN is used for logging in or the end-user can fall back to their network password. This behavior mirrors what consumer devices have adopted.
Smartphones fall back to a PIN if the biometric authentication fails and you must use a PIN to access the device. Microsoft has made it clear that Windows 10 is to behave more like a mobile operating system; as such, having a device PIN to log in makes sense for Windows devices.
The migration to password-less authentication is both attempting to mitigate risk and, more importantly, enabling single sign-on (SSO), or seamless sign-on as it is more recently referred to. Having a seamless logon to the device is nice, but without integration with your applications, this effort to implement password-less is going to have limited impact.
Mainly you want the user to log into their device once and not be prompted to authenticate again unless something suspicious is detected, at which time other security mechanisms can kick in to further validate the user.
The good news is that configuring your directory for SSO is relatively easy. Where it gets laborious (and sometimes expensive) is going through your entire application portfolio and reconfiguring them to use Azure Active Directory for authentication.
Not to sound like a fanboy, but I choose Azure AD with conditional access and machine learning defenses powered by Microsoft’s Intelligent Security Graph to protect my applications, and I recommend you take the leap if you haven’t already.
When it comes to authenticating and securing the vast expanse of third-party SaaS providers, it’s like the wild west out here. Many major SaaS providers started before cloud identities had matured and used their own authentication mechanisms. Other times the customer wasn’t ready to use cloud identities or didn’t see the value in properly onboarding the SaaS application with Azure AD integration enabled.
So we are often left with the challenge of migrating end-users’ identities from legacy configurations to cloud identities. Some vendors can reconfigure their app relatively painlessly; others might charge you a small project-sized fee to undertake the migration. Depending on the issues, the migration could take time and some capital investment to make.
One final point about password-less authentication, keep UX at the forefront of your vetting process. I recommend that you pilot multiple solutions extensively and collect feedback. I’ve found some devices are more troublesome than others, and, in the end, the goal (at least for Microsoft) is to create a nearly frictionless authentication process for the user.
Start by deploying MFA to everyone in IT right away. You’ll immediately harden those devices and resources, and the experience will give the team a much deeper understanding of how MFA affects UX before the users do. I’ve found MFA using authenticator apps to be an easy win. You can then take that one step further to password-less, which isn’t much more complicated – from a technical perspective.
The takeaway point is that you don’t need to transition to password-less authentication all at once; there are smaller, intermediary steps you can take today.
I do encourage every organization to adopt MFA as a minimum baseline, especially if there are authentication use cases that require biometric or other, more sophisticated authentication mechanisms. In those contexts, let end-users do so in a self-serve fashion.
The big picture win is to make it easy for end-users to give up the habit of relying on overly complicated passwords to protect their device and account. Let’s make passwords meaningless and move to more effective authentication schemes!
Additional Resources to Get Started With Password-less Authentication
For a deep dive on why your password isn’t as useful as you may think it is, I would suggest reading Your Pa$$word Doesn’t Matter by Alex Weinert.
Next are some other articles I suggest for getting more hands-on with the technology.