Microsoft supports passwordless capabilities in Windows 365, Windows Hello for Business, and Microsoft Authenticator
On World Password Day, Microsoft described important passwordless milestones for a range of its products, in an announcement Thursday.
The first Thursday of May is World Password Day. The observance has been around for nine years and usually brings tips such as changing your passwords. Meanwhile, the tech industry has been moving toward a passwordless approach that is resistant to phishing, based on recommendations from the FIDO Alliance industry group and the World Wide Web Consortium's (W3C) WebAuthn group.
Operating system platform makers Apple, Google and Microsoft jointly announced on Thursday that they are adopting the FIDO passwordless approach.
Microsoft's passwordless offerings
Microsoft affirmed its embrace of the FIDO passwordless standards and described related product developments in its announcement Thursday. The passwordless improvements come to Microsoft's desktop-as-a-service offerings, Windows Hello for Business, and the Microsoft Authenticator app, among others.
The announcement indicated that passwordless support for "Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure" is now available in preview for Windows 11 participants in the Windows Insider Program. Passwordless support is coming to Windows 10 as well at an unspecified later date.
In addition, Microsoft is now previewing Windows Hello for Business Cloud Trust for use with Windows 11 version 21H2 and Windows 10 version 21H2. Windows Hello for Business is Microsoft's biometric authentication system; it adds a second factor, usually a face scan, to user authentication, and a PIN can be used instead.
Windows Hello for Business Cloud Trust is a deployment model that uses Azure Active Directory Kerberos instead of a Public Key Infrastructure (PKI). The Cloud Trust model is said to make Windows Hello for Business deployments "simpler." It also avoids "synchronizing public keys between Azure AD and local domain controllers (DCs) for users to access on-premises resources and applications." Microsoft positions the Cloud Trust approach as an optimization over the PKI-based deployment model, as described in this Microsoft document.
Some Microsoft Authenticator news was announced as well. Microsoft Authenticator is an app for Android and iOS mobile devices that provides single sign-on to apps. Microsoft Authenticator users can also forgo passwords if they wish, and the app can now support multiple passwordless accounts. Here's Microsoft's explanation:
When we first introduced passwordless login for Azure AD (work or school accounts), Microsoft Authenticator could only support one passwordless account at a time. Now that limitation has been removed and you can have whatever you want. iOS users will start seeing this capability later this month and the feature will be available on Android after that.
Microsoft also said earlier this week that Microsoft Authenticator can generate complex passwords that users don't need to remember, for those who still rely on passwords.
Finally, the Temporary Access Pass in Azure Active Directory, currently in preview, will arrive this summer. Under this scheme, IT professionals issue a time-limited passcode to the user via the Azure portal. Organizations may want to use a Temporary Access Pass "when a user has lost or forgotten their strong authentication factor such as a FIDO2 security key or a Microsoft Authenticator application," Microsoft explained in this document.
Also new: starting next month, the Temporary Access Pass can be used to provision Windows devices out of the box.
“You’ll be able to use your temporary access pass to sign in for the first time, configure Windows Hello, and join your Azure AD device,” the announcement explained. “This update will be available next month.”
FIDO multi-device credentials
There was also news Thursday from the FIDO Alliance about Apple, Google and Microsoft getting behind the alliance's "FIDO Multi-Device Credentials" effort.
The platform makers' support for multi-device FIDO credentials will make it easier for consumers to dispense with passwords by using their smartphones as "roaming authenticators" across websites. The concept, adopted by Apple, Google and Microsoft, entails securely synchronizing FIDO keys between a user's devices.
There is also Bluetooth support in the multi-device FIDO credentials approach. Bluetooth comes into play when a user's devices run different operating systems and the FIDO keys have not been synchronized between them.
Here's how the FIDO Alliance describes the role of Bluetooth when a user's devices run different operating systems, in its white paper "How FIDO Handles a Full Set of Use Cases":
Synchronization of encryption keys for FIDO credentials between devices may not always be possible, for example if the user is using a new device from a different vendor, which does not sync with the user's other existing devices. In such cases, the presence of the standard Bluetooth protocol mentioned above allows for a convenient and secure alternative: if the FIDO credentials are not readily available on the device the user is trying to authenticate from, the user likely has a device (e.g., phone) nearby that has the credential data. The user will then be able to use their existing devices to facilitate authentication from their new devices.
The white paper explained that while organizations have adopted passwordless approaches using biometric scans, PINs, cards or security keys for authentication, this approach is not expected to work for consumers. Consumers are still mostly stuck providing usernames and passwords, which are vulnerable to phishing attacks. However, the involvement of OS makers in a multi-device FIDO credential approach is expected to change this, providing phishing resistance and greater security.
Kurt McKee is Senior News Producer for 1105 Media’s Converge360 Group.