
How to make your apps passwordless with Microsoft Authenticator and FIDO2

Stop making users change passwords and start getting rid of passwords entirely.

Passwords aren't working: over 80 percent of security breaches involve stolen or weak passwords and credentials. Users routinely pick passwords that are too simple and easy to guess, and if you force people to use complex passwords they write them down and reuse them. Forcing regular password changes makes that worse, which is why both NIST and the UK's National Cyber Security Centre advise against routine expiry unless there is evidence of compromise. If password reset systems rely on people, they can be fooled by social engineering too. Password managers are a stop-gap.

A better solution is to move away from passwords altogether, to biometrics, one-time codes, hardware tokens and other multi-factor authentication options that work by exchanging cryptographic keys, tokens and certificates, so that users don't have to remember anything.

Passwordless doesn't mean more things for users to remember and more hoops for them to jump through. Certificates can be combined with contextual security policies that require fewer factors for low-value access on trusted devices and connections. More factors can be added as the risk rises — whether that's based on the value of the content, the behaviour of the user, their location and connection, or the state of the device. You can already set that up using Azure AD Conditional Access and MFA, but comprehensive support for a full set of passwordless options is only just starting to arrive.

FIDO2 (the FIDO Alliance's second-generation Fast IDentity Online standards, which pair the W3C WebAuthn browser API with the CTAP protocol for talking to authenticators) is the cross-platform way the industry is achieving this, but it's taking time to get the standards worked out and delivered, and Windows and Azure AD support is also coming in stages.

The first steps rely on the Microsoft Authenticator app, which uses key-based authentication: it creates a credential whose private key is tied to the device and unlocked with a PIN or biometric, so it's a software equivalent of Windows Hello. Instead of typing a password, users see a number on the sign-in page, enter that number in the Authenticator app and then confirm with their PIN or biometric. The PIN or biometric only unlocks the key on the phone; it is never sent to Azure AD.


Instead of filling in a password, users enter the number shown on the sign-in screen into the Microsoft Authenticator app on their phone (or even smartwatch) and approve there. Soon that will work with FIDO2 hardware devices too.

Image: Microsoft

Passwordless sign-in for Microsoft accounts with the Microsoft Authenticator app is already available, and support for signing in to Azure AD is now in public preview. You need to be using Azure MFA, and admins have to enable it for the tenant by creating an AuthenticatorAppSignInPolicy with the AzureAD PowerShell module (the New-AzureADPolicy cmdlet). There will be a way to do that in the portal once the service is out of preview.

Currently, the Authenticator app can only cover a single account registered with Azure AD in one tenant, but support for multiple accounts is planned in future.


That passwordless Azure AD sign-in doesn't just cover Office 365 and Azure; it works with any service that federates its sign-in to Azure AD, because the passwordless step happens on the Azure AD sign-in page and the application only ever receives the resulting token. That means the hundreds of thousands of cloud apps (from Twitter to Salesforce) and the many on-premises apps that use Azure AD for single sign-on can all now be passwordless.

You can add already-integrated apps to your tenant from the Azure AD application gallery. If the app you want isn't listed, use the application integration templates to configure single sign-on for apps that support SAML 2.0, SCIM user provisioning or HTML forms sign-in. From the Azure portal choose Azure Active Directory > Enterprise Applications > New Application > Non-gallery application, and fill out the details in the pane at the side, starting with the name. One caveat: forms-based (password) single sign-on still stores a password for the app itself and replays it on the user's behalf; only the user's sign-in to Azure AD becomes passwordless. You can also add applications that get single sign-on through federation services like AD FS, and they'll show up in the Office 365 app launcher.


You can use passwordless sign-in with apps that aren't already in the Azure AD app gallery.

Image: Microsoft

To add single sign-on support to your own applications, developers can use the Azure Active Directory Authentication Library (ADAL), its successor the Microsoft Authentication Library (MSAL), or various open-source libraries that support OAuth 2.0 and OpenID Connect 1.0, and then register the application through the same portal.

FIDO2 and Azure AD

If the Microsoft Authenticator app doesn't cover all your needs, support for FIDO2 hardware security devices is also coming. That could be a Yubikey, or even a fitness tracker like the Motiv Ring.

Again, this comes first for Microsoft accounts, with the general availability of FIDO2 passwordless support for Microsoft accounts in Windows 10 this week. That means you'll be able to sign in to Windows 10 and then into sites like Office 365 in the browser (Edge, Chrome or Firefox) using a FIDO2 key instead of a password, the way you already can with Windows Hello and biometrics; the difference is that the private key lives in the security key's own hardware rather than in the PC's TPM, which is where Windows Hello keeps its keys. As more websites adopt the W3C WebAuthn standard that FIDO2 is built on, you'll get passwordless sign-in to them too.

"We always do the Microsoft account versions first, both to experiment and learn rapidly, and also because they don't require the extensive admin controls the Azure AD versions do," Alex Simons, corporate vice president in Microsoft's identity division, explained to TechRepublic.

The next step will be FIDO2 passwordless support for Azure AD accounts in Windows 10, for the Windows account and Office 365, and all the federated cloud and on-premises services that get single sign-on through Azure AD. That's been in private preview since summer 2018; organizations will be able to use it in public preview in the first quarter of 2019.
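What makes a FIDO2 sign-in resist the phishing that defeats passwords (and one-time codes) is a set of checks the site, the relying party, makes on what the browser and the key hand back. The following is an added example, not part of the article and not Microsoft's or the FIDO Alliance's code: it implements those relying-party checks from the W3C WebAuthn specification in Python, using a constructed relying party (example.com), a constructed challenge and constructed browser/authenticator responses. The final signature check over the bytes it returns, using the credential's stored public key, is left to a library such as cryptography and is not included.

```python
"""Relying-party checks on a WebAuthn (FIDO2) assertion. Added example; it
models the checks the W3C WebAuthn spec requires a site to make before it
trusts a passwordless sign-in. Sample data below is constructed."""
import base64
import hashlib
import json
import struct

FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric checked by the authenticator


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_authenticator_data(data: bytes) -> dict:
    """authenticatorData = SHA-256(rpId) | flags byte | 32-bit signature counter | ..."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    return {
        "rp_id_hash": data[:32],
        "flags": data[32],
        "sign_count": struct.unpack(">I", data[33:37])[0],
    }


def check_assertion(rp_id: str, expected_origin: str, expected_challenge: bytes,
                    stored_sign_count: int, client_data_json: bytes,
                    authenticator_data: bytes, require_uv: bool = True) -> bytes:
    """Run the binding checks; return the bytes the authenticator signed so the
    caller can verify the signature with the credential's stored public key."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: stale or replayed response")
    if client_data.get("origin") != expected_origin:
        # The browser fills in the origin; a phishing page cannot forge it.
        raise ValueError("origin mismatch: %r, response was made on a different site"
                         % client_data.get("origin"))
    auth = parse_authenticator_data(authenticator_data)
    if auth["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: credential is scoped to a different relying party")
    if not auth["flags"] & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not auth["flags"] & FLAG_UV:
        raise ValueError("user verification not asserted: touch alone is a second factor, not passwordless")
    if (auth["sign_count"] or stored_sign_count) and auth["sign_count"] <= stored_sign_count:
        raise ValueError("signature counter did not advance: possible cloned authenticator")
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def rejection_reason(*args, **kwargs) -> str:
    """'' if check_assertion accepts the response, else the reason it refused."""
    try:
        check_assertion(*args, **kwargs)
        return ""
    except ValueError as exc:
        return str(exc)


def make_sample_assertion(rp_id: str, origin: str, challenge: bytes,
                          flags: int, sign_count: int):
    """Constructed test data standing in for what the browser and authenticator return."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    authenticator_data = (hashlib.sha256(rp_id.encode()).digest()
                          + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data_json, authenticator_data


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real RP draws this at random per login
    good = make_sample_assertion("example.com", "https://example.com", challenge, FLAG_UP | FLAG_UV, 12)
    print("genuine site:", rejection_reason("example.com", "https://example.com", challenge, 11, *good) or "accepted")
    relayed = make_sample_assertion("example.com", "https://examp1e.com", challenge, FLAG_UP | FLAG_UV, 12)
    print("relayed from lookalike site:", rejection_reason("example.com", "https://example.com", challenge, 11, *relayed))
```

The origin and rpIdHash checks are the phishing defence: the browser, not the page, writes the origin into clientDataJSON, and the authenticator only ever produces a credential scoped to the real domain. The UV flag is what separates a passwordless sign-in (PIN or biometric on the key) from a plain second-factor touch, and the counter check is the only clue a site gets that a key's secret has been cloned.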


Many FIDO hardware tokens can also generate time-based one-time passcodes (TOTP) using the OATH standards (HOTP, RFC 4226, and TOTP, RFC 6238). That's particularly useful for users who won't be able to (or just don't want to) receive a phone call or a text message, though a one-time code is still something a user can be tricked into typing into a phishing page, which a FIDO2 sign-in is not.

You can now use hardware OATH tokens as an option for Azure AD MFA and self-service password resets, as long as you have a premium (P1 or P2) Azure AD licence — and the password reset now supports Windows 7, 8 and 8.1 with password reset from the login screen.

Hardware OATH support doesn't replace existing options to authenticate. Users can have up to five hardware and software options, including the Microsoft Authenticator app (and the preview includes other authentication apps like Authy, which support OATH), text message and voice calls. If you use a YubiKey, which doesn't have a battery and can't keep time, you'll need the Yubico Authenticator app as well: the key stores the OATH secret and computes the code, but the app has to supply the current time step. The OATH support is in preview, so expect the interface for managing it to change (and move out of the MFA Server section of the Azure interface, which is otherwise for setting up on-premises Azure MFA support).
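To make concrete what an OATH token computes, and why a key with no clock needs a phone to feed it the time, here is an added Python example (not from the article and not Microsoft's or Yubico's code) implementing HOTP and TOTP exactly as RFC 4226 and RFC 6238 define them, plus the verifier-side logic an MFA service needs: a small clock-drift window and a record of the last step consumed, so a code captured in transit cannot be replayed within the same 30-second window. The seed used in the demo is the RFC test secret, base32-encoded; the verifier class and its window size are this example's own design, not Azure MFA's.

```python
"""OATH HOTP (RFC 4226) and TOTP (RFC 6238), as generated by hardware tokens
and checked by an MFA service. Added example; the demo seed is constructed."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def time_step(unix_time: int, step_seconds: int = 30) -> int:
    """All TOTP adds to HOTP: the counter is the number of elapsed time steps.
    A token without a clock (a YubiKey) has to be given this by the companion app."""
    return unix_time // step_seconds


def totp(secret: bytes, unix_time: int, step_seconds: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    return hotp(secret, time_step(unix_time, step_seconds), digits, digestmod)


def secret_from_base32(seed: str) -> bytes:
    """Token seeds are normally handled base32-encoded; tolerate spaces and missing padding."""
    seed = seed.replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


class TotpVerifier:
    """Server side: accept a code from a small drift window, never accept a step twice."""

    def __init__(self, secret: bytes, step_seconds: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step_seconds = step_seconds
        self.digits = digits
        self.window = window            # steps of clock drift tolerated either side
        self.last_accepted_step = -1    # highest step already consumed by a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        current = time_step(unix_time, self.step_seconds)
        accepted = None
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # replay of a used code, or older than one already accepted
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                accepted = step  # keep looping so timing does not reveal which step matched
        if accepted is None:
            return False
        self.last_accepted_step = accepted
        return True


if __name__ == "__main__":
    # Constructed demo seed: the RFC 6238 test secret "12345678901234567890" in base32.
    seed = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = int(time.time())
    code = totp(seed, now)
    print("code for this 30-second step:", code)
    verifier = TotpVerifier(seed)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now + 5))
```

The test vectors in RFC 6238 (secret "12345678901234567890", SHA-1, eight digits) are the quickest check that an implementation, or a new batch of hardware tokens, is computing the right thing; the replay guard is what stops an attacker who shoulder-surfs or intercepts a code from using it a few seconds after the user does.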

Don't expect FIDO U2F support though; Microsoft thinks that going passwordless is a better option than just having yet another second factor supported.


About Mary Branscombe

Mary Branscombe is a freelance tech journalist. Mary has been a technology writer for nearly two decades, covering everything from early versions of Windows and Office to the first smartphones, the arrival of the web and most things in between.
