News

Microsoft Previews Azure Active Directory FIDO2 Sign-Ins Without Passwords

• By Kurt Mackie
• 07/10/2019

Microsoft on Wednesday announced the availability of a public preview of Azure Active Directory's FIDO2 support, which enables user authentications without passwords.

FIDO2, or FAST Identity Online 2.0, is a Web standard for user authentications without passwords that was developed by the FIDO Alliance industry coalition and the Worldwide Web Consortium. Microsoft already has a Windows Hello biometric authentication scheme in Windows 10. It recently received FIDO2 certification for use with the May 2019 Update (version 1903) of Windows 10.

Windows Hello, as well as its mobile device application cousin, Microsoft Authenticator, can be used to scan faces or fingerprints (or a PIN can be used), replacing the traditional password authentication approach.

Azure AD FIDO2 Preview
With the Azure AD FIDO2 public preview, organizations can test "passwordless access to all your Azure AD-connected apps and services," explained Alex Simons, corporate vice president of program management at the Microsoft Identity Division, in the announcement. An early preview involving hardware OATH tokens was announced late last year.

The new Azure AD FIDO2 public preview will work with "a FIDO2 security key," which is typically a physical object, such as a card, a USB thumb drive or a dongle. It'll also work with the Microsoft Authenticator app for Android or iOS mobile devices or it'll work with Microsoft's Windows Hello solution on Windows 10, the announcement indicated.

IT pros will see new tooling support within the Azure AD Admin Portal for setting up this passwordless authentication scheme. To use the preview, they'll need to "assign passwordless credentials using FIDO2 security keys." The preview will work with "the latest versions of Edge and Firefox browsers," the announcement added

Devices made by "hardware partners Feitian Technologies, HID Global and Yubico" have support for the Azure AD FIDO2 preview. Those three device makers are currently offering limited promotional discounts on their devices, which are described in this Microsoft Tech Community post. Microsoft requires that such devices be "Microsoft compatible" keys, as defined in this document.

This preview is a work in progress. Simons described it as a "first release." A future release will add "the ability to manage all our traditional authentication factors (Multi-Factor Authentication (MFA), OATH Tokens, phone number sign in, etc.)," he added. That's true on the Windows 10 client side, too.

"We're working with our Windows security engineering team to make FIDO2 authentication work for hybrid-joined devices," Simons explained.

Windows 10 version 1809 or later operating systems have FIDO2 support, according to Microsoft's "Password-Less Protection" whitepaper (see the table in the whitepaper, for instance).

The FIDO2 scheme employs a public key-private key structure in which the private key always stays on the device. It isn't sent out across the Internet. This arrangement purportedly defeats attack scenarios where a user's name and password are known by another party. Even a PIN is secure because it's tied to the device's hardware, so attackers knowing a PIN would still need to have possession of the client device to access an account, Microsoft's whitepaper explained.

Microsoft's Passwordless Vision
Microsoft, in addition to advocating a passwordless future, also has argued against making end users create complex passwords or have them periodically change them or set them to expire. These contrarian ideas to traditional IT practices were outlined last year in Microsoft's best practices guidance for passwords.

More guidance for IT pros on password management can be found in this document. Back in April, Microsoft had announced plans to drop some traditional password advice from its Windows security baseline document recommendations because it doesn't think they add much protection for organizations.

This week, Microsoft offered more of the same advice concerning passwords and explained that what organization really need is to require multifactor authentication for end users (a secondary identity verification process) and they need to have an identity verification solution in place that's tied to the hardware, such as enabled by FIDO2. These arguments are laid out in this Microsoft Tech Community post by Alex Weinert, a member of the Microsoft Identity Division security team.

Weinert's post is valuable for offering statistics on why traditional password management approaches can fail to attackers. It includes information on which attack methods are most used (such as credential stuffing, phishing and keystroke logging) as well as the difficulty in carrying out such attacks. The analysis is based on Azure AD "telemetry" information collected by Microsoft.

Longer passwords offer better protection against brute-force attacks, Weinert indicated. His overall message, though, was to take a simpler approach and use multifactor authentication.

"Your password doesn't matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA," Weinert concluded.