News

Microsoft Outlines Passwordless Options for Organizations

• By Kurt Mackie
• 10/19/2021

The case for a passwordless future was made by Microsoft luminaries in a 1.5-hour Oct. 13 online presentation.

People are prompted to change their passwords and make them complex, but it's just a negative prod that isn't working. Most people just end up using the same password, noted Vasu Jakkal, corporate vice president for security, compliance and identity at Microsoft.

"If you're like 62 percent of the population, you use the same passwords again and again," Jakkal noted during the "Your Passwordless Future Starts Now" talk. "And making them more complex, makes them harder to remember."  

About 579 password attacks are conducted every second around the world, Jakkal added. Microsoft expects that 99.9 percent of these attacks could be blocked by using multifactor authentication (a secondary identity verification process) but "only 18 percent of our customers are actively using that feature," Jakkal said.

The talk currently is available on demand (with sign-up) here.

Microsoft's Passwordless Options
Going the passwordless route is considered to be a step up from using multifactor authentication for security. Microsoft has four passwordless options, noted Alex Simons, corporate vice president for identity and network access program management at Microsoft, during the talk:

• Windows Hello, a biometric authentication solution for Windows PCs.
• The Microsoft authenticator app for use on mobile devices or Mac or Linux desktops.
• Fast Identity Online 2 (FIDO2) physical security keys (from vendors like HID and Yubico), which let IT pros "prove who they are on any machine."
• Temporary Access Passes, a one-time code given to an employee that "gives them a way to bootstrap into their first password." It's an Azure Active Directory solution.

Microsoft's passwordless solutions stem from its work with the FIDO Alliance, an industry coalition, but open standards have been ratified by the Worldwide Web Consortium (W3C), according to Simons:

We worked very hard in the FIDO2 board to make sure that we have great open standards in this space, and those are now ready and have been ratified by the W3C. The key standards are the WebAuthn standard and the CTAP [Client to Authenticator Protocol] standard. ... [And] this is a big deal for us making sure that you can use them across any device and any service. It's not just for your Microsoft estate.

Currently, more than 200 million users are using passwordless authentications with Azure Active Directory and Microsoft accounts, Simons said.

FIDO2 is just the name for two specifications built by different standards groups, clarified Pamela Dingle, partner director for identity standards at Microsoft.

"FIDO2 itself is not a standard," Dingle said. "It's rather an umbrella name for two very important specifications that were created in two different standards groups in order to get the community going in each of those standards areas."

A JavaScript API is called by a browser with the FIDO2 approach to ask for user credentials, rather than having a Website display a form to get those credentials.

"The browser is responsible for accurately determining the origin of the request, really meaning the domain or subdomain over which the request is coming in," Dingle explained. The browser doesn't get confused, like humans, when a domain has a zero in it, rather than an "o" in the URL domain name, so it resists URL spoofing methods that are used to trick users.

The FIDO2 process uses a public-private key approach. A "gesture" or intention to verify is used to unlock the public key cryptography, Dingle explained. Gesture examples include a swipe, fingerprint or facial recognition:

Each authenticator must contain some kind of secure storage for private asymmetric keys. The user gesture unlocks that private key, which in turn signs a credential that is unique to the requesting website, and has a lot of additional security features like timestamps, nonces and incremental counters and various other amazing things like that.

Passwordless Is More Secure
The notion that going passwordless is more secure than using basic authentication (user name plus password) and even multifactor authentication (secondary ID verification) was argued by Alex Weinert, director of identity security at Microsoft. He mostly argued by analogy, using the classic tale, "The Three Little Pigs."

The use of plain passwords is analogous to the little pig who built a house of straw, which is easily blown down by the Big Bad Wolf. The use of multifactor authentication is analogous to the pig who built a house of sticks. The house of sticks is better, but it's still subject attacks like SIM jacking and OTP (over the phone) phishing. Microsoft's passwordless protections are akin to the house made of bricks, with Windows Hello and FIDO2 verifier and personalization resistance protections.

GitHub Embraces Passwordless
The talk included a discussion on how the GitHub developer repository, owned by Microsoft, scans for "secrets" in code to prevent insecure code uploads.

GitHub has also embraced multifactor authentication and protections against known compromised passwords, as well as passwordless methods. It also implemented device tracking to warn when log-ons occur from unrecognized devices.

Passwords also were removed from the GitHub developer workflow.

"We recently announced that we no longer accept account passwords when authenticating Git operations on the platform or API operations," said Mike Hanley, chief security officer at GitHub. "We're moving to personal access tokens or SSH keys for authenticated Git operations on GitHub."

Developers can use USB devices or smart cards in various form factors from vendors like HID and Yubico to log on.

GitHub also was an early adopter of the WebAuthn standard for software development.

"We're really proud that GitHub has been an early adopter of things like WebAuthn that, in our view, very meaningfully contributes to a more secure software supply chain and ecosystem by taking passwords out of the equation for developers," Hanley said.

Passwordless at Microsoft
The talk included a chat between Mark Russinovich, Azure chief technology officer and Technical Fellow at Microsoft, and Bret Arsenault, corporate vice president and chief information security officer at Microsoft.

They described Microsoft's earlier authentication approaches, from two-factor authentication to the use of virtual smart cards, compared with the current FIDO2-based passwordless experience. Russinovich revealed that he no longer uses passwords to access Microsoft accounts and doesn't even know what his password is.

Microsoft favors multifactor authentication use, but it's had to tweak it to get it used by organizations, even though it's offered for free.

"When we had MFA as an opt-in on AAD for Microsoft users, we saw only about 20 percent adoption. But when we make it opt out, we've seen over 90 percent keep it on," Arsenault noted.

In general, Microsoft considers going passwordless to be part of its overall "zero trust" strategy.

"Going passwordless makes zero trust real, but it adds three clear benefits," Jakkal said. "It makes signing into applications and services faster. You gain a higher degree of trust and security for apps, devices and service providers. And it dramatically reduces IT support team costs."