World Password Day has come and gone for another year. This day of observance was invented several years ago by Intel Security and it’s now even recognized by Wikipedia. You may be thinking like Garfield and saying “Big fat hairy deal.” Well, it is a big deal — my whole life seems to revolve around passwords. As a result, I have problems trying to visualize a world without passwords, but maybe it’s coming sooner than I expect. At least my colleague Sasha Kranjac thinks so. Sasha is an Azure and security specialist, consultant, and cloud architect who helps companies and individuals embrace the cloud and be safe in cyberspace. As CEO and cloud security architect at Kloudatech, Sasha delivers Microsoft, EC-Council, and his own custom Azure and Security courses and PowerClass workshops, consulting and architecting cloud solutions internationally. He is also a Microsoft Most Valuable Professional (MVP), Microsoft Certified Trainer (MCT), MCT Regional Lead, and a Certified EC-Council Instructor (CEI). To learn more about Sasha, you can follow him on Twitter: @SasaKranjac. Let’s now hear what Sasha has to say about whether the death of the password has been greatly exaggerated and whether we are headed for a passwordless future.
Passwords: A thing of the past
Passwords have been with us for ages. In the early 1960s, researchers at MIT began looking for ways to let a shared computer system tell its users apart and verify that each one was who they claimed to be, that is, to authenticate them. In 1962, an MIT researcher printed the system's password list and shared it with other users, which counts as the first known password breach.
Since then, users and administrators alike have struggled with passwords while trying to keep systems secure. Neither group is fond of passwords, and for good reason: they are far from perfect.
Passwords are hard to use well. Good, complex passwords are hard to remember, and easy-to-remember passwords are easy to guess. Add an unfamiliar keyboard, forced periodic changes, and the same password reused across sites and devices, and you have a recipe for forgotten or stolen passwords, breached systems, and a steady stream of reset calls to the help desk. Those calls cost real money, and so does everything else that follows a lost password or a breach.
Technically, password attacks are not complex: the attacker has only a single authentication factor to defeat. A username and password pair is still single-factor authentication. The username merely identifies the account being accessed; the password is the only thing actually verified, and it is a shared secret that the server must also hold, so it can be guessed, replayed, or phished.
As much as users and administrators hate passwords and struggle with them, attackers love them, precisely because of those faults and shortcomings.
Fortunately, passwords are becoming a thing of the past. Forcing frequent changes and ever more complex passwords does little to make a username and password pair safer. We needed better protection, so we added a second authentication factor to the username and password, and multifactor authentication (MFA) was born. Along with a password, we now supply something else at login: typically a time-based one-time password (TOTP), or in some cases a code from a pre-issued list. Unfortunately, even with MFA available, passwords remain the weak link: more than 80 percent of hacking-related breaches used either stolen or weak passwords, according to the Verizon 2017 Data Breach Investigations Report.
But then, even with multifactor authentication, which is inherently more secure, we still use a password, and the password remains the insecure and inconvenient part of the story. What if we replaced the password with a verification factor, preferably two or more, held on a device such as a computer or a physical security key? Done properly, the secret is a private key that never leaves the device: the server keeps only the matching public key and only ever sees a signature over a fresh challenge, never the secret itself. That protects us against phishing, password loss, shoulder surfing, and credential theft from a breached server.
The benefits of passwordless authentication are numerous. In many deployments a password still exists somewhere in the background, but we no longer need to remember, store, change, or type it.
A four-step approach toward a passwordless world
At Ignite 2017, Microsoft laid out its vision of a passwordless world and a four-step approach for detaching ourselves from passwords.
- Develop a password replacement offering. We need something to replace passwords, and that “something” preferably needs to be more secure than the current offering. Fast forward to 2021. We are witnessing improvements in this area, and a variety of products and possibilities to choose from. Having more choices is good, but I guess some options will become more prevalent in the future as private and business consumers figure out what works best for them.
- Reduce user-visible password surface area. This step calls for a strategy to reduce the use of passwords to a minimum, shrinking the password "surface." Ideally, users still know their passwords but never need to use them: they are never prompted for them and never type them anywhere. A password that is never typed cannot be captured by a phishing page, so this step significantly reduces password leaks and leaves phishing attempts unsuccessful.
- Transition into a passwordless deployment. This stage includes transitioning to a passwordless world where users:
- Never change their passwords.
- Never type their passwords.
- Do not know their passwords.
As an example, a user logs in to Windows 10 using Windows Hello for Business and uses a single sign-on to access Azure and Active Directory resources.
- Eliminate passwords from the identity directory. The final stage of a truly passwordless world is an environment where passwords simply do not exist.
Setting up Microsoft passwordless authentication
How to go passwordless with Microsoft? Here are some password replacement options you might consider: Windows Hello and Windows Hello for Business, Microsoft Authenticator App, or a FIDO2-compliant security key.
Windows Hello and Windows Hello for Business provide an excellent login experience: they support biometric authentication with your fingerprint or face, as well as a PIN or a screen gesture.
In Windows 10, open Settings and then Sign-in options to manage sign-in options for your device. There is plenty to choose from: Windows Hello Face (you will need an IR-capable camera), Windows Hello Fingerprint (available if you have a compatible fingerprint reader), Windows Hello PIN, and sign-in with a physical security key.
In contrast to Windows Hello, Windows Hello for Business is configured via Group Policy or Mobile Device Management (MDM) policy and uses certificate-based or key-based authentication. In both cases, the biometric or PIN data is unique to the device where it was set up and never leaves that device. During provisioning, a cryptographic key pair is generated and bound to the Trusted Platform Module (TPM) if the device has one, or held in software otherwise; the TPM-backed form is the one to aim for, and on Windows the Get-Tpm PowerShell cmdlet reports whether a TPM is present and ready. Passwords are less secure because they are shared secrets: the server holds a copy, and the secret itself travels over the network at every login, where it can be intercepted. With Hello, the PIN or biometric only unlocks the private key locally, and what crosses the network is a signature that the server checks against the public key.
Microsoft Authenticator App offers the most convenience and flexibility at the lowest cost for passwordless authentication in both personal and business scenarios. It supports biometrics, push notifications, and time-based one-time passcodes (TOTP or OTP codes). It also supports cloud backup and restore, importing passwords from Google Chrome and other apps, and can fill saved passwords into sites and apps. Passwords saved in Microsoft Edge sync with Microsoft Authenticator for a seamless mobile experience. It is free to download from the Apple App Store and Android app stores, and you can use it with almost any account: Google, Amazon, GitHub, Twitter, Facebook, LinkedIn, Instagram, and countless others.
In Azure Active Directory, setting up Microsoft Authenticator App as a sign-in method and second authentication factor is easy. It takes no more than two minutes and brings numerous benefits. Once set up, signing in no longer requires typing a password; instead, you open the Microsoft Authenticator app and approve the sign-in request, either by entering the number shown on screen or by confirming the prompt.
Passwordless authentication offers benefits beyond serving merely as a second multifactor authentication method. Signing in without ever entering a password is more secure than signing in with one.
You can use Microsoft Authenticator App as a passwordless sign-in option once it has been enabled in Azure Active Directory. Instead of entering a password, users receive a push notification and confirm the sign-in by matching the number displayed on the login screen and then providing a PIN, fingerprint, or face scan to complete authentication. The number-matching step matters: a bare approve button invites prompt bombing, where an attacker who knows the username keeps triggering push requests until a tired user taps approve.
Recently, two passwordless authentication options completed their preview stage and reached general availability: FIDO2 Security Key (Item 1 in the image below) and Microsoft Authenticator (Item 2). Two more options are still in preview: Text Message and Temporary Access Pass (Item 3).
To enable Microsoft Authenticator App as a passwordless option, open the Azure portal, go to Azure Active Directory, choose Security, and then Authentication methods. Select the Microsoft Authenticator entry and set Enable (Item 4) to Yes for All users or Select users. Optionally, set Authentication mode (Item 5) to Passwordless, Push, or Any (Item 6).
FIDO2 Security Key is a second passwordless authentication method, and it brings several benefits. Usability improves, since a hardware key is quick and easy to use, and account security is strong, because the password is replaced by hardware-backed public-key cryptography. Moreover, a single security key works across any number of accounts with no shared secrets: the key generates a separate key pair for each site, and each site stores only its own public key.
FIDO stands for Fast IDentity Online, and FIDO2 is the passwordless successor to FIDO U2F. FIDO2 consists of two components: WebAuthn, the W3C web API that browsers and platforms expose to websites, and the Client to Authenticator Protocol (CTAP), which the browser uses to talk to an external authenticator such as a security key. Together they deliver the passwordless sign-in experience. The older FIDO U2F protocol was renamed CTAP1 and lives on alongside CTAP2, so existing U2F keys still work as a second factor.
FIDO2 security keys usually come in a USB form factor but can also connect over NFC or Bluetooth Low Energy (BLE).
Setting up a FIDO2 Security Key (Item 1, below) as a passwordless option in Azure Active Directory works much like setting up the Microsoft Authenticator App. Businesses will welcome the key restriction policy (Item 2), which lets you Allow or Block specific key models. This is possible because the FIDO2 specification requires an authenticator to report an Authenticator Attestation GUID (AAGUID) during attestation: a 128-bit identifier for the type of authenticator, shared by all authenticators with the same capabilities and firmware. Because the AAGUID is self-reported, an allow list is only as trustworthy as the attestation statement that accompanies it, so make sure the registration flow actually verifies that attestation.
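The following Go program, added here as an illustration and not part of the article or of any Microsoft or FIDO Alliance code, simulates the exchange this section describes and the device-bound credential idea introduced earlier: a relying party (login.example) issues a challenge, the browser builds the client data with the page origin, and a FIDO2 key signs it with a key pair scoped to that relying party. The relying party names, AAGUID values and the challenge string are constructed placeholders; the authenticator data is reduced to rpIdHash plus a flags byte, and the credential ID is simplified to the hex of the public key rather than a random identifier. The program shows three properties the text claims: the private key never leaves the authenticator, a phishing page on evil.example can neither obtain nor reuse an assertion, and the relying party can enforce an AAGUID allow list at registration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type AAGUID [16]byte // 128-bit authenticator model identifier; values used in Demo are constructed placeholders

// Authenticator stands in for a FIDO2 key: one key pair per relying party, and the private keys never leave it.
type Authenticator struct {
	ID   AAGUID
	keys map[string]ed25519.PrivateKey // rpID -> private key scoped to that relying party
}

func signedBytes(ad, cdj []byte) []byte { // what the key signs: authenticatorData || SHA-256(clientDataJSON)
	h := sha256.Sum256(cdj)
	return append(ad[:len(ad):len(ad)], h[:]...) // full slice expression forces a fresh copy
}

// MakeCredential returns a credential ID (simplified here to hex(pub); real keys use a random ID) and the public key.
func (a *Authenticator) MakeCredential(rpID string) (string, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.keys[rpID] = priv
	return fmt.Sprintf("%x", pub), pub
}

// GetAssertion: the browser derives rpID from the page origin, so a page on evil.example can
// never obtain a signature from the credential scoped to login.example.
func (a *Authenticator) GetAssertion(rpID string, cdj []byte) (string, []byte, []byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return "", nil, nil, fmt.Errorf("no credential scoped to %s", rpID)
	}
	h := sha256.Sum256([]byte(rpID))
	ad := append(h[:], 0x05) // authenticator data: rpIdHash || flags (0x05 = user present + user verified)
	credID := fmt.Sprintf("%x", priv.Public().(ed25519.PublicKey))
	return credID, ad, ed25519.Sign(priv, signedBytes(ad, cdj)), nil
}

type RelyingParty struct {
	ID, Origin     string
	AllowedAAGUIDs map[AAGUID]bool // key restriction policy; an empty map allows any model
	creds          map[string]ed25519.PublicKey
}

func (rp *RelyingParty) Register(model AAGUID, credID string, pub ed25519.PublicKey) error {
	if len(rp.AllowedAAGUIDs) > 0 && !rp.AllowedAAGUIDs[model] {
		return fmt.Errorf("AAGUID %x blocked by key restriction policy", model)
	}
	rp.creds[credID] = pub
	return nil
}

func (rp *RelyingParty) Verify(challenge, credID string, cdj, ad, sig []byte) error {
	var cd map[string]string
	err := json.Unmarshal(cdj, &cd)
	want := sha256.Sum256([]byte(rp.ID))
	pub, ok := rp.creds[credID]
	switch {
	case err != nil || cd["challenge"] != challenge:
		return fmt.Errorf("unparseable client data or stale challenge")
	case cd["origin"] != rp.Origin:
		return fmt.Errorf("origin %q is not %q", cd["origin"], rp.Origin)
	case len(ad) != 33 || string(ad[:32]) != string(want[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case !ok || !ed25519.Verify(pub, signedBytes(ad, cdj), sig):
		return fmt.Errorf("unknown credential or bad signature")
	}
	return nil
}

type Outcome struct{ Legit, Phish, WrongOrigin error } // three attempts against one RP; only Legit should be nil

func Demo() Outcome {
	key := &Authenticator{ID: AAGUID{0x01}, keys: map[string]ed25519.PrivateKey{}}
	rp := &RelyingParty{ID: "login.example", Origin: "https://login.example",
		AllowedAAGUIDs: map[AAGUID]bool{{0x01}: true}, creds: map[string]ed25519.PublicKey{}}
	challenge := "constructed-challenge-1" // in practice: fresh random bytes for every login
	cdj, _ := json.Marshal(map[string]string{"challenge": challenge, "origin": rp.Origin})
	credID, pub := key.MakeCredential(rp.ID)
	var o Outcome
	if o.Legit = rp.Register(key.ID, credID, pub); o.Legit == nil {
		id, ad, sig, _ := key.GetAssertion(rp.ID, cdj)
		o.Legit = rp.Verify(challenge, id, cdj, ad, sig)
	}
	// A phishing page on evil.example relays the real challenge; the browser scopes the request to evil.example.
	_, _, _, o.Phish = key.GetAssertion("evil.example", cdj)
	// A client that lies about rpID still cannot hide the page origin from the RP.
	evil, _ := json.Marshal(map[string]string{"challenge": challenge, "origin": "https://evil.example"})
	id, ad, sig, _ := key.GetAssertion(rp.ID, evil)
	o.WrongOrigin = rp.Verify(challenge, id, evil, ad, sig)
	return o
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Two details carry the security argument. First, the relying party never receives anything it could replay or crack offline: it stores a public key and checks a signature over its own fresh challenge and the origin the browser reported. Second, the AAGUID check in Register is the whole key restriction policy, which is why a real deployment must also validate the attestation signature that vouches for that AAGUID; this simulation trusts the value as reported.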
This is what the passwordless sign-in experience using a security key looks like:
On a sign-in screen, choose Sign in with a security key, insert a security key if you have not already done so, touch a security key, and that is it! Fast, simple, and what is most important — secure.
The journey is a long one, but the industry is moving in the right direction. I cannot wait to enjoy the passwordless future, where passwords no longer exist.
Featured image: Shutterstock