News

FIDO2, Windows 10's Password Replacement, Now Ready

• By Kurt Mackie
• November 27, 2018

It's now possible to use devices based on the Fast IDentity Online 2.0 (FIDO2) protocol with a Microsoft account and Windows 10 version 1809 to verify user access, Microsoft announced on Monday.

Essentially, this capability obviates the need for a password. It works with desktop and mobile devices, permitting access to applications such as Microsoft Office, Outlook and Skype. However, a Microsoft document stated that "this functionality is not available yet on phones."

Organizations can use a FIDO2-based device or they can use Windows Hello, Microsoft's biometric identity solution, with a Microsoft account. The FIDO2 devices supported might be a USB thumb drive with a fingerprint reader, or some other kind of security key.

The ability to work with a Microsoft account is only available in the U.S. market right now. However, it'll be available worldwide "over the next few weeks," Microsoft's announcement promised.

The FIDO2 capability requires using the Windows 10 October 2018 Update (version 1809), as well as the Microsoft Edge browser. Despite its rerelease earlier this month, Windows 10 version 1809 may still be blocked for some users because of new problems found with Intel display drivers, and a few other problems, as listed in Microsoft's Windows 10 Update History page.

To use the capability, Microsoft's announcement suggested that organizations will need to buy a security key that supports the FIDO2 standard. The criteria are outlined in this document.

Microsoft is using the WebAuthn and FIDO2 CTAP2 specifications, which require that both a private and public key get added to a device. Organizations will need to have a Trusted Platform Module on the device to store these keys. The Trusted Platform Module can be implemented via hardware or software.

Microsoft is claiming that it's among "the first in the world to deploy FIDO2" in its products, according to this blog post, which described the standard. It added that Windows 10 version 1809 has support for the "latest WebAuthn Candidate release," which is "a stable release not expected to normatively change before the specification is finally ratified."

On top of the Microsoft account support for FIDO2 in Windows 10 version 1809, it'll be possible to get FIDO2 support using Azure Active Directory work or school accounts in the near future.

"We are currently building the same sign-in experience from a browser with security keys for work and school accounts in Azure Active Directory," Microsoft's announcement explained. "Enterprise customers will be able to preview this early next year, where they will be able to allow their employees to set up their own security keys for their account to sign in to Windows 10 and the cloud."