Microsoft Bolsters New Passwordless Options for Windows Users
- By Kurt Mackie
- May 06, 2022
Microsoft on Thursday marked World Password Day with a list of new capabilities aimed at eliminating passwords entirely.
The first Thursday of May is World Password Day. It has been observed for nine years, typically with advice such as changing your passwords. Meanwhile, the tech industry has been moving toward a phishing-resistant passwordless approach built on standards from the FIDO Alliance industry group and the World Wide Web Consortium's (W3C) WebAuthn working group.
Operating system platform makers Apple, Google and Microsoft on Thursday all embraced the FIDO passwordless approach in a joint announcement.
Microsoft's Passwordless Progress
Microsoft signaled its embrace of the FIDO passwordless standards and described product advancements in its Thursday announcement. Passwordless improvements are coming to Microsoft's desktop-as-a-service offerings, Windows Hello for Business and Microsoft Authenticator app, among others.
Passwordless support for "Windows 365, Azure Virtual Desktop and Virtual Desktop Infrastructure" is now available at the preview stage for Windows 11 participants in the Windows Insider testing program, the announcement noted. Passwordless support will be coming to Windows 10, too, at some point.
Additionally, Microsoft is now previewing Windows Hello for Business Cloud Trust for Windows 11 version 21H2 and Windows 10 version 21H2. Windows Hello for Business replaces the password with a credential bound to the device, which the user unlocks with a biometric gesture, typically a face or fingerprint scan, or with a PIN; the device and the gesture together supply the two factors.
Windows Hello for Business Cloud Trust is a deployment model that uses Azure Active Directory Kerberos, rather than an on-premises public key infrastructure (PKI), to get Windows Hello users to on-premises resources. Microsoft describes the Cloud Trust model as "simpler" to deploy. It also avoids the "syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications." Microsoft presents Cloud Trust as a faster-to-deploy alternative to the certificate-based trust models, as described in this Microsoft document.
There was some Microsoft Authenticator news announced, too. Microsoft Authenticator is an Android and iOS app that handles multifactor and passwordless sign-in for Microsoft accounts and Azure AD (work or school) accounts. Microsoft Authenticator users can dispense with passwords altogether, if they choose. The app is now getting the ability to hold multiple passwordless accounts. Here's Microsoft's explanation:
When we first introduced passwordless sign-in for Azure AD (work or school accounts), Microsoft Authenticator could only support one passwordless account at a time. Now that limitation has been removed and you can have as many as you want. iOS users will start to see this capability later this month and the feature will be available on Android afterwards.
Microsoft also described Microsoft Authenticator earlier this week as being capable of generating complex passwords that users don't need to recall, for those who stick with passwords.
Lastly, Temporary Access Pass in Azure Active Directory, currently in preview, is slated for general availability this summer. Under this scheme, an administrator issues a user a time-limited passcode from the Azure Portal, which the user presents in place of their usual strong factor. Organizations may want to use a Temporary Access Pass "when a user has lost or forgotten their strong authentication factor like a FIDO2 security key or Microsoft Authenticator app," Microsoft explained, in this document.
What's also new with Temporary Access Pass is that it'll be enabled for out-of-the-box Windows device provisioning, starting next month.
"You'll be able to use a Temporary Access Pass to sign in for the first time, to configure Windows Hello, and to join a device to Azure AD," the announcement explained. "This update will be available next month."
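The article describes issuing a Temporary Access Pass from the Azure Portal. The script below is an added example, not code from the article or from Microsoft, that does the same job from the Microsoft Graph PowerShell SDK so it can be scripted for help-desk recovery or first-day device provisioning. It assumes the Microsoft.Graph module is installed, that the Temporary Access Pass method is enabled for the target user's group in the tenant's Authentication methods policy, and that the user principal name passed in is a placeholder for a real account; the 60-minute default lifetime is also an assumption and must fall within the limits the tenant policy sets.

```powershell
# Added example (not from the article): issue a short-lived, single-use
# Temporary Access Pass with the Microsoft Graph PowerShell SDK instead of
# the Azure Portal. Assumes the Microsoft.Graph module is installed and that
# the TAP method is enabled for the user's group in the tenant's
# Authentication methods policy. The UPN argument is a placeholder.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int] $LifetimeMinutes = 60   # assumed default; must sit inside the policy's min/max
)

# Delegated scope needed to read and write a user's authentication methods.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# A user can hold only one Temporary Access Pass at a time, so revoke any
# existing one before issuing a replacement.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName |
    ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod `
            -UserId $UserPrincipalName `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
    }

# Single-use and short-lived: once the user has enrolled Windows Hello or a
# FIDO2 key with it, the pass is spent, which narrows the window in which an
# intercepted pass could be abused.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod `
    -UserId $UserPrincipalName `
    -LifetimeInMinutes $LifetimeMinutes `
    -IsUsableOnce

# The pass value is only returned in this response; it cannot be read back
# later. Hand it to the user out of band, never by e-mail to the account
# being recovered.
$start = [datetime]$tap.StartDateTime
[pscustomobject]@{
    User       = $UserPrincipalName
    Pass       = $tap.TemporaryAccessPass
    StartsAt   = $start
    ExpiresAt  = $start.AddMinutes([int]$tap.LifetimeInMinutes)
    UsableOnce = $tap.IsUsableOnce
}
```

Save it as, for example, Issue-Tap.ps1 and run `.\Issue-Tap.ps1 -UserPrincipalName user@example.com` (a placeholder address) from an account holding an Authentication Administrator or Privileged Authentication Administrator role. Keeping the pass single-use and the lifetime short is the practical mitigation for the obvious risk of a recovery code: it is a bearer secret that bypasses the user's strong factor for as long as it is valid.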
Multidevice FIDO Credentials
There was also news on Thursday from the FIDO Alliance on Apple, Google and Microsoft getting behind the Alliance's "multidevice FIDO credentials" effort.
OS platform maker support for multidevice FIDO credentials will make it easier for consumers to dispense with passwords by using their smartphones as "roaming authenticators" across Web sites. Apple, Google and Microsoft are all embracing the concept, which entails securely synchronizing FIDO keys between a user's devices.
There's also Bluetooth support in the multidevice FIDO credentials approach, but it isn't for syncing keys. Bluetooth comes into play when a credential can't be synced to the device a user is signing in from, for example a new device from a different vendor: a nearby phone that already holds the credential completes the authentication for the new device over a standardized Bluetooth protocol.
Here's how the FIDO Alliance characterized that Bluetooth fallback for devices that don't sync with each other, per its white paper, "How FIDO Addresses a Full Range of Use Cases":
Syncing FIDO credentials' cryptographic keys between devices may not always be possible, for example if the user is using a new device from a different vendor, which doesn't sync with the user's other existing devices. In such cases, the existence of the above-mentioned standardized Bluetooth protocol enables a convenient and secure alternative: if the FIDO credential isn't readily available on the device from which the user is trying to authenticate, the user will likely have a device (e.g., phone) nearby that does have the credential. The user will then be able to use their existing device to facilitate authentication from their new device.
The white paper explained that while organizations have adopted passwordless authentication using biometric scans, PINs, cards or key fobs, that approach isn't expected to take hold among consumers. Consumers are still mostly stuck with user names and passwords, which can be captured by phishing. The OS makers' support for multidevice FIDO credentials is expected to change that: a FIDO credential is bound to the Web site that registered it, so a lookalike phishing site can't use it, which is where the phishing resistance and greater security come from.