The Microsoft identity team recently launched a series explaining why they love passwordless authentication (and why you should too!). The series kicked off with posts on FIDO and NIST compliance. Alex Weinert continues the series with this post on biometric authentication.
My turn! Pam and Sue are tough acts to follow, but here goes! I love passwordless for so many reasons (I really dislike passwords) – but one of the top things I love about passwordless is that we can use biometrics to make authentication so much easier and more secure. Rather than having to memorize a password (you can’t) or security answers (quick! What was your 6th grade teacher’s best friend’s pet’s maiden name when you had your first crush?), you can use what’s always with you – you! Biometrics let you use your face, fingerprint, or even heartbeat on some devices.
Biometrics also provide terrific accessibility benefits, making it possible to sign in when typing a password is not viable. It is really exciting to think about the technology in use by people, or in situations, where secure digital identity was previously out of reach. With biometrics, once a device is "bound" (the credential is registered to that device), almost any gesture can be used to authenticate. Think about the implications for folks who interact with technology in non-conventional ways, or whose job requirements make manual interaction impossible (e.g. a surgeon after scrubbing in): with NFC and FIDO2, a tap of the token can sign you in securely.
There can be challenges with centrally managed biometrics (a central store of templates is a high-value target, and unlike a password a leaked fingerprint cannot be reset), but properly implemented solutions like FIDO2, Windows Hello, and Microsoft Authenticator use the biometric only as a way to unlock a locally stored cryptographic key. The template is stored and matched on the device itself; a successful match authorizes the secure hardware (e.g. a TPM) to perform operations with that key, such as creating a keypair, releasing the public key, or signing a challenge with the private key. The biometric itself is never sent to the service. This approach is inherently multifactor (something you have, the device, plus something you are) and defeats many conventional attacks on MFA, such as phishing a one-time code or replaying a captured credential from another machine. And because you're thinking it: most biometric systems include liveness detection to validate the biometric presented, so just a picture wouldn't work.
In a typical deployment of FIDO2 or Windows Hello, a person swipes a finger, looks at a camera, or uses another gesture the device supports to enroll that device for authentication. Behind the scenes, the enrolled biometric template is stored on the device, and a cryptographic keypair (private and public) is generated in the device's hardware. The public key is registered with the service; the private key never leaves the device. Note that the private key is not derived from the biometric data: the biometric gates its use. The hardware will sign subsequent authentication challenges with the private key only when a freshly captured sample matches the template that was enrolled.
Even if an attacker were to spoof my fingerprint (or face, or my super-secret disco moves) with the goal of tricking the system into thinking it's me, they'd first have to steal the device where the keypair resides, because the key exists nowhere else. That alone is costly, time-consuming, and rare, and even then they'd have access only from that device, and I could quickly revoke trust in that device.
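The flow described in the last three paragraphs, as an added example that is not part of the original post and not Microsoft's code: a device-side authenticator that keeps the biometric template and an Ed25519 private key local and only signs a challenge after a local match, and a relying party that stores nothing but the public key. The template is modelled as a SHA-256 of the sample bytes (an assumption; real matchers compare feature vectors with a tolerance and add liveness checks), and all sample bytes are constructed strings, not biometric data. The scenario checks the cases the post makes: the owner signs in, an impostor on the owner's device does not, the owner's biometric on an attacker's device does not (wrong key), a captured signature does not replay against a fresh challenge, and revoking the device shuts the owner's own device out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the device side (secure hardware plus the local biometric
// matcher). Neither the template nor the private key ever leaves it.
type Authenticator struct {
	template []byte             // assumption: SHA-256 of the enrolled sample bytes
	priv     ed25519.PrivateKey // used only after a successful local match
	pub      ed25519.PublicKey
	CredID   string
}

// RelyingParty models the service: public keys by credential ID, no biometrics.
type RelyingParty struct {
	creds map[string]ed25519.PublicKey
}

func templateOf(sample []byte) []byte {
	h := sha256.Sum256(sample)
	return h[:]
}

// Enroll stores the template locally and generates a fresh keypair bound to this device.
func Enroll(sample []byte) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{template: templateOf(sample), priv: priv, pub: pub,
		CredID: hex.EncodeToString(pub[:8])}, nil
}

// PublicKey is the only artefact that leaves the device, at registration time.
func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.pub }

// Sign releases a signature over the challenge only if the presented sample matches.
func (a *Authenticator) Sign(sample, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(templateOf(sample), a.template) != 1 {
		return nil, errors.New("biometric mismatch: private key not released")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

func NewRelyingParty() *RelyingParty { return &RelyingParty{creds: map[string]ed25519.PublicKey{}} }

func (rp *RelyingParty) Register(credID string, pub ed25519.PublicKey) { rp.creds[credID] = pub }

// Revoke is what the user does for a lost device: the public key is dropped.
func (rp *RelyingParty) Revoke(credID string) { delete(rp.creds, credID) }

// NewChallenge issues a fresh random nonce so a captured signature cannot be replayed.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks the signature against the key registered for that credential.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := rp.creds[credID]
	if !ok || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

// Login runs one authentication: RP challenge -> device match and sign -> RP verify.
func Login(rp *RelyingParty, dev *Authenticator, sample []byte) bool {
	ch := rp.NewChallenge()
	sig, err := dev.Sign(sample, ch)
	if err != nil {
		return false
	}
	return rp.Verify(dev.CredID, ch, sig)
}

// Scenario walks through the cases the post describes and reports each outcome.
func Scenario() map[string]bool {
	owner := []byte("constructed sample: owner")        // constructed, not biometric data
	impostor := []byte("constructed sample: someone else") // constructed, not biometric data
	rp := NewRelyingParty()
	dev, err := Enroll(owner)
	if err != nil {
		panic(err)
	}
	rp.Register(dev.CredID, dev.PublicKey())

	out := map[string]bool{}
	out["owner on own device"] = Login(rp, dev, owner)
	out["impostor on owner's device"] = Login(rp, dev, impostor)

	// Attacker holds the owner's biometric but not the device: their own hardware
	// matches the sample, but signs with a key the RP never registered.
	attackerDev, _ := Enroll(owner)
	ch := rp.NewChallenge()
	sig, _ := attackerDev.Sign(owner, ch)
	out["owner's biometric on attacker's device"] = rp.Verify(dev.CredID, ch, sig)

	// Replay: a signature captured from an earlier login does not fit a fresh challenge.
	oldSig, _ := dev.Sign(owner, rp.NewChallenge())
	out["replayed signature"] = rp.Verify(dev.CredID, rp.NewChallenge(), oldSig)

	// Lost device: after revocation even the owner's own device is refused.
	rp.Revoke(dev.CredID)
	out["owner after device revoked"] = Login(rp, dev, owner)
	return out
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-40s accepted=%v\n", k, v)
	}
}
```

Only the first case should be accepted. Note what the relying party never holds: no template, no private key, and nothing an attacker could phish and reuse elsewhere, since every login signs a nonce that the service chose.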
So there you have it – I love passwordless because swiping my finger, tapping my watch or grinning goofily at my PC's camera is easier, more secure and more FUN than remembering which darn password I used on that service this time. (True confessions time – I scrambled my Microsoft account and work passwords over a year ago – I am a dyed-in-the-wool, full-time, passwordless-only authentication addict!)
Stay tuned for more in the series! We’ll share how passwordless credentials can protect you from top attacks and we’ll dive into different types of credentials that use biometrics, NFC, and USB to verify explicitly.
Is there a future Win 10 roadmap item to allow M365 accounts to log in to Windows 10 using the Authenticator app? Lots of customers ask for this feature.
Hello, since we have frontline workers on shared Azure AD joined computers we really love the FIDO2 security option for the users to log into those workstations passwordless, with their Azure AD user account. However government regulations require features that aren’t available in Azure AD yet for managing the user’s security key PINs.
– Minimum number of digits
– No repeating digits
– No sequential patterns
– Expiration with forced change
– Not be identical to 3 previous PINs
Any plans on giving Azure AD administrators more control over the PIN numbers used with security keys to stay in alignment with these regulatory mandates?
@ForumUser You will likely be interested in the new options coming to the FIDO2 standard:
@Chris_Clark_Netrix We are also seeing customers wanting to use Authenticator to log in to their Windows 10 computers. Why is this available for consumer Microsoft accounts and not for work or school accounts? I don't get it.
Anyway, you could check out web login as an alternative. It kinda works the way you want, especially if you have phone sign-in active on your account. Then the login experience works the same as on web pages: you get the web login prompt, enter your username and then get the number on the screen and a push notification on your phone. Match the number and you're in! A bit less elegant than an even more integrated login experience, but close enough! Use Intune or the registry to enable web sign-in, and keep in mind that an internet connection is required.
@Rajat Luthra Since this is available in OOBE, why on earth is it not a more integrated experience after OOBE is completed?
© Microsoft. This article was originally published by Microsoft Azure Active Directory Identity Blog. You can find the original article here.