Nobody likes passwords. They are inconvenient, insecure, and expensive. In fact, we dislike them so much that we’ve been busy at work trying to create a world without them – a world without passwords.
In this blog, we will provide a brief insight into how we at Microsoft think about solving this problem, along with details on solutions that you can try out today.
Passwordless
When we think about creating a world without passwords, we want to deliver on two key promises:
- User promise: End-users should never have to deal with passwords in their day-to-day lives.
- Security promise: User credentials cannot be cracked, breached, or phished.
At its core, our fundamental philosophy is simple: devalue the password, and replace it with something that eradicates its use for the end user and drains its value for an attacker.
Passwords have been a big part of our digital lives. To fully get rid of them, not only do we need to address all that is bad with them, we also need to acknowledge all that is good; they are familiar, portable, and can be used almost everywhere.
Figure 1. Passwords – Pros vs cons
So how are we going about it? Well, we break this up into discrete buckets:
Figure 2: Passwordless strategy
- Develop password-replacement offerings, i.e., replace passwords with a new set of alternatives that address the shortcomings of passwords while embracing their positive attributes.
- Reduce user visible password-surface area, i.e., upgrade all experiences related to the entire life-cycle of a user’s identity (including provisioning of an account, setting up a brand-new device, using the account/device to access apps and websites, recovery, etc.) and ensure these work with password-replacements (#1).
- Simulate a passwordless world, i.e., enable end users and IT admins to simulate and transition into a passwordless world with confidence.
- Eliminate passwords from the identity directory, i.e., the final frontier – delete passwords from the identity directory.
Here’s a quick overview of some of the solutions that you can try out today and how they map to the strategy above.
Password-replacement offerings
Windows Hello
Here’s a video that provides a quick overview of Windows Hello, how it is more secure than passwords, and some of newest enhancements.
Windows Hello is being used by over 47 million users worldwide. More than 5,000 businesses have deployed Windows Hello for Business, with adoption on over one million commercial devices.
For more details, refer to www.aka.ms/whfb.
Windows Hello is an excellent replacement for passwords on personal PCs. That said, we acknowledge that there are many scenarios that involve shared PCs used by transient users and that provisioning Windows Hello is not ideal. To that end, we are working hard on lighting up a series of portable credentials that are more suitable for such shared PC scenarios.
Microsoft Authenticator app
The Microsoft Authenticator app enables users to authenticate to their Microsoft account using their mobile phone. It is built on similar secure technology that Windows Hello uses, and packages it into a simple app on your mobile device.
To download the app and learn more, go to Microsoft Authenticator.
Windows Hello and our mobile Authenticator app are both great alternatives to passwords. But to create a world without passwords, we need an interoperable solution that works across all industry platforms and browsers.
Windows Hello and FIDO2 security keys
Microsoft has been aligned with the Fast Identity Online (FIDO) working group from the start. The alliance represents 250 organizations from various industries on a joint mission to replace passwords with an easy-to-use strong credential. With the recent ratification of FIDO2 security keys by the FIDO working group, we’re updating Windows Hello to enable secure authentication for many new scenarios.
What’s new in the Windows 10 April 2018 Update?
Among many new and exciting features in the Windows 10 April 2018 Update, we set out with the goal to deliver an end-to-end product experience that’s passwordless ready. With Windows 10 in S mode, we are enabling our cloud users (Microsoft Account or Azure Active Directory) to be able to go through the entire life-cycle of using their Windows 10 PC with S mode enabled without ever having to enter their passwords. That’s right. Here’s how you can try it out.
Windows 10 in S mode – Passwordless!
- Set up your Authenticator App
- Install the Microsoft Authenticator app on your mobile device.
- Set it up with your Microsoft Account and/or Azure Active Directory (Azure AD) account
Note: Upgrade your default way of authenticating from using password to the Microsoft Authenticator app by clicking the “Use the Microsoft Authenticator app instead” on the login page.
Figure 3: Select Microsoft Authenticator as default sign-in option
- Set up your Windows 10 PC with S mode enabled
- Install the Windows 10 April 2018 Update with S mode enabled
- Proceed through OOBE and set up your account
- Use the Microsoft Authenticator app to sign-in to your account. No passwords required!
Note: If you are prompted for a password on this screen, click the “Use the Microsoft Authenticator app instead” link.
Figure 4: Windows 10 S OOBE with Microsoft Authenticator app
- Set up Windows Hello
Figure 5: Windows Hello provisioning
- That’s it! Your Windows10 in S mode PC is passwordless! Just use your device like you normally do.
- Access/SSO to your apps and websites will continue to work. No passwords required!
Figure 6: Access apps and websites seamlessly
-
- You will notice that you’ll be required to use Windows Hello (PIN, Face, Fingerprint) for sign-in/unlocking your PC. No passwords!
Figure 7: No passwords under Sign in options for Windows
-
- The password credential provider will no longer enumerate for Windows scenarios.
To review, you will be able to set up a brand-new device, provision Windows Hello, log in, lock/unlock, use your favorite apps and websites without ever having to enter a password!
But wait, there’s more!
Security Keys for Windows Hello (Private preview for Azure AD-joined shared PCs)
FIDO2 Security keys allow you to carry your credential with you and safely authenticate to an Azure AD-joined Windows 10 shared PC that’s part of your organization. A user can walk up to any device belonging to the organization and authenticate in a secure way – no need to enter a username and password or set-up Windows Hello beforehand.
See how it works in this video:
The Windows Hello FIDO2 Security Key feature is now in limited preview. Please let us know if you would like to be added to the waitlist.
While we still have a way to go before we can claim victory, with the incredible lineup of products and features in our portfolio along with those in the works, we are confident that we will get there soon. Please send us your comments, questions, and feedback at pwdlessQA@microsoft.com.
Yogesh Mehta
Principal Group Program Manager, Enterprise & Security