Why go passwordless, and how do you get there?

Passwords have always been a major headache for people. Consultants have always said that password complexity matters, and there are plenty of pages that will check how secure your password is.

But even if your password would take 25 years to crack, it doesn't make any difference: people keep passwords under the keyboard and use the same password on every site they visit frequently, and that is what makes the difference.

Then you learn that some site you visit has had a breach, and you go to, for example, https://haveibeenpwned.com

You enter your email address or phone number and realize that the username and password you reuse across all your services for convenience have been compromised.

And when you get over it and your fingers stop shaking, you will have to go to all of those services and change the password, and maybe even the username if possible.

To end this drama there are a lot of passwordless solutions, or at least multi-factor authentication options, in various services: Google, PlayStation Network, LinkedIn etc.

It's better protection than using nothing, but the usage isn't really nice. You have to approve a prompt or type a one-time passcode into the services too often, and sometimes they just break; if you don't have backup codes or a correct disaster-recovery email or phone set, you will be locked out.

As a Microsoft solutions architect I will be covering the Microsoft side of this dilemma. Microsoft has made several options available for passwordless login, and I want to highlight them in this blog.

The solutions are FIDO2 and Microsoft Authenticator. Temporary Access Pass is also a nice feature for letting new users sign in and register their own credential, but it will not be covered in this article.

First on the list is FIDO2 (Fast IDentity Online) keys. With FIDO2, a user registers a USB dongle and then selects the FIDO2 security key at the sign-in interface as their main means of authentication. These FIDO2 security keys are typically USB devices, but they can also use Bluetooth or NFC. With a hardware device handling the authentication, the security of the account is increased, as there is no password that could be exposed or guessed.

Microsoft documents which browsers support FIDO2 security keys on the web: https://docs.microsoft.com/en-us/azure/active-directory/authentication/fido2-compatibility

In Azure AD you can enable the keys for target groups: for all users or for selected users.

In the Configure section:

Allow self-service set up should remain set to Yes. If it is set to No, your users will not be able to register a FIDO2 key through the My Security Info portal, even if the method is enabled by the Authentication Methods policy.

Enforce attestation set to Yes requires the FIDO2 security key's metadata to be published and verified with the FIDO Alliance Metadata Service, and also to pass Microsoft's additional set of validation testing.

Enforce key restrictions should be set to Yes only if your organization wants to allow or disallow specific FIDO2 security keys, which are identified by their AAGUIDs. You can work with your security key provider to determine the AAGUIDs of their devices. If a key is already registered, its AAGUID can also be found by viewing the authentication method details of the key for that user.

Security key Authenticator Attestation GUID (AAGUID)

The FIDO2 specification requires each security key provider to provide an Authenticator Attestation GUID (AAGUID) during attestation. An AAGUID is a 128-bit identifier indicating the key type, such as the make and model.
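As an added example (not from the original post or from Microsoft), the following Go program shows where the AAGUID sits in the WebAuthn authenticator data that a FIDO2 key returns at registration, and how a relying party can apply an allow or block list of AAGUIDs, which is what the Enforce key restrictions setting does for you in Azure AD. The authenticator data bytes, the AAGUID value, the credential ID and the policy are constructed sample values, and the parser only reads the fields up to the credential ID.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// WebAuthn authenticator data layout for a registration response (AT flag set):
//   rpIdHash    32 bytes
//   flags        1 byte   (0x01 user present, 0x04 user verified, 0x40 attested credential data)
//   signCount    4 bytes  big-endian
//   aaguid      16 bytes  (the identifier a key-restriction list matches on)
//   credIdLen    2 bytes  big-endian
//   credId       credIdLen bytes
//   credential public key (COSE/CBOR) follows; not parsed here
const (
	flagUserPresent  = 0x01
	flagUserVerified = 0x04
	flagAttestedCred = 0x40
	minAuthDataLen   = 32 + 1 + 4
)

// AAGUIDFromAuthData extracts the AAGUID and returns it in the 8-4-4-4-12 hex form
// shown in the authentication method details.
func AAGUIDFromAuthData(authData []byte) (string, error) {
	if len(authData) < minAuthDataLen {
		return "", errors.New("authenticator data too short")
	}
	if authData[32]&flagAttestedCred == 0 {
		return "", errors.New("no attested credential data: not a registration response")
	}
	rest := authData[minAuthDataLen:]
	if len(rest) < 16+2 {
		return "", errors.New("attested credential data truncated")
	}
	credIDLen := int(binary.BigEndian.Uint16(rest[16:18]))
	if len(rest) < 18+credIDLen {
		return "", errors.New("credential id truncated")
	}
	return FormatAAGUID(rest[:16]), nil
}

// FormatAAGUID renders 16 raw bytes as a lower-case UUID string.
func FormatAAGUID(b []byte) string {
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// KeyPolicy models "Enforce key restrictions": either only the listed AAGUIDs are
// allowed (Mode "allow") or the listed ones are refused (Mode "block").
type KeyPolicy struct {
	Mode    string
	AAGUIDs map[string]bool
}

// Permits reports whether a key with the given AAGUID may be registered under this policy.
func (p KeyPolicy) Permits(aaguid string) bool {
	if p.Mode == "allow" {
		return p.AAGUIDs[aaguid]
	}
	return !p.AAGUIDs[aaguid]
}

// SampleAuthData builds a registration-style authenticator data blob around an AAGUID.
// Everything in it is constructed sample data, not the output of a real key.
func SampleAuthData(aaguid [16]byte) []byte {
	buf := make([]byte, 0, 64)
	buf = append(buf, make([]byte, 32)...) // rpIdHash placeholder
	buf = append(buf, flagUserPresent|flagUserVerified|flagAttestedCred)
	counter := make([]byte, 4)
	binary.BigEndian.PutUint32(counter, 1) // signCount
	buf = append(buf, counter...)
	buf = append(buf, aaguid[:]...)
	credID := []byte{0xde, 0xad, 0xbe, 0xef} // constructed credential id
	credLen := make([]byte, 2)
	binary.BigEndian.PutUint16(credLen, uint16(len(credID)))
	buf = append(buf, credLen...)
	buf = append(buf, credID...)
	return buf
}

func main() {
	var id [16]byte
	for i := range id {
		id[i] = byte(i + 1) // constructed AAGUID 01020304-0506-0708-090a-0b0c0d0e0f10
	}
	aaguid, err := AAGUIDFromAuthData(SampleAuthData(id))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	policy := KeyPolicy{Mode: "allow", AAGUIDs: map[string]bool{aaguid: true}}
	fmt.Printf("registered key AAGUID %s, permitted: %v\n", aaguid, policy.Permits(aaguid))
	fmt.Println("unknown key permitted:", policy.Permits("00000000-0000-0000-0000-000000000000"))
}
```

The AAGUID is read from the attestation data rather than from anything the user types, which is why an allow list keyed on it can only be trusted in combination with attestation: without Enforce attestation, the value is just 16 bytes the authenticator claims about itself.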

The process with FIDO2 keys:

  1. The user plugs the FIDO2 security key into their computer.
  2. Windows detects the FIDO2 security key.
  3. Windows sends an authentication request.
  4. Azure AD sends back a nonce.
  5. The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave.
  6. The FIDO2 security key signs the nonce with the private key.
  7. The primary refresh token (PRT) request with the signed nonce is sent to Azure AD.
  8. Azure AD verifies the signed nonce using the FIDO2 public key.
  9. Azure AD returns a PRT to enable access to on-premises resources.

Sign in with a passwordless credential

In the example below a user has already provisioned their FIDO2 security key. The user can then sign in on the web with the FIDO2 security key in a supported browser on Windows 10 version 1903 or later.

Microsoft Authenticator

Note! First you have to enable combined security information registration: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined

You can also allow your employees' phones to become a passwordless authentication method. You may already be using the Microsoft Authenticator app as a convenient multi-factor authentication option in addition to a password. You can also use the Authenticator app as a passwordless option.

The options are the same as with FIDO2 keys, but the configuration is available under the three famous dots.



And here you can choose the authentication modes.

And the user experience after enabling passwordless

The flow for the authentication

And the process

  1. The user enters their username.
  2. Azure AD detects that the user has a strong credential and starts the Strong Credential flow.
  3. A notification is sent to the app via Apple Push Notification Service (APNS) on iOS devices, or via Firebase Cloud Messaging (FCM) on Android devices.
  4. The user receives the push notification and opens the app.
  5. The app calls Azure AD and receives a proof-of-presence challenge and nonce.
  6. The user completes the challenge by entering their biometric or PIN to unlock the private key.
  7. The nonce is signed with the private key and sent back to Azure AD.
  8. Azure AD performs public/private key validation and returns a token.
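Both flows above come down to the same challenge-response: the identity provider sends a nonce, the authenticator signs it with a private key that only the user's gesture unlocks, and the identity provider verifies the signature with the public key registered earlier. The Go program below is an added example, not code from this post or from Microsoft, that models this exchange for both the FIDO2 key flow and the Authenticator app flow using ECDSA P-256 (the ES256 algorithm WebAuthn uses). The Authenticator and IdentityProvider types and the user name are constructed for the example; the PRT, push notifications and the real WebAuthn message formats are left out. The nonce is consumed on first use, so a captured signed nonce cannot be presented a second time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the FIDO2 key or the Authenticator app. The private
// key never leaves it, and Sign only works after the user gesture (PIN or biometric).
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	unlocked bool
}

// NewAuthenticator generates a P-256 key pair for the credential.
func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: k}, nil
}

// PublicKey is the only part shared with the identity provider at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Gesture models the user unlocking (or failing to unlock) the private key.
func (a *Authenticator) Gesture(ok bool) { a.unlocked = ok }

// Sign signs the SHA-256 hash of the nonce, but only once the key is unlocked.
func (a *Authenticator) Sign(nonce []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("user gesture required before the private key can be used")
	}
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// IdentityProvider stands in for Azure AD: it stores only public keys, issues a fresh
// random nonce per attempt, and accepts each nonce exactly once.
type IdentityProvider struct {
	registered map[string]*ecdsa.PublicKey
	pending    map[string]bool // outstanding nonces, keyed by their raw bytes
}

func NewIdentityProvider() *IdentityProvider {
	return &IdentityProvider{
		registered: map[string]*ecdsa.PublicKey{},
		pending:    map[string]bool{},
	}
}

// Register records the public key for a user (the registration step before sign-in).
func (idp *IdentityProvider) Register(user string, pub *ecdsa.PublicKey) {
	idp.registered[user] = pub
}

// Challenge issues a 32-byte random nonce and remembers it as outstanding.
func (idp *IdentityProvider) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	idp.pending[string(nonce)] = true
	return nonce, nil
}

// Verify checks the signature over the nonce with the user's registered public key and
// consumes the nonce, so the same signed nonce cannot be turned into a second token.
func (idp *IdentityProvider) Verify(user string, nonce, sig []byte) bool {
	if !idp.pending[string(nonce)] {
		return false // unknown or already used nonce
	}
	delete(idp.pending, string(nonce))
	pub, ok := idp.registered[user]
	if !ok {
		return false
	}
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	idp := NewIdentityProvider()
	idp.Register("alice", auth.PublicKey()) // "alice" is a constructed user name

	nonce, _ := idp.Challenge()
	auth.Gesture(true)
	sig, _ := auth.Sign(nonce)
	fmt.Println("fresh nonce, valid signature accepted:", idp.Verify("alice", nonce, sig))
	fmt.Println("same signed nonce presented again:    ", idp.Verify("alice", nonce, sig))
}
```

Note what the identity provider never holds: there is no password and no private key on the server side, only public keys, so a breach of the provider's credential store gives an attacker nothing that can be replayed against a sign-in, and phishing a user for "their password" has nothing to collect.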

If you choose passwordless logins for your services, you don't have to worry about passwords inside those services that support it. If you integrate logins to apps through Azure AD app registrations, they will be a lot easier to use, and you will have a single pane to log in from and only one identity to log in with.

Stay tuned and safe!

Author: Harri Jaakkonen
