In my previous blog post, I highlighted the problem with Identity protection especially in our nowadays cloud and mobile environment. Protecting the identity is the main and first priority for security professionals. Dependence on passwords alone will not help. Moving to MFA is crucial because sometimes its the only protection available for your identity. In this post I am going to explain the new passwordless cloud authentication and how to enable Microsoft Azure Active directory passwordless option.
Why Passwordless Cloud Authentication?
According to Verizon data breach report more than 80% of breaches involves credential theft. This again emphasize the importance of our identity protection and using techniques as MFA. However this comes with a cost which is inconvenience to users. Recent surveys done by Microsoft shows that although MFA provides a high security option its still Inconvenient for users for two reasons. First, users still need to remember their organization complex long passwords. Secondly, having another device as their mobile for the second authentication factor.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless
The main risk of using passwords all over the place is the reusability. According to Telesign consumer account security report more than 70% of passwords are duplicates. Humans tend to forget and its easy to memorize one complex password and use it everywhere. Now we understand what is the problem. If one is down all passwords and their corresponding systems are down.
Passwordless cloud authentication can help solving this issue. First, its secure by nature and secondly its simple in use as no user will need to remember his password. Also MFA can be applied by using a PIN with your passwordless device. I am implementing it using Azure AD. Azure Active directory passwordless implementation is in preview now and Microsoft made it available even for the free Azure AD subscription.
Microsoft Azure Active Directory Passwordless options?
Microsoft is offering three different alternatives when it comes to passwordless cloud authentication.
Windows Hello For Business
This option supports Cloud, Hybrid or On-premise AD deployments. It requires the user having his own designated and registered device in AD. It is based on something you have as the device/computer designated for the user plus something you are as your Biometrics. The latest Windows 10 devices from Microsoft as Surface Laptop or Surface pro comes with a camera supporintg Windows Hello. This is how MFA is impleemted without using a password.
But how is this helping with password issue. Traditionally with password authentication, whatever you type during login is also stored on the Azure AD or On-premise Active Directory (Symmetric approach – Password). If hacker got your password he can use it anywhere and if you are re-using it he can even access other services.
On the other side, passwordless use Asymmetric approach (Public/Private keys). The public key sits in your Azure Active directory while the private key is on your device/Laptop TPM. Its a secure chip on your device that stores encryption keys. When you use your biometrics (something you are) as the facial recognition or finger print, you are unlocking the TPM to get the key and sign it. Finally the AD/Directory service will send you authentication token for the session. This happens without sharing anything with your Active directory. This also provides another benefit which is seamless authentication for any other service after your login.
Microsoft Authenticator Application
Most of us are aware of the Microsoft authenticator app that can be installed on IOS and Android devices. Its mainly used as second factor authentication in your MFA policy to get codes for different accounts. Its not only for Microsoft but rather for any MFA supported account (google, amazon…..etc.). That’s mainly because its supports the industry time standard one time password (OTP).
However the Authenticator app supports passwordless cloud authentication and is integrated with Azure Active directory passwordless policy. This is implemented by matching a number appearing on your login screen with the same number on your authenticator app.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone
FIDO2 Security devices/Keys
FIDO stands for Fast Identity online. FIDO2 is the latest open standard supporting passwordless Cloud authentication, avaialble in both mobile and desktop environments. FIDO2 specification is based on two main components:
- Web Authentication: Its a new web standard supported by Windows 10 and most of the latest browsers as Edge, Chrome and Safari. Basically, it allows online/cloud services to use the FIDO authentication using common web API built in different Web Platforms.
- Client to Authentication Protocol (CTAP): This protocol enables the FIDO security keys and USB devices to work with browsers supporting the Web Authentication standard.
In the next section, I am going to enable Azure Active Directory Passwordless authentication using FIDO2 Security key. I am using Yubico 5 NFC key.
https://www.yubico.com/product/yubikey-5-nfc/
Enabling Azure Active Directory Passwordless FIDO2 Authentication
Microsoft implementation of the passwordless cloud authentication is still in preview. The Web Authentication discussed earlier requires Windows 10 1809 or higher (1903 version is preferred) and a supported browser. For Windows 1809 it requires installing some additional software. While the 1903 version requires not additional software.
Setting FIDO2 Authentication Key
The first step is going to the Azure Portal. Check Azure Active directory and Security settings.
Next is the authentication methods. As mentioned its in previwe and you get the option for FIDO2 Security key and Authenticator App. For the sake of this article we are intrested in the passwordless cloud authentication using FIDO2 Security key.
In order to enable the FIDO2 security key you have to make few choices and settings.
FIDO2 Setup settings
- Enable: Enable the FIDO2 passwordless option
- Target: Do you need to enable it for all your users or during testing/preview you would like to target one user or maybe one group. In this case I am targetting my account only. Please note the registration is optional. This means the user need to do the registration of the device and it cannot be changed. So Admins cannot set everything for the users (maybe changed in future) and then give them the keys. For now users need to do the setup.
- Allow Self Service Setup: Need to choose “Yes” for the user to register and setup the key.
- Enforce Attestation: These security keys has certificates. Enforcing attestation means allowing checking these certificates to confirm its legitimate Yubikey device.
- Enforce Key restrictions: I am turning it off since I am testing the solution but you can enforce restrictions as using only this key (Yubico) for example and no other vendor.
Next you need to click save. Finally one last setting is shown on the top which is enabling the new registration enhanced features (In preview) for all users or selected users. The other setting regarding My Apps is not related to Passwordless Cloud Authentication and thats why its not enabled. Make sure to Save all settings.
Configuring User Profile for Passwordless Cloud Authentication
After configuring the FIDO2 security key settings on your tenant, we need to update the user profile. I am checking the user profile and Security Info.
Next step, I am adding a new Authentication method. Please note that without enabling the enhanced features in the previous step you will not get this option.
Next I will add my new Security key to the avaialble authentication methods of my account. I am using NFC key which means it can work with my NFC reader if any, otherwise I am sticking it in the USB.
After that you are asked to plugin your key, touch the Yubico circle on the key (check above image of the key used) for Authentication (Passwordless Cloud authentication). All you need for login is to touch the key. If its single sign-on factor then nothing else is needed
Since I am enabling MFA for my accounts then second authentication factor is needed which is the PIN.
Finally to complete the registration, you need to touch it once for signing. Setup is completed and all you have to do is to name your Security key.
Conclusion
Passwordless cloud authentication looks very promising because it maintain a high security protection for your identity with enhanced user experience. The main problem with security was always the user handling and processing. Security is enhanced because there is nothing to phish, share or re-use. So most of the spear phishing, social engineering, brute force attcaks and others fail with this method. On the other side the user experice is enahnced by logging securely without remembering the long complex passwords. The security of the passwordless cloud authentication relies on verifying the identity of the user without a password.
Microsoft Azure Active directory Passwordless is available in preview even for the free Active directory option (don’t need to have the paid ones). I am highly recommending you to give it a try. If you don’t have a security FIDO2 key then you can easily go with the Authenticator option on your mobile phone.
Hopefully this has been informative.
