In my previous blog post, I highlighted the problem with Identity protection especially in our nowadays cloud and mobile environment. Protecting the identity is the main and first priority for security professionals. Dependence on passwords alone will not help. Moving to MFA is crucial because sometimes its the only protection available for your identity. In this post I am going to explain the new passwordless cloud authentication and how to enable Microsoft Azure Active directory passwordless option.

 

Why Passwordless Cloud Authentication?

According to Verizon data breach report more than 80% of breaches involves credential theft. This again emphasize the importance of our identity protection and using techniques as MFA. However this comes with a cost which is inconvenience to users. Recent surveys done by Microsoft shows that although MFA provides a high security option its still Inconvenient for users for two reasons. First, users still need to remember their organization complex long passwords. Secondly, having another device as their mobile for the second authentication factor.  

 

Passworless Cloud Authentication Convenience vs Security

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless

 

The main risk of using passwords all over the place is the reusability. According to Telesign consumer account security report more than 70% of passwords are duplicates. Humans tend to forget and its easy to memorize one complex password and use it everywhere. Now we understand what is the problem. If one is down all passwords and their corresponding systems are down.

Passwordless cloud authentication can help solving this issue. First, its secure by nature and secondly its simple in use as no user will need to remember his password. Also MFA can be applied by using a PIN with your passwordless device.  I am implementing it using Azure AD. Azure Active directory passwordless implementation is in preview now and Microsoft made it available even for the free Azure AD subscription.

 

Microsoft Azure Active Directory Passwordless options?

Microsoft is offering three different alternatives when it comes to passwordless cloud authentication.

Windows Hello For Business

This option supports Cloud, Hybrid or On-premise AD deployments. It requires the user having his own designated and registered device in AD. It is based on something you have as the device/computer designated for the user plus something you are as your Biometrics. The latest Windows 10 devices from Microsoft as Surface Laptop or Surface pro comes with a camera supporintg Windows Hello. This is how MFA is impleemted without using a password.

But how is this helping with password issue. Traditionally with password authentication, whatever you type during login is also stored on the Azure AD or On-premise Active Directory (Symmetric approach – Password). If hacker got your password he can use it anywhere and if you are re-using it he can even access other services.

On the other side, passwordless use Asymmetric approach (Public/Private keys). The public key sits in your Azure Active directory while the private key is on your device/Laptop TPM. Its a secure chip on your device that stores encryption keys. When you use your biometrics (something you are) as the facial recognition or finger print, you are unlocking the TPM to get the key and sign it. Finally the AD/Directory service will send you authentication token for the session. This happens without sharing anything with your Active directory. This also provides another benefit which is seamless authentication for any other service after your login.

 

Microsoft Authenticator Application

Most of us are aware of the Microsoft authenticator app that can be installed on IOS and Android devices. Its mainly used as second factor authentication in your MFA policy to get codes for different accounts. Its not only for Microsoft but rather for any MFA supported account (google, amazon…..etc.). That’s mainly because its supports the industry time standard one time password (OTP).

However the Authenticator app supports passwordless cloud authentication and is integrated with Azure Active directory passwordless policy. This is implemented by matching a number appearing on your login screen with the same number on your authenticator app.

 

Azure Active directory Passwordless Microsoft Authenticator

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone

 

FIDO2 Security devices/Keys

FIDO stands for Fast Identity online. FIDO2 is the latest open standard supporting passwordless Cloud authentication, avaialble in both mobile and desktop environments. FIDO2 specification is based on two main components:

  1. Web Authentication: Its a new web standard supported by Windows 10 and most of the latest browsers as Edge, Chrome and Safari. Basically, it allows online/cloud services to use the FIDO authentication using common web API built in different Web Platforms.
  2. Client to Authentication Protocol (CTAP): This protocol enables the FIDO security keys and USB devices to work with browsers supporting the Web Authentication standard.

 

In the next section, I am going to enable Azure Active Directory Passwordless authentication using FIDO2 Security key. I am using Yubico 5 NFC key.

 

YubiKey Passwordless Cloud authentication

https://www.yubico.com/product/yubikey-5-nfc/

 

Enabling Azure Active Directory Passwordless FIDO2 Authentication

Microsoft implementation of the passwordless cloud authentication is still in preview. The Web Authentication discussed earlier requires Windows 10 1809 or higher (1903 version is preferred) and a supported browser. For Windows 1809 it requires installing some additional software. While the 1903 version requires not additional software.

Setting FIDO2 Authentication Key

The first step is going to the Azure Portal. Check Azure Active directory and Security settings.

 

Azure Active Directory passwordless Security

 

Next is the authentication methods. As mentioned its in previwe and you get the option for FIDO2 Security key and Authenticator App. For the sake of this article we are intrested in the passwordless cloud authentication using FIDO2 Security key.

 

Azure Active directory passwordless authentication methods

 

In order to enable the FIDO2 security key you have to make few choices and settings.

FIDO2 Setup settings

  • Enable: Enable the FIDO2 passwordless option
  • Target: Do you need to enable it for all your users or during testing/preview you would like to target one user or maybe one group. In this case I am targetting my account only. Please note the registration is optional. This means the user need to do the registration of the device and it cannot be changed. So Admins cannot set everything for the users (maybe changed in future) and then give them the keys. For now users need to do the setup.
  • Allow Self Service Setup: Need to choose “Yes” for the user to register and setup the key.
  • Enforce Attestation: These security keys has certificates. Enforcing attestation means allowing checking these certificates to confirm its legitimate Yubikey device.
  • Enforce Key restrictions: I am turning it off since I am testing the solution but you can enforce restrictions as using only this key (Yubico) for example and no other vendor.

 

Azure Active directory Passwordless FIDO2 options

 

Next you need to click save. Finally one last setting is shown on the top which is enabling the new registration enhanced features (In preview) for all users or selected users. The other setting regarding My Apps is not related to Passwordless Cloud Authentication and thats why its not enabled. Make sure to Save all settings.

 

Passwordless Cloud Authentication Enahnced features

Enabling Passwordless Cloud authentication features for all users.

 

Configuring User Profile for Passwordless Cloud Authentication

After configuring the FIDO2 security key settings on your tenant, we need to update the user profile. I am checking the user profile and Security Info.

 

Azure Active Directory profile

 

Next step, I am adding a new Authentication method. Please note that without enabling the enhanced features in the previous step you will not get this option.

 

Adding new passwordless Cloud authentication method

 

Next I will add my new Security key to the avaialble authentication methods of my account. I am using NFC key which means it can work with my NFC reader if any, otherwise I am sticking it in the USB.

 

Adding Passwordless Security key method

 

Adding Passwordless NFC device

 

After that you are asked to plugin your key, touch the Yubico circle on the key (check above image of the key used) for Authentication (Passwordless Cloud authentication). All you need for login is to touch the key. If its single sign-on factor then nothing else is needed

 

Setup new FIDO2 Key

 

Since I am enabling MFA for my accounts then second authentication factor is needed which is the PIN.

 

Passwordless Cloud Authnetication PIN second factor MFA

 

Finally to complete the registration, you need to touch it once for signing. Setup is completed and all you have to do is to name your Security key.

 

Passwordless Cloud Authentication using touch

Give your new FIDO2 Key a name

 

Conclusion

Passwordless cloud authentication looks very promising because it maintain a high security protection for your identity with enhanced user experience. The main problem with security was always the user handling and processing. Security is enhanced because there is nothing to phish, share or re-use. So most of the spear phishing, social engineering, brute force attcaks and others fail with this method. On the other side the user experice is enahnced by logging securely without remembering the long complex passwords. The security of the passwordless cloud authentication relies on verifying the identity of the user without a password.

 

Microsoft Azure Active directory Passwordless is available in preview even for the free Active directory option (don’t need to have the paid ones). I am highly recommending you to give it a try. If you don’t have a security FIDO2 key then you can easily go with the Authenticator option on your mobile phone.

 

Hopefully this has been informative.