Understanding Windows 10 and Microsoft 365 Passwordless Sign-In
Passwords are a pain and they are also a security risk. Microsoft has been trying to persuade IT, professionals and consumers, to do away with passwords in recent years. Social engineering techniques, like phishing and malware, make passwords vulnerable. Around 80 percent of successful attacks originate from compromised passwords.
Users also make passwords less secure by choosing passwords that are easy to guess and that can be hacked in dictionary attacks. Moreover, it’s common that people use the same password across multiple devices and services, increasing the damage if a password compromised. Multifactor authentication (MFA) helps protect passwords but it has a low adoption rate.
What is passwordless sign-in?
Microsoft’s answer to these security problems is passwordless authentication. With passwordless sign-in, passwords are replaced by something you have, like a security key, plus something you are or know. Something you are might be a biometric gesture like a fingerprint. Something you know might be a PIN.
If you read through Microsoft’s documentation on passwordless sign-in, it refers mainly to Azure Active Directory (Azure AD). Azure AD is the identity management platform used by Microsoft 365, Office 365, and of course Azure. To add to the complexity, Microsoft supports three different passwordless technologies in Azure AD and Windows 10:
- Windows Hello for Business
- Microsoft Authenticator app
- FIDO2 security keys
Designed for users that have a designated Windows 10 device, Windows Hello uses the PC itself as the ‘something you have’. Windows Hello can be used to sign in to Windows 10 and it also provides single sign-on (SSO) to services like Microsoft 365.
For devices that don’t have a built-in biometric device, like a fingerprint scanner, a PIN can be used. While PINs might not seem to offer an advantage over passwords, unlike passwords, Windows Hello PINs can only be used on the device where they are registered.
If you log in to Windows 10 using a Microsoft account and have Windows Hello set up, you can access Microsoft services, like Outlook.com, in supported browsers using Windows Hello.
You will be required to enter a PIN or use a biometric gesture to complete the sign-in.
Work or school accounts (Microsoft 365)
To use Windows Hello for Business with Microsoft 365, you must first sign in to Windows 10 using Windows Hello with your work or school account. To log in to Windows 10 from the lock screen using a work or school account, the device must be Azure AD joined. Once logged in, single sign-on works with Microsoft 365, so there’s no need to enter a password or confirm your identity again using a PIN or biometric gesture.
For more information on joining Windows 10 to an Azure Active Directory domain, see Join Windows 10 to Azure Active Directory During OOBE on Petri. It is also possible to join, or connect in Microsoft’s terminology, a Windows 10 device to Azure AD in the Settings app.
Microsoft Authenticator app
Users with accounts registered for MFA will likely be familiar with the Microsoft Authenticator app or similar solutions like Google Authenticator. But the Microsoft Authenticator app can also be used for passwordless authentication in Microsoft 365.
Unlike Windows Hello, the Microsoft Authenticator app is a good solution for passwordless sign-in where users share PCs. The app runs on iOS 8.0 or later, and Android 6.0 or later. Microsoft Authenticator app passwordless authentication isn’t enabled in Azure AD by default.
If Microsoft Authenticator app passwordless is setup, after entering a username to log in to Microsoft 365, the user gets a message displaying a number that they must tap in the Authenticator app on their mobile device. To complete sign-in, the user must click Approve and provide a PIN or biometric gesture.
Before evaluating the Microsoft Authenticator app as a passwordless sign-in solution, your Azure AD tenant must have Azure MFA with push notifications enabled as a verification method. Azure AD MFA requires a premium Azure AD subscription.
FIDO2 security keys
If users that share PCs don’t want to or can’t use their mobile phones with the Microsoft Authenticator app, security keys are a hardware alternative. Security keys usually come in the form of small USB devices and they provide stronger security than software passwordless solutions like the Microsoft Authenticator app. Keys from manufacturers such as Yubico and Feitian are FIDO2 compatible and work with Azure AD, so allow passwordless sign-in to Microsoft 365.
Some security keys also support NFC so that they can be used with mobile devices. And a few can be used with Windows Hello. But using a security key with Windows Hello usually requires extra software to be installed on the Windows 10 device.
To sign in to a service like Microsoft 365 using a security key, the key must be plugged into a USB port on the Windows 10 device. Alternatively, if the key supports NFC, an NFC reader can be used. There is usually a touchpad or sensor on the device that the user must tap to complete a passwordless sign-in. Some keys replace the sensor with a fingerprint reader to further improve security.
Before you can use a FIDO2 security key to sign in to Microsoft 365, FIDO2 security key sign-in must be enabled in Azure AD. FIDO2 Microsoft-compliant security keys are supported for passwordless login in the Windows 10 May 2019 Update and later. A supported browser is required, like Microsoft Edge. Users can register compatible security keys without any help from IT.
Support for hybrid Azure AD-joined devices
The Windows 10 May 2020 Update (version 2004) supports signing in using FIDO2 security keys to devices that are hybrid joined to Azure AD. Hybrid-joined devices are joined to a Windows Server Active Directory (AD) domain and registered, not joined, to Azure AD. Using security keys with AD requires making some changes to extend AD’s Kerberos realm to Azure Active Directory.
In the rest of this series, I will look at each of the three passwordless sign-in options in more detail, starting with Windows Hello.