In this Ask the Admin, I’ll explain how Microsoft Passport will implement key-based authentication to make two-factor authentication easy without a Public Key Infrastructure (PKI), and where Virtual Secure Mode (VSM) fits in to protect against common attacks.
Previously dubbed Next Generation User Credentials, Microsoft Passport will debut in Windows 10, and in conjunction with a new security feature called Virtual Secure Mode, which protects credentials from Pass-the-Hash (PtH) attacks – a technique used by hackers to move laterally across networks by means of stolen credentials – aims to replace passwords by making two-factor authentication simpler to deploy.
Most of us are familiar with the concept of authenticating to a system using a combination of what we know and what we have, usually in the form of a smartcard, and PIN or password. But traditionally smartcards have been the preserve of large corporates, not least because of the extra hardware required, but also the need to maintain a PKI, which can be complex to say the least.
Microsoft Passport differs from currently available forms of two-factor authentication by utilizing a unique asymmetrical key pair that Windows 10 can generate itself, and store securely with the help of a hardware Trusted Platform Module (TPM). While there will be the option to use keys generated by a PKI, Passport’s key-based authentication option will significantly lower the barrier to adoption, and could prove to be more secure than PKI.
A passport’s public key can be stored in Azure Active Directory (AAD), and as such is supported for users with a Microsoft account, or in Windows Server 2016 Active Directory. Active Directory in existing versions of Windows Server will be updated this summer to support Microsoft Passport, but it’s not clear yet which domain and forest functional levels will be required. If you opt to use PKI, instead of the key-based authentication option, Active Directory won’t need to be modified to support Microsoft Passport.
Passport relies on a TPM to provide a properly secured solution, which Microsoft hopes will be part of every Windows PC sold in 2015, but devices without a hardware TPM will still be able to use Passport, although it won’t be as secure. Nevertheless, it’s likely to be a better option than using a password alone.
New in Windows 10, Virtual Secure Mode provides a secure execution environment where processes that were previously run in Windows, such as the Local Security Authority (LSA) and the code integrity service, are moved to Trustlets (processes) in an OS running in a separate hardware-based Hyper-V container, to which Windows has no access. There’s no GUI, and no network access to the container, and even if the Windows kernel is compromised, processes and data stored in the VSM container should remain safe.
Tokens and hashes (derived security credentials) are not released from the VSM, but are instead handed over to Windows in a new form that can’t be replayed on the PC. Additionally, NTLM hashes are decoupled from the logon secret, and randomized and managed to protect against brute force attack.
Microsoft Passport will allow you to use another device as a smartcard, such as a smartphone, which is an extension of the virtual smartcard feature already found in Windows 8. But Windows 10 will also include Windows Hello, a new feature which for the first time includes the middleware required to make fingerprint readers, iris scanners, and facial recognition hardware work without the need to install anything more than the driver for the device.
In the past, if for example you wanted to use a webcam for facial recognition, third-party software, usually provided by the hardware manufacturer, had to be installed to get the solution working. Not only did this require extra effort and management for enterprises, but also trust. Windows Hello bakes all the required software into the OS, and provides an integrated user experience for quick and natural logon without a password.
Microsoft Passport has been designed using FIDO (Fast IDentity Online) Alliance standards to easily integrate with other platforms and services. It’s also worth noting, that users will be able to have more than one passport, which can be used to sign into different services.
At the time of writing, Microsoft Passport is not supported in the current build of Windows 10, but as soon as the system goes live, check back at the Petri IT Knowledgebase for a technical how-to, so you can evaluate the solution quickly.