Windows Server to Add FIDO2 Security Key Support for Password-Less Sign-In
The latest Insider preview of Windows Server, build 18945, was released on July 30th and it includes FIDO2 security key support for password-less logons in hybrid Azure Active Directory (AAD) and Windows Server Active Directory (AD) deployments.
In July, Microsoft expanded password-less sign-in for Azure Active Directory (AAD) to include FIDO2 security keys. Password-less sign-in for AAD has been available in public preview since fall 2018, allowing users to sign in with the Microsoft Authenticator app. But organizations can now start testing password-less sign-in using the same authentication factors supported by Microsoft Accounts (MSA), i.e. Windows Hello, FIDO2-based security keys, and the Microsoft Authenticator app.
Currently, FIDO2 support is limited to cloud-only environments; FIDO security keys can’t be used in hybrid AAD/Windows Server Active Directory (AD) deployments. Microsoft is planning to add that support, and it will go mainstream in the next full version of Windows Server or, for those that need it sooner, in the next official Semi-Annual Channel (SAC) release. Microsoft’s Windows Blog reads:
We’re adding the capability for modern passwordless credentials, such as FIDO2 security keys, to authenticate and provide seamless Single Sign-On (SSO) to on-premises environments. Addition of this new capability will extend this feature to hybrid environments.
At the moment there is no information about how this feature works, or whether organizations will need to do anything to configure it to support on-premises environments in hybrid cloud deployments. Furthermore, the blog suggests that Windows Server will get support for password-less logons in general when part of a hybrid cloud deployment, not just FIDO2 security key sign-in.
A Compelling Reason to Upgrade to Windows Server vNext?
Windows Server 2019 doesn’t offer small businesses much over its predecessor. And for medium and large organizations, most of the new features are cloud-oriented, with a few exceptions like System Insights, cross-domain cluster migration, and the Storage Migration Service. But this development could provide a compelling reason to upgrade to the next version of Windows Server if the password-less revolution Microsoft is trying to kickstart takes off.
Another Step to a Password-Less Future
Passwords are inherently weak for many reasons. Multifactor authentication (MFA), where users must provide not only their password but an additional factor like a biometric gesture, is significantly more secure than passwords alone. But MFA can be expensive and difficult to implement. It also requires users to have an authenticator app or security key in addition to a password. For those reasons, MFA is only commonly found in large corporations that have the resources to manage it.
Microsoft believes that the solution lies in password-less sign-in. Windows Hello achieved FIDO2 certification in the Windows 10 May 2019 Update, offering a password-less solution that complies with an internationally accepted standard. And while passwords are not going to disappear overnight, I expect that password-less sign-in will eventually become the norm, because something must be done to improve security as the threat landscape becomes increasingly hostile and breaches hit the headlines almost daily.
For more information on password-less sign-in for Azure Active Directory, see Enabling Password-Less Sign-In for Azure Active Directory on Petri.