Passwords. We all need them, we all forget them. But is a day coming when we can forget them forever?
For years, passwords have been the baseline cyber security requirement.
Everyone needs them, and they must be secure, strong and changed every 30 days, or secure, long and never changed, depending on who you talk to.
It seems like the rules for passwords change every month, but ultimately, whichever belief you subscribe to, passwords are vulnerable and therefore prized by attackers.
It’s no surprise then that we’ve seen an increased movement toward passwordless authentication, particularly from Microsoft.
Passwords have been used as a method of gaining access to data since the early 1960s. They really came to the forefront in 1974 when they were added to Unix-based systems to identify specific users.
In the 45 years since then passwords have become:
The only thing that is consistent is that the password has got longer (and longer, and longer).
As passwords get longer and the time between password changes shrinks, users fall back on passwords that are easier to remember.
All of this is old news of course, we have known the issues with passwords for years. The NCSC and NIST now recommend that a password policy should:
Mobile phones have moved away from using a password (or PIN) for access. Apple introduced TouchID with the iPhone 5S back in 2013, and some PCs have had fingerprint readers for even longer.
One of the problems with this is that the authentication is actually performed against the device rather than against an authentication service. This means that the passwordless authentication is not consistent: if a user gets a new device, they have to re-register their identity against that device using their ID and password (sometimes with a second factor of authentication).
But lately, we’ve seen a number of changes come together that could enable a passwordless experience.
Different forms of authentication have been in place for many years: smart-cards, certificates, biometrics and so on, but they all have their own shortcomings. With a smart-card or biometrics, for example, the device that is handling the authentication must be equipped with the right type of reader.
More recently, Microsoft have brought out Windows Hello, which allows a user to authenticate to a device using their face. Other manufacturers offer similar facial recognition for their devices or use fingerprints to prove identity.
Ideally, we need a method that can work across an environment without requiring any additional hardware on each device. We should always ensure that there is a Trusted Platform Module (TPM).
In some ways, the Microsoft Authenticator app can be used to prove identity without a user needing a password. Within a browser, as a user signs in to a web service, they are asked for their ID and are then prompted to select a matching number from the authenticator app.
Once this check has been passed, the user is allowed into the service.
However, this is still not an ideal solution.
You may have seen that there has been a lot of noise lately around something called FIDO2.
FIDO2 is the overarching term for a new set of specifications. It enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.
These specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).
This means that a user who has a FIDO2-compliant authenticator can access web services without needing to re-authenticate.
On 10 July 2019, Microsoft announced support for FIDO2 authentication to Azure AD (public preview). This includes authentication to Windows 10 through the use of Windows Hello for Business.
When configured on a Windows 10 workstation the option to use a FIDO2 key is visible on the login screen.
Once the workstation has been configured and is ready for use, the user can then configure their specific key directly.
The configuration is done through the security information page in the user’s profile.
There are two basic types of FIDO2 key. One uses a PIN for identification while the other uses biometrics.
A user can now authenticate to Windows 10 (minimum version of 1809) directly using the FIDO2 key, and from there access any services directly through Windows 10.
With this in place, a passwordless future is no longer that far away. The use of Windows Hello for Business to support different authentication types, including the removal of the password requirement, will allow for that future to arrive much sooner.
Watch this short video to see a demonstration of a FIDO2 login.
There are, however, some current limitations within the preview:
Even with these limitations, the use of FIDO2 to provide authentication is something that should be evaluated now.
We all want a world where users can authenticate safely and easily.
If we can remove the password while keeping the security at its current level (or pushing it higher) then this is something that we should be adopting as soon as possible.
Next, watch our multi-factor authentication and conditional access webinar on-demand to see what other technologies you should be taking advantage of to prevent compromised credentials.