Coming soon to an Azure AD/Microsoft 365 subscription near you: Life without passwords?!

Back to Blog
26Nov2018

Coming soon to an Azure AD/Microsoft 365 subscription near you: Life without passwords?!

I previously commented when Microsoft released new password guidance, which is backed by their own research as well as that of NIST. A quick recap of that:

  • Require passwords have at least 8 characters. Longer isn’t necessarily better, as they cause users to choose predictable passwords, save passwords in files, or write them down.
  • Disable character-composition requirements, as they cause users to choose predictable character substitutions in passwords.
  • Disable expiration rules, which drive users to easily guessed passwords such as Winter2018!
  • Prevent users from choosing commonly attacked passwords
  • Educate users not to re-use their work password elsewhere
  • Enforce registration for multi-factor authentication
  • Enforce risk-based MFA challenges

Pretty interesting advice all around, since it flies in the face of what we’ve been preaching and doing for years. As a supplemental note here, Microsoft has also published an article on how you can take specific steps to better secure your identity infrastructure, which follows the advice above as well as the Identity Secure Score assessment card. The Secure Score system, for those who don’t know, is an automated assessment that encourages you to enable better security controls within your Microsoft 365 / Azure AD tenant (and of course, to purchase more security add-on subscriptions).

But much of this advice could be flipped upside down with the ability to implement a password-less sign-in to Azure AD.

Microsoft also recently announced that for Microsoft accounts (not Work or School accounts in Azure AD, but “consumer” Microsoft accounts), we now have the ability to replace our passwords with Windows Hello, or with a FIDO2-compatible security key. In either case, the password prompt is never really required, and you get two-factor authentication in one single step.

With Hello, for instance, you can unlock a device using a local PIN or biometric, or some other local gesture. That secret never leaves the device, but passing that step verifies that the person in possession of the device is legit. The authentication to Microsoft’s servers in the cloud is then handled by the device itself using a public/private key pair–so when you unlock a device with your local gesture, the device signs on your behalf using the private key (which is stored on the hardware-based TPM, or in a software-based TPM).

Technically speaking Microsoft has been marketing this technology as “two-in-one-factor” (local gesture or biometric + private key stored on the hardware). But yubico, who partnered with giants Google and Microsoft in the development of FIDO2 standards, still calls this implementation–password-less–a single-factor. The debate here starts to get into some strange philosophical distinctions, but either way this form of authentication is considered much stronger than traditional passwords.

Password-less sign-in For Azure AD

We don’t have this same FIDO2-based capability yet with Azure AD accounts, but we are promised it is coming soon. However, you can already enable a “no passwords” experience for your users, and it all happens via the Microsoft Authenticator app. It works like this:

  1. Enable your tenant for the feature using PowerShell;
  2. Enable MFA for your users;
  3. Make them register for MFA using the Microsoft Authenticator app (pairing the mobile phone app with their account);
  4. When they sign-in to an Azure AD, instead of a password prompt, they are prompted to open the Authenticator app, and match the number that is displayed.

Example of a browser sign-in asking for user to approve the sign-in attempt in their Microsoft Authenticator app

This mechanism is only in preview, and again, it does require using the Microsoft Authenticator app (latest version on iOS 8+ or Android 6+); but it is nevertheless another possible avenue for eliminating passwords. The FIDO2 thing is a pretty big deal, too, since it embraces a standards-based set of devices and protocols, in addition to what has been offered in the past. I get a surprising number of requests, especially from financial services companies, for hardware-based* MFA (rather than using the app or an SMS text). So I look forward to seeing that implemented also for Azure AD (sometime in Spring 2019, they say in their announcement).

Reflections

To be clear, I have not implemented this yet. I am curious to see how it plays with various apps. I gather from reading that it may not work everywhere yet, and that there are other caveats to it. I notice also in the screenshot above that the password is still a fall-back option, meaning that you may still need to rely on it under certain circumstances (unless there is a way to enforce the no-password experience only?).

From where we stand today and looking forward, it would seem that this no-password thing sort of removes the need for “password guidance.” For instance, if you were to enforce a FIDO2-type of experience (remove the option to use a password in general), what good is a risk-based MFA challenge now? If a rogue actor tries to sign-in from China or some other foreign place, they are already going to be presented with this password-less experience–the “weak” or compromised password does not matter in this case. And why would a user ever need to self-service reset their own password at this point?

I have had this debate with others in the past, especially in regards to Conditional access and MFA–why wouldn’t you just require MFA in all cases, versus so-called “high risk” cases only? The answer usually comes down to user experience–avoiding that second step in situations that are deemed “less risky” just makes life easier–plus, you will notice, it helps to sell Azure AD Premium subscriptions!  But a “no-password” setup like this one, using Hello or some FIDO2 device, might settle this argument once and for all–go password-less, and collapse two authentication mechanisms into one  End of debate. Thoughts?

*Note: I have noticed that some of these hardware devices simply require you to tap a button on a USB stick inserted in the computer–I cannot imagine this is as safe as Windows Hello, where the private key is protected by a gesture that you either know (PIN) or are (biometric). After all, if anyone can pick up your USB key and then use it to login as you just by tapping a button–no bueno. I would personally go with Hello, or another hardware key that has some biometric such as a fingerprint scanner or facial recognition built-in.

Opinion, Technical , , , , 3 Comments
Share:

Comments (3)

  • Julius Mensing Reply

    Hi Alex,

    I wonder what the latest on this is.
    Is the app still required or something else that will allow a password-less sign-in for MS 365 Business?

    The question to me is also if a user doesn´t have a company phone I would not want people to be volunteering to install an app on their private phones.

    And with the app, what will happen if you forgot your phone at home or if it is not working anymore? Would be good to have a backup option there.

    Thanks for sharing your thoughts…

    August 14, 2019 at 3:28 pm
    • Alex Reply

      Hi Julius, actually the authenticator app is great for BYOD. Keep in mind that there is no company data stored in Authenticator. It just provides a secondary factor of auth, and disabling the account or revoking its MFA methods would render this app worthless if user was ever terminated or left the company. When you register MFA methods you can register two methods, so for instance an email address or a phone number could be your fallback. Otherwise, yes there is support for hardware token now, e.g. YubiKey: https://www.yubico.com/passwordless/

      August 14, 2019 at 4:25 pm
  • Jeff Brixhamite Reply

    As of July Microsoft have been offering FIDO2 based hardware key solutions, and they have also been testing using TOTP based hardware keys so it isn’t only authentication using an app.

    November 29, 2019 at 8:09 am

Leave a Reply

Back to Blog

Related Posts

21Sep

Tutorial: How to Setup a Site-to-Site VPN between an Azure Virtual Network and WatchGuard Firewall, part 1

Using a Site-to-Site VPN tunnel into an Azure Virtual Network is the most common way for small businesses to begin extending the capabilities of their local network, and leveraging additional compute power and availability features in the cloud. There are many reasons one might need to... read more
22Oct

Understanding Email authentication (SPF, DKIM and DMARC) in Office 365 Exchange Online

For a long time now, we administrators have had the ability to provide email authentication for our customers using SPF, DKIM and DMARC. However, an embarrassingly low percentage of us actually take advantage of these tools. That means it is fairly trivial business for a... read more
10Aug

Vulnerability Assessments vs. Pen Testing: Walk before you run

Sales people are some of my favorite people in the world. They make me laugh out loud almost every day.  The company I work for offers a few different flavors of network & security assessments for small to mid-sized businesses, but we do not offer... read more
17Nov

How OneDrive changed the way I work

My Documents, on steroids I kind of think about OneDrive like the My Documents folder of yore. Back in the olden days, "My Docs"--as it was affectionately referred--would be redirected to a company file server and backed up there by your administrator. But it meant you had... read more
17Mar

How to Enable Information Rights Management for SharePoint Online & OneDrive for Business

This is a four-part post on Azure Rights Management for Office 365. The Azure RMS service is a powerful tool that we can use to prevent data leakage and share information securely with users inside & outside of the organization. Follow along as we explore how to: Activate Azure Rights... read more
16May

How-to Upgrade DirSync to Azure AD Connect (and move to a new server at the same time)

Many a small business using Exchange Online, Office 365 or other Microsoft cloud services has opted to enable Directory Synchronization--this means you can have the same credentials on-premises and in the cloud. Most commonly, this synchronization was achieved with a tool called DirSync. And wouldn't you know... read more
24Jun

A framework for implementing Device configuration profiles with Microsoft Intune

Last time we looked at the proper methodology for rolling out Device-based Conditional access in conjunction with Compliance policies. In that article, we observed that the workflow is very linear and logical, flowing from one step to the next, and ending in Conditional access, like... read more
27Apr

Differences between Shared Mailboxes, Distribution Lists and Office 365 Groups

Before we begin our article today, I just want to say this: if you guys and gals aren't aware of the CIAOPS community yet, then you should definitely check it out. It's a great place to hang out, with lots of smart people both asking... read more
20Jun

Conditional access for the SMB, a how-to guide

**This resource was updated 09/01/2019** Unfortunately it is not yet possible to import CA policies from JSON, the way we can for Intune compliance policies or device profiles. Nevertheless, now that Conditional access is available to all Microsoft 365 Business customers, you will want a good... read more
16Nov

How to deal with Dynamic Distribution Groups in an Office 365 Hybrid Scenario

Dynamic Distribution Groups are not directly "migratable" to Office 365. (Yes, I just made that word up, but now it is a real word--that's how words are made). In a hybrid scenario, where you have Azure AD Connect synchronizing your Active Directory objects for single-sign... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me