Microsoft recently announced the public preview of Azure AD FIDO2 support, which lets users authenticate without passwords.
FIDO2, or Fast IDentity Online 2.0, is a Web standard for passwordless user authentication developed by the FIDO Alliance industry coalition and the World Wide Web Consortium (W3C). Microsoft already ships the Windows Hello biometric authentication scheme in Windows 10, and it recently received FIDO2 certification for use with the Windows 10 May 2019 Update (version 1903).
Azure AD FIDO2 Preview
With the Azure Active Directory (AD) FIDO2 public preview, organizations can try out “passwordless access to all your Azure AD-connected apps and services,” stated Alex Simons, corporate vice president of program management at the Microsoft Identity Division, in the announcement.
IT pros will find new tooling in the Azure AD Admin Portal for setting up this passwordless authentication method. To use the preview, they’ll need to “assign passwordless credentials utilizing FIDO2 security keys.” The preview works with “the latest versions of Edge and Firefox internet browsers,” the announcement added.
Devices from “hardware partners Feitian Technologies, HID Global and Yubico” are supported for the Azure AD FIDO2 preview. Those three device makers are currently offering promotional discounts on their devices, as described in this Microsoft Tech Community post. Microsoft requires that such devices be “Microsoft compatible” keys, as defined in this document.
Azure AD FIDO2 is still a work in progress. Simons described it as a “first release.” A future release will add “the ability to manage all our traditional authentication factors (Multi-Factor Authentication (MFA), OATH Tokens, phone number sign in, and so on),” he added. The same applies on the Windows 10 client side.
“We’re dealing with our Windows security engineering group to make FIDO2 authentication work for hybrid-joined devices,” Simons said.
Windows 10 version 1809 and later have FIDO2 support, according to Microsoft’s “Password-Less Protection” whitepaper.
FIDO2 uses public-key cryptography: for each relying party the authenticator generates a key pair, keeps the private key on the device and hands the service only the public key. Sign-in is a challenge-response exchange in which the device signs a server-issued random challenge bound to the site’s identity, so no secret ever crosses the network and there is nothing for a server breach or a phishing page to capture. This defeats the attacks in which an adversary has learned a user’s name and password. Even a PIN is safe because it is checked only by the device’s hardware and never sent to the service, so an attacker who guesses the PIN would still need physical possession of the device to access an account, Microsoft’s whitepaper explained.
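The challenge-response flow described above, as an added example in Go. This is not Microsoft’s code or any FIDO2 library; it is a deliberately simplified model of the WebAuthn protocol, and the type names, the P-256 signature scheme, the SHA-256(rpIDHash || challenge) construction, the sample origins and the user “alice” are all assumptions chosen for illustration. It plays four attempts against a genuine relying party: a real login, a replayed assertion, a phishing relay from a look-alike origin that forwards the genuine challenge, and a wrong PIN entered at the device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a FIDO2 security key: a P-256 key pair per relying party (RP), private keys never exported, PIN checked on-device.
type Authenticator struct {
	pin   string
	creds map[string]*ecdsa.PrivateKey // rpID -> private key
}

// RelyingParty models the server side: public keys only, plus one live challenge per user.
type RelyingParty struct {
	id         string
	pubKeys    map[string]*ecdsa.PublicKey // user -> public key
	challenges map[string][]byte           // user -> challenge not yet answered
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register creates a fresh key pair for rp and hands the RP only the public half.
func (a *Authenticator) Register(rp *RelyingParty, user string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds[rp.id] = priv
	rp.pubKeys[user] = &priv.PublicKey
}

// signedDigest is the value the key signs: SHA-256(rpIDHash || challenge) (assumed construction).
func signedDigest(rpIDHash [32]byte, challenge []byte) []byte {
	d := sha256.Sum256(append(rpIDHash[:], challenge...))
	return d[:]
}

// Sign checks the PIN on the device, then signs under the key registered for rpID (the origin the browser reports).
func (a *Authenticator) Sign(rpID, pin string, challenge []byte) (rpIDHash [32]byte, sig []byte, err error) {
	priv, ok := a.creds[rpID]
	if pin != a.pin || !ok {
		return rpIDHash, nil, fmt.Errorf("authenticator refused: pin ok=%v, credential for %q=%v", pin == a.pin, rpID, ok)
	}
	rpIDHash = sha256.Sum256([]byte(rpID))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpIDHash, challenge))
	return rpIDHash, sig, err // only rpIDHash and sig cross the network; neither is a secret
}

// NewChallenge issues 32 random bytes that are valid for exactly one assertion.
func (rp *RelyingParty) NewChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[user] = c
	return c
}

// Verify requires a live challenge for the user, a hash of this RP's own ID, and a valid signature under the stored key.
func (rp *RelyingParty) Verify(user string, rpIDHash [32]byte, sig []byte) bool {
	challenge, ok := rp.challenges[user]
	if !ok {
		return false // nothing outstanding: a replayed assertion dies here
	}
	delete(rp.challenges, user) // single use
	if rpIDHash != sha256.Sum256([]byte(rp.id)) {
		return false // signed for another origin: a phishing relay dies here
	}
	pub, ok := rp.pubKeys[user]
	return ok && ecdsa.VerifyASN1(pub, signedDigest(rpIDHash, challenge), sig)
}

// RunScenarios: legitimate login, replay, phishing relay, wrong PIN; reports which ones the genuine RP accepted.
func RunScenarios() (legit, replay, phish, badPIN bool) {
	const lookalike = "login-example.evil.test" // constructed phishing origin
	key := &Authenticator{pin: "1234", creds: map[string]*ecdsa.PrivateKey{}}
	genuine := NewRelyingParty("login.example.com")
	key.Register(genuine, "alice")
	key.Register(NewRelyingParty(lookalike), "alice") // alice also has an account there
	attempt := func(origin, pin string) ([32]byte, []byte, bool) { // browser tells the key it is at origin
		h, s, _ := key.Sign(origin, pin, genuine.NewChallenge("alice"))
		return h, s, genuine.Verify("alice", h, s)
	}
	h, s, legit := attempt(genuine.id, "1234") // 1. real site, right PIN
	replay = genuine.Verify("alice", h, s)     // 2. captured assertion resent
	_, _, phish = attempt(lookalike, "1234")   // 3. genuine challenge relayed via the look-alike
	_, _, badPIN = attempt(genuine.id, "0000") // 4. wrong PIN at the device
	return
}

func main() {
	fmt.Println(RunScenarios()) // expected: true false false false
}
```

Only the first attempt succeeds. The replay fails because the challenge was consumed; the relay fails because the key signed a hash of the look-alike’s ID, not the genuine one; the wrong PIN produces no signature at all. A relying party database leak exposes only public keys, so an attacker who holds one cannot produce a valid assertion either.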
In addition to pushing toward a passwordless future, Microsoft has also argued against making end users create complicated passwords or change them periodically. Microsoft’s best-practices guidance for passwords laid out these positions, contrary to standard IT practice, back in 2015.
Back in April, Microsoft revealed plans to drop some standard password recommendations from its Windows security baseline because it doesn’t believe they add much protection for organizations.
More recently, Microsoft repeated this advice on passwords and argued that what organizations need is to require multifactor authentication for end users (a second identity verification step) and to have identity verification tied to the hardware, as FIDO2 enables. These arguments are laid out in this Microsoft Tech Community post by Alex Weinert, a member of the Microsoft Identity Division security team.
Longer passwords offer much better defense against brute-force attacks, Weinert suggested. His overall message, however, was to take the simpler route and use multifactor authentication.
“Your password does not matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you utilize MFA,” Weinert concluded.