A friend of mine recently took to social media to complain about his bank website’s newly-implemented two-factor authentication system. And I have to agree – having to enter your account credentials plus receive a phone call or text and enter a 6-digit code on my device is just not a great user experience. But as an IT Pro, I understand the necessity of multi-factor authentication given the relative ease with which a bad actor can compromise your account credentials. Techniques like password spray, phishing, and man-in-the-middle (MiTM) attacks have helped to create a cottage industry for bad actors. And it’s no wonder that hackers are so successful when you realize how many users – including those of us who should know better – are guilty of using predictable passwords or the same account credentials across multiple online sites and services. And consider this: password management recommendations once thought to be “best practice” aren’t really all that great! A study conducted by Microsoft in 2016 found that enforcing password requirements such as frequent expiration, long character length, and character complexity actually result in passwords that are, oddly enough, more predictable.
So, it shouldn’t come as a surprise when businesses ask you to provide another form of verification in addition to your password. Especially when you consider that implementing multi-factor authentication mitigates the risk of your identity being compromised almost entirely. But wouldn’t it be nice if you could authenticate and verify your identity using a highly secure method that is also convenient?
The future is here
Remember those movies where the good (or bad) guy could access a room or workstation using a retinal scan or fingerprint? Well, the future is here!
Microsoft has been on a mission to replace and eliminate passwords with a new type of authentication method that is both secure and convenient. Windows Hello for Business and the Microsoft Authenticator app are two solutions based on highly secure public/private key encryption technology which leverage biometrics and PINs instead of passwords.
And as a member of the Fast Identity Online (FIDO) Alliance, Microsoft has also been collaborating with industry partners like Yubico and Feitian Technologies to promote open standards for strong authentication and further extend the capabilities of Windows Hello and Microsoft Edge through the use of FIDO U2F security keys. These security keys (which resemble thumb drives) let you carry your credential with you and safely authenticate to an Azure AD joined Windows 10 PC. They are ideal for first line and mobile workers who need to authenticate securely on any shared Windows 10 device in the organization, without having to enter account credentials or set up Windows Hello beforehand. And the combination of WebAuthN and FIDO’s Client to Authenticator Protocol (CTAP) specification enables users to leverage their security key to safely authenticate to online services using a browser that supports FIDO2-based web authentication.
Considering that password-less authentication is the wave of the future, isn’t it time to begin planning for this change? Here are some ways you can get started:
- Enable Azure Active Directory (if you haven’t done so already)
- Enable multi-factor authentication for all your admin accounts (or better yet, for all your users)
- Turn on Microsoft Authenticator phone sign-in
- Identify and migrate any LOB applications to solutions that will support password-less authentication
- Deploy Windows Hello for Business
It’s important to understand that the deployment of Windows Hello for Business will likely require participation across multiple teams in your organization and involve planning around the following areas:
- The type of deployment, i.e. cloud-only, on-premises, or hybrid
- Selecting the appropriate version of Windows 10 best suited for your infrastructure
- How you approach management of devices and users
- The trust type you’re going to use for client authentication (key trust or certificate trust)
- The Public Key Infrastructure which serves as a trust anchor for authentication
The Windows Hello for Business planning guide can be used to help you make decisions on the type of deployment and the options you’ll need to consider. But the broad range of options can be overwhelming, leading to confusion. At Olive + Goose, we have a team of skilled and experienced IT professionals with years of experience ready to help you work through that. We would love to help you with the transition to password-less authentication and would be happy to discuss the benefits and potential pitfalls of making a change such as substantial as this.
Hopefully, I’ve whetted your appetite to discover more about this exciting technology. In addition to perusing the links sprinkled throughout this article, you can learn more directly from Microsoft at http://aka.ms/gopasswordless.