I Don't Get It...
I get that they know it's your device you're using to log on from, but if you aren't providing a password or biometric key then how do they know it's you, and not just the person who's stolen your device?
It's taken a while, but it has finally arrived. You can sign into your Microsoft account with a suitable dongle or Windows Hello, with passwords consigned to history. Well, that's the theory. There are, as ever, some caveats. Microsoft's corporate veep of all things identity, Alex Simons, trumpeted that the 800 million people …
"so be careful that when a person steals your phone they don't also take your finger."
No need to take your finger. Anyone's fingerprints are easy to obtain (they're probably on the case of that stolen phone), and once you have them then it's pretty simple to fool the fingerprint reader and unlock the phone.
They need to access the "secure enclave" on your device to sign the nonce, and to unlock that enclave they will need your PIN or biometric etc.
Based on how similar things work, I think it is much better than that: the nonce is passed to the device to be signed, so the private key never goes anywhere outside the device.
So the PIN or whatever is used locally to authenticate requests to sign.
Hopefully the nonce issuer is also authenticated, eg by signing it and having this verified by a public key added to the device.
how do they know it's you, and not just the person who's stolen your device?
Easy, you obviously secure the private key with a password you enter each time Microsoft sends you a nonce.
They've replaced passwords (plural) with a password. How novel.
Now hackers only have to figure out one secret instead of many to control your whole life. Or, rather, the few sites that care to use Microsoft's new feature.
I find the apparently incredibly popular "auth sticks don't make you perfectly secure so they're worthless" argument rather disingenuous. Yes, it's obviously true - nothing can possibly authenticate you absolutely perfectly, duh. Anything can be either stolen, faked, divulged or guessed. And yes, depending on what local authentication (if any) a stick/token requires to work they can be worse at that job, locally, than a strong password would be.
But they offer something no passphrase can - protection against remote attackers; yes your token may be vulnerable to people who are physically right next to you, but it should protect against anyone who isn't - and that may well be all that some of us need. Outside high-value targeted ops, almost all identity theft occurs remotely, via phished or stolen and decrypted credentials. Tokens do stop that, leaving you only having to secure a physical artefact - a task most of us have quite a bit of experience with.
No, it's not perfect - it can be stolen or lost, and then you're down to PIN / fingerprint / whatever it uses for local auth to protect you hopefully just long enough until you notice it missing and invalidate it; yes, that _is_ a window of opportunity. And make no mistake, absolutely nothing, _nothing_ can protect you against duress. But auth tokens are a formidable protection against the type of threats 99.99% of people can expect to face day to day and it's still a heck of a lot better than any password alone...
Having used a KEY-ID U2F device in linux for a few week now. I can say they are the way to go. You can have more than one key linked to an account, so do this. Thus you have spare keys, or a master key if your the admin for a host of services.
The protection that these offer is protection from remote theft of credentials. Someone has to press the button on the device. MITM is greatly mitigated too. I would suggest that a password would be better protection than a pin. That way if your unfortunate enough to loose your machine and key, you still have some protection. Each service that requests auth should also have some certificate chain to verify who they are the port and service or namespace (forgive my manglement of the correct jargon).
Just be aware that if you want them to authorise against google services, that you set your browser to forget cookies on close, or it will forever keep you logged in.
These aren't perfect, but they sure raise the bar for stealing remote accounts.
> . You can have more than one key linked to an account, so do this
Unless you're using some tiny, idiotic service no-ones heard of like.... Twitter.... who've decided you can have just one registered at any time.
Most services are a bit more sane though, I've been using a set of KEY-ID devices for a little while too. My only complaint with them is how bright they decided to make the LED, so when you shift slightly you end up with a bright spot in your vision for a little while.
how do they know it's you, and not just the person who's stolen your device
They are relying on you keeping your PC and authtication device in separate places.
In other words - they don't and will happily inform you that "it's your problem" if someone steals both devices.
in practice such an event hasn't occurred within living memory.
Well, except for that one time two days ago when all their second factor stuff died for a very extended period... But other than that! Oh yeah and that one time a few days before where the entirety of office365's outlook email service died for 4 hours.. But other than that!
To be fair though presumably one can authenticate the old fashioned way still..
"locks you out the second the auth server goes down."
That's a problem with every authentication server.
It doesn't matter if you're using a password, some kind of two-factor dongle, a fingerprint scanner, or magical quantum entanglement, you still have to rely on something to authenticate your credentials.
Of course, you could have your authentication on your local machine, but then you have bigger problems than not being able to authenticate, when it goes down.
No. Linux, (use the yubi-key mods to /etc/pam.d/common-auth). Chome or firefox (after about:config security.webauth.u2f=True) and tell them do dump cookies on exit.
Yubi key seems to have support for windows logins pre the lates 10. I haven't yet dared to try the latest 10.
It's good stuff!
No, it isn't. My PC can* run W10 but doesn't have TPM. I think you are getting confused with the MS requirement for NEW devices to have TPM as stated here:
"As of July 28, 2016, all new device models, lines or series must implement and be in compliance with the International Standard ISO/IEC 11889:2015 or the Trusted Computing Group TPM 2.0 Library and a component which implements the TPM 2.0 must be present and enabled by default from this effective date."
The above is taken from: https://docs.microsoft.com/en-us/windows-hardware/design/minimum/minimum-hardware-requirements-overview
Older devices can run W10 (if they must) even if they don't have TPM.
*It doesn't actually have W10 on it at the moment - I am not that stupid! However, I do have an SSD in my desk drawer that has W10 installed (upgraded for free about 2 years ago from a clone of my W7 install) for when W7 goes end of life. Once every so often I put that SSD into my PC just so it can update itself to the latest horror-filled TITSUP version. Then I put it back in the drawer and carry on using W7.
I've got Edge fired up and my FIDO2 dongle. Let's give this a try...
(Azure Europe overloads)
(Azure Europe goes down)
(Azure Europe fails over to Azure North America)
(Azure North America overloads)
(Azure North America goes down)
(Azure North America fails over to Azure Asia)
(Azure Asia overloads)...
Uh-oh.
Relatively speaking that's not too bad, it's the laughing hysterically (The Sunderland Car Factory Executive & Automated Mail Unit story) coughing up a mix of beer & recently eaten bit of strawberry cheesecake & snorting that out of your nostrils that really smarts (While still laughing) alot.
Icon - Holding a clean hanky to the affected area .
... who probably turned off Hello first thing during their rollout when they discovered that Batman (tm) was trying to log into to a laptop using it, because it locked onto the person's shirt instead of their face.
Facial recognition is till in it's infancy; And despite biometrics having been around for the better part of 30 years, it's still not in widespread use except as a second (or additional) authentication factor, and even then it's not infallible.
and requiring internet access to unlock the machine locally? what happens if I'm trying to troubleshoot why the internet has gone down and I need to unlock the workstation? how does it fall back? what's the action if it fails?
Microsoft use it, so that's pretty widespread. Password change at least once a year or whenever you have to type it and realise you've no idea what your password is. Hello doesn't use the camera so not really what's been around for 30 years since laptops have not had the tech for 30 years. It falls back just fine; the device does know the credentials even when the user forgets. The difference here is that credentials aren't constantly being typed in front of strangers or sent over the Internet so the barrier to Pwning someone is higher than 8 year old kids with a script.