"Microsoft", "cloud", "passwordless authentication"... what could possibly go wrong?
Microsoft has said it will add end-to-end encryption for some one-to-one Teams calls later this year – and urged folks to move away from using passwords with Azure AD. The Teams improvements, announced at the tech giant’s Ignite conference this week, will be available "to commercial customers in preview in the first half of …
If you have a firm grasp of the whole concept, it's actually a damn sight more secure than having people type passwords in. It's an order of magnitude more secure to use a hardware token or authenticator to avoid phishing and as an MSP, from a helpdesk perspective it would save the number of calls on a daily basis ten-fold if we didn't have to do password resets, locked out accounts, etc. I know there are solutions out there, e.g. FastPass to work around this but they cost mega bucks.
I, for one, am looking forward to Azure passwordless auth becoming the norm as it'll reduce our workload and make things more secure for the end user.
Lots of things... largely that replacing the secret component of authentication with a non-secret component is fundamentally stupid. Using facial recognition or fingerprints as an identifier? That's fine, but as a replacement for a secret, such as a password? That never improves security.
“Passwordless” isn’t the same thing as biometrics. Biometrics data, like PINs, are just “gestures” for unlocking a security component such as a hardware FIDO2 token or Windows Hello (which may or may not be backed by a TPM), which among other things are engineered to resist brute-force attacks. The decision to accept or reject such a gesture is made locally. Unlike the password, no biometrics data or PIN is transmitted over the network.
Going passwordless essentially means that instead of passwords (which are often low-quality and reused), you’re now identified by a pair of public/private keys, and the private key is protected by a tamper-resistant token. If somebody steals your token, they _probably_ don’t have your PIN or biometrics to use it. You’ll have the opportunity to disassociate the token from your account or, if they try and fail too many (e.g., 5) times, the token will clear itself. Either way, the keypair is rendered useless.
Plus, nobody can guess your password—with or without your knowledge—if you don’t have a password in the first place.
You can argue that biometrics are fundamentally identifiers and are therefore unsuitable even as a way to locally unlock a security token. Actually PINs can get reused (and shoulder-surfed) as well. The point is these risks are much more manageable and eliminating passwords gives the user much more convenience and very often much better security.
"The point is these risks are much more manageable and eliminating passwords gives the user much more convenience and very often much better security."
Not if you applied for a job with the U.S. government prior to the OPM breach*, at which point your face and fingerprints are now the property of an organisation that is untrusted by everyone, with the added bonus of being unchangeable without very expensive surgery.
note: or the breach of any other entity to which you had to provide biometric data
It depends what the password is protecting. If you want to stop people doing certain things from your computer, then yes it is bad. But if you want to ensure that a service can only be used from a particular computer, then it is more secure than a password. Someone could find out my password and I might never know. They are unlikely to be able to use my computer without me knowing.
Tell me what you believe is the more secure situation ... Allowing people to take money from your bank account if they know the password to that account, or allowing people to take money from your bank account if they have a physical credit or debit card associated with that account?
This is a different scenario - this is "something that you have", which is a different combination. However if you consider the "something that you have" scenario, consider chip+PIN - this is a combination of "something that you have", as in the physical card, as well as "something that you know", as in the PIN. This is considerably more secure than you just presenting your card and taking money out - although this is how contactless pretty much operates with the threat that sometimes we have to enter our PIN anyway and it does have the safety stop that the card may be stopped if reported stolen or lost.
Security is as secure as the least secure element in the chain. It doesn't matter if you have military grade security at every other step if one of the steps in the chain is a piece of string. Maybe a better example... :) you could have a very secure lock to your front door but if a copy of the key to the door is stored in a cheap'n'nasty "carer" or "emergency" key storage device, typically a combination lock, the overall security is not measured by the quality of your lock, it's measured by the security of the key storage device attached to your wall and the security and secrecy of the combination that is required to open it... or, typically enough, a small shim of metal as that's usually all it takes to open such locks. Biometrics is this combination lock - except it's worse as the combination may never be changed.
The biometrics that are the biggest issue are the entirely crap ones like face recognition or fingerprint... as in everything that the likes of Microsoft are pushing as being in some way "secure" or a replacement for a password. They do have their place, of course, like anything in security, but they are very far from any kind of solution on their own - they can enhance security when taken with other factors, but when used to replace other factors they reduce security.
The problem is that passwords are not really secret either. Using 2FA such as a phone is both easier to use and more secure. You can argue whether biometrics for the phone are sufficient or whether something like a TAN should also be required, but almost anything is safer than a password.
...With bio-metrics just means that the bad actors will need to learn how to spoof bio-metrics. How would this compare to enforcing the managed use of lengthy, randomized that are changed on a regular basis?
One huge benefit of using bio-metrics is that over time it limits the amount of data that needs to be processed in order to authenticate a user. Another is that no one (to my knowledge) has come up with a quick way to spoof bio-metrics...yet. However, our fingerprints rarely change. The same is true for our faces. Once a bio-metric measurement has been cracked it should be considered insecure for the foreseeable future. In my opinion if passwords are long enough, random enough, changed often enough, and are securely hashed they will remain superior to bio-metric authentication, but perhaps inferior to using bio-metrics as 2FA with strong passwords.
Instead of trying to chase this Holy Grail I think Microsoft would be better off spending its money learning how to apply the Shannon Limit to Dev Ops in order to reduce the number of bugs in released code to something close to zero. I think that Grail is more Holy than passwordless authentication.
Yes, biometrics, IMHO, are an identifier, not a secret. Fine for 2FA, but inadequate in the long run as a replacement for a password.
That said, I've been using Yubikeys and other cards for logging onto devices and services for a long time - again as a 2FA mostly, but more commonly for cloud services these days as a FIDO2 password replacement.
randomized that are changed on a regular basis
Randomized? Not such a great idea
Changed on a regular basis? May be not such a great idea either
When you ask for a regular password change, most of the time it becomes a numerical increment at the end of a basic password. Not that secure.
Strong passwords and 2FA are indeed a good thing. But to have the former, users should be educated and provided a password manager so they don't have to rely on their memory only.
"generally available" does NOT mean it's also available for on-premises Windows Servers who just want to deploy FIDO2 hardware keys for authentication in regular Active Directory systems, to get rid of passwords too.
If it has to be Azure-enabled... that means additional $$$$$, because Azure authentication management for hybrid Azure AD is not included with an on-prem Windows Server Standard license.
Azure Active Directory is a different kettle of fish than regular Active Directory.
"Azure AD users can ditch typed-in passwords altogether, and instead use things like biometrics (facial recognition and fingerprints)"
Biometrics should never be used as authenticators not least because:
 an authenticator is some form of shared secret but biometrics by definition are not secret as you carry them around in plain view and leave some of them behind wherever you've been;
 an authenticator must be amenable to being rescinded, but you can't rescind a biometric (short of "rubbing out" the party concerned);
 a single authenticator should not be used for multiple incompatible purposes, but you'll soon run out of alternatives for different purposes if biometrics are used.
The only valid use of a biometric is as an identifier. Authentication is the second phase after identification and should use something that complies with the above principles.
Quite apart from which, current "biometric authentication" systems don't actually use biometrics despite being tied to them. They use grossly simplified digests of them translated into numeric form. Such systems can be breached in many ways via compromise of the digest.
I continually despair at the barely trained monkeys at Microsoft, and other organisations, who, having no doubt been brought up on Hollywood movies, hold the utterly inexplicable belief that facial recognition or fingerprints are in any way a substitute for the secret component of authentication. They are not. As noted above, they are an adequate replacement for an identifier, but nothing else.
Dear Microsoft, please go to the back of the class and replace every instance of that phrase with "as well as passwords".
Adding an extra layer of authentication increases security. Replacing one form with another keeps you at about the same level, as we of course assume that exploits for it will be found, especially early on in the adoption phase.
To be fair to MS, "as well as passwords" is what they offer currently: we're logging in to MS services now with name, password and 2FA as mandatory. There are a few options that the Admin can set - text message, app based authentication and possibly others. Adding biometric-ish options to the list doesn't seem a big deal. Slow news day at Redmond I guess.
So most people on here will use a password manager to remember long and complex passwords? So have one master password for the manager.
The FIDO tech is essentially the same thing - something to unlock the local password database (which happens to be held in a TPM chip on a PC/phone/key, rather than an encrypted database) - this is either a PIN (so device stolen, PIN socially engineered - hacker in) or bio-metric (can be hacked, just a bit harder?).
Once the database is "open" the secure password is used - password-less just replaces pasting the password into a text box with a much better public/private key exchange.
The actual pain point is that only works for a limited number of systems - so you still need "real" passwords for "legacy" systems.
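The model sketched in this comment and in the earlier one about keypairs, tamper-resistant tokens and the PIN retry limit, as an added illustration (not code from the article, from Microsoft, or from any commenter): a toy Go program, standard library only, in which the relying party stores nothing but a public key, the PIN is checked on the token and never sent anywhere, the key material is destroyed after five wrong PINs, and an assertion signed for one origin does not verify at another. The names `Authenticator`, `RelyingParty`, `Login` and `maxPinRetries`, and the `origin|nonce` client-data encoding, are assumptions; the encoding is a simplified stand-in for WebAuthn's clientDataJSON and authenticatorData, not the real wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed toy model of a FIDO2-style authenticator (names are assumptions).
// The server side never sees the PIN; it sees only signatures it can check
// against a public key it was given at registration.

const maxPinRetries = 5 // the comment above mentions "too many (e.g., 5) times"

var (
	ErrLocked      = errors.New("authenticator wiped after too many wrong PINs")
	ErrBadPin      = errors.New("wrong PIN")
	ErrNotUnlocked = errors.New("authenticator was not unlocked for this assertion")
)

// Authenticator holds the private key, a PIN digest and the retry counter.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	pinHash  [32]byte
	retries  int
	unlocked bool
}

func NewAuthenticator(pin string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pinHash: sha256.Sum256([]byte(pin)), retries: maxPinRetries}, nil
}

// PublicKey is the only thing the relying party ever stores; nil after a wipe.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey {
	if a.priv == nil {
		return nil
	}
	return &a.priv.PublicKey
}

// Unlock checks the PIN locally; five misses destroy the private key.
func (a *Authenticator) Unlock(pin string) error {
	if a.priv == nil {
		return ErrLocked
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], a.pinHash[:]) == 1 {
		a.retries, a.unlocked = maxPinRetries, true
		return nil
	}
	a.retries--
	if a.retries <= 0 {
		a.priv, a.unlocked = nil, false // keypair rendered useless
		return ErrLocked
	}
	return ErrBadPin
}

// Sign produces one assertion per unlock gesture.
func (a *Authenticator) Sign(clientData []byte) ([]byte, error) {
	if a.priv == nil {
		return nil, ErrLocked
	}
	if !a.unlocked {
		return nil, ErrNotUnlocked
	}
	a.unlocked = false
	digest := sha256.Sum256(clientData)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// RelyingParty is the server: a public key and the origin it expects.
type RelyingParty struct {
	pub  *ecdsa.PublicKey
	rpID string
}

func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// ClientData binds the nonce to the origin the browser is actually talking to,
// so an assertion collected by a look-alike site fails at the real one.
func ClientData(origin string, nonce []byte) []byte {
	return append([]byte(origin+"|"), nonce...)
}

func (rp *RelyingParty) Verify(nonce, sig []byte) bool {
	digest := sha256.Sum256(ClientData(rp.rpID, nonce))
	return ecdsa.VerifyASN1(rp.pub, digest[:], sig)
}

// Login runs one challenge/response; browserOrigin is whatever site the user
// is really on, which is what the signature gets bound to.
func Login(rp *RelyingParty, auth *Authenticator, browserOrigin, pin string) (bool, error) {
	nonce, err := rp.NewChallenge()
	if err != nil {
		return false, err
	}
	if err := auth.Unlock(pin); err != nil {
		return false, err
	}
	sig, err := auth.Sign(ClientData(browserOrigin, nonce))
	if err != nil {
		return false, err
	}
	return rp.Verify(nonce, sig), nil
}

func main() {
	auth, err := NewAuthenticator("1234")
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{pub: auth.PublicKey(), rpID: "login.example.com"}
	ok, err := Login(rp, auth, "login.example.com", "1234")
	fmt.Println("genuine login:", ok, err)
	ok, err = Login(rp, auth, "login-example.evil", "1234")
	fmt.Println("assertion made at a look-alike origin:", ok, err)
}
```

The point to take from running it is where the secrets live: the relying party's `RelyingParty` struct contains no password-equivalent to leak, the PIN digest and retry counter never leave `Authenticator`, and a lost token becomes scrap once `retries` hits zero. Real hardware adds attestation, per-site key handles and a TPM or secure element behind the counter; this model keeps only the parts the thread argues about.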