Passwordless is Microsoft’s strategy to improve enterprise security and enable end-user convenience at the same time. The era of passwords is slowly coming to an end, and Microsoft offers readily available solutions for your colleagues to sign in to their devices and services.
However, with its many passwordless methods, Microsoft isn’t making it easy for identity admins to choose and deliver a powerful sign-in method to their organization.
Available passwordless sign-in methods
Microsoft offers the following built-in passwordless sign-in methods:
- Microsoft Authenticator App sign-in
- Windows Hello for Business
- FIDO2-based Security Keys
Each of these methods has its own areas of implementation, strengths, weaknesses, opportunities and threats. Below, I’ll also provide a description of each method. Let’s look at these, per sign-in method:
Microsoft Authenticator App sign-in
The Microsoft Authenticator App was originally aimed as a multi-factor authentication tool, but has evolved into a security broker on mobile devices to allow (passwordless) authentication to apps communicating with Microsoft services like Outlook, Teams and OneDrive.
- When you are already using Azure multi-factor authentication, then it’s easy to upgrade to passwordless; you already have the Authenticator app!
- Microsoft Authenticator App sign-in is the best solution for mobile users
- Microsoft Authenticator App sign-in is the best solution for non-PC users
- Microsoft Authenticator App sign-in can be used to Azure AD-join Windows 10-based devices (since Windows 10 v1909).
- Microsoft Authenticator App sign-in cannot be used to sign into Windows-based devices interactively with domain accounts. Sign-ins are only available to personal Microsoft accounts (formerly known as Windows Live IDs) and work or school accounts (Azure AD accounts, both cloud and hybrid).
- Microsoft Authenticator App sign-in on Android devices requires Android 6.0 or up. This may rule out the use of older and/or cheaper Android-based devices.
- Availability of the latest version of the Microsoft Authenticator App relies on the update settings of the mobile device used, if not managed by a mobile device management (MDM), or mobile application management (MAM) solution.
- Currently, an Authenticator App can only be registered to a single work or school account. If you want to turn on phone sign-in for a different work or school account, you must unregister the other account.
- Microsoft Authenticator App sign-in can be used to bootstrap Windows Hello for Business.
- In many organizations, Microsoft Authenticator App sign-in would require colleagues to use their personal device for corporate purposes. Not everyone agrees to this arrangement. Some countries forbid such arrangements and might require you to purchase (costly) devices.
Windows Hello for Business
For the first time in the history of Windows, Windows 10 offered built-in authentication using face and fingerprint recognition. Known as Windows Hello, it made signing into devices faster and more convenient to end-users. Under the hood, when communicating with services and remote systems, Windows Hello used old protocols. It wasn’t until Windows Hello for Business that Microsoft Windows offered a true passwordless method.
- Windows Hello for Business is the best solution for information workers with dedicated Windows 10-based PCs.
- Windows Hello for Business offers unphishable credentials for sensitive resources.
- Windows Hello for Business is available to Azure AD-joined and Hybrid Azure AD-joined devices. Authenticating using Windows Hello for Business on these devices allows for single sign-on access to both cloud and on-premises resources.
- Windows Hello for Business only works with Windows 10-based devices.
- Windows Hello for Business is not available for domain-joined devices, unless the Active Directory environment is synchronized to Azure AD, and Hybrid Azure AD Join feature is in use.
- Windows Hello for Business needs to be enrolled for each Windows 10-based device individually. The maximum number of supported Windows Hello for Business enrollments on a single Windows 10-based device is 10.
- Windows Hello for Business relies on TPM chips to provide strong authentication.
- Not all methods are available in all passwordless scenarios. The PIN authentication mode is not available for Azure AD user accounts.
- Support for connecting to Remote Desktop Services (RDS) environments is currently only supported with certificate-based deployments.
- Windows Hello leverages the same user experience that colleagues may already use at home to sign into their devices. Deployment may not require much user training.
- For Hybrid Windows Hello for Business deployments, Active Directory must run the Windows Server 2016 schema, the Windows Server 2008 R2 Domain Functional Level (DFL) and the Windows Server 2008 R2 Forest Functional Level (FFL), or up.
- Further on in your organization’s passwordless journey, you may start to disable unwanted Windows Hello for Business authentication methods. However, the PIN authentication method may not be disabled on the Windows 10 start screen.
- Except for the PIN and the picture password, all other Windows Hello for Business authentication methods require hardware, like a fingerprint reader or a biometric face recognition camera. Adoption of Windows Hello for Business might require a hardware refresh.
- Microsoft will be deprecating the Windows Hello companion device framework in the future.
FIDO2-based Security Keys
Windows Hello for Business Security Keys is Microsoft’s name for FIDO2-based security keys when you use them with Windows Hello for Business on a Windows 10-based device.
However, as the FIDO alliance strives to develop and promote authentication standards, FIDO2-based security keys work in many passwordless scenarios.
- FIDO2-based security keys use open standards.
- FIDO2-based Security Keys are the best solution for information workers with dedicated Windows 10-based PCs
- FIDO2-based Security Keys offer strong, unphishable credentials that cannot be captured by eavesdropping. Authentication relies on public/private key pairs and cryptography.
- FIDO2-based Security Keys can be used with all major Operating Systems.
- FIDO2-based Security Keys can be used both to sign in interactively (CTAP) and to sign in to web services (WebAuthn).
- FIDO2-based Security Keys will need to be purchased.
- FIDO2-based Security Keys require a logistical process to deploy.
- FIDO2 WebAuthn is supported since Windows 10 v1809 only.
- FIDO2 Interactive Windows sign-in (CTAP) is:
  - supported since Windows 10 v1903, but only for Azure AD-joined devices and when the combined MFA/SSPR registration is enabled.
  - currently available in Public Preview for Hybrid Azure AD-joined devices. It requires Windows 10 Insider build 18495, or up.
  - not available for on-premises domain-joined devices that are not (hybrid) Azure AD-joined.
- In the Azure AD infrastructure, FIDO2-based security keys do not utilize the Azure Multi-Factor Authentication (MFA) infrastructure. They offer the same availability as passwords, yet allow strong authentication.
- Current USB-A security keys and keys equipped with an Apple lightning connector may soon be outdated due to the shift to USB-C.
- As with smart cards, FIDO2-based security keys may fall victim to tagging with user names and/or purposes.
- Although governed by standards, the security level offered by FIDO2-based security keys relies on the implementation by the manufacturer. This has already been shown.
- The key pairs and encryption algorithms used by FIDO2-based security keys may not be quantum-proof.
I don’t think you should aim for the passwordless silver bullet for your organization, but instead offer and even combine several sign-in methods to make your colleagues’ passwordless journeys a success.
Based on the strengths of the methods above, these rules of thumb hold true for preferred passwordless authentication methods:
- Use Windows Hello for Business on Windows 10 dedicated devices
- Use Microsoft Authenticator for mobile and non-PC scenarios
- Use FIDO2-based security keys on shared devices and to protect admin credentials
As some use cases overlap and others have distinct gaps, make sure you have more than one, up-to-date, verification method associated with any account.
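To turn the device-side constraints above (Windows 10 build, TPM, join state) into something you can run against a fleet, here is an added PowerShell readiness check; it is not code from the original post or from Microsoft, and it assumes an elevated PowerShell session on Windows 10 with dsregcmd.exe present. Tenant-side prerequisites such as combined MFA/SSPR registration are not checked.

```powershell
# Added example, not code from the original post: score a Windows 10 device
# against the constraints the post lists. Assumes an elevated session on
# Windows 10 (Get-Tpm needs admin) and that dsregcmd.exe is present.

function Get-JoinState {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES" and "DomainJoined : YES"
    $state = @{ AzureAdJoined = $false; DomainJoined = $false }
    foreach ($line in (& dsregcmd.exe /status 2>$null)) {
        if ($line -match '^\s*AzureAdJoined\s*:\s*YES') { $state.AzureAdJoined = $true }
        if ($line -match '^\s*DomainJoined\s*:\s*YES')  { $state.DomainJoined  = $true }
    }
    return $state
}

function Get-TpmPresent {
    # Get-Tpm is in the built-in TrustedPlatformModule module; fail closed on any error
    try { return [bool](Get-Tpm -ErrorAction Stop).TpmPresent } catch { return $false }
}

function Get-PasswordlessReadiness {
    param(
        [int]$Build = [System.Environment]::OSVersion.Version.Build,
        [bool]$TpmPresent = (Get-TpmPresent),
        [hashtable]$Join = (Get-JoinState)
    )
    $hybrid  = $Join.AzureAdJoined -and $Join.DomainJoined
    $aadOnly = $Join.AzureAdJoined -and -not $Join.DomainJoined
    if ($hybrid)                { $joinType = 'Hybrid Azure AD joined' }
    elseif ($aadOnly)           { $joinType = 'Azure AD joined' }
    elseif ($Join.DomainJoined) { $joinType = 'Domain joined only (no WHfB, no FIDO2 sign-in)' }
    else                        { $joinType = 'Not joined' }

    [pscustomobject]@{
        Build                   = $Build
        JoinType                = $joinType
        TpmPresent              = $TpmPresent
        # Windows Hello for Business: Azure AD-joined or Hybrid-joined device backed by a TPM
        WindowsHelloForBusiness = [bool]($Join.AzureAdJoined -and $TpmPresent)
        # FIDO2 WebAuthn in the browser: Windows 10 v1809 (build 17763) or later
        Fido2WebAuthn           = $Build -ge 17763
        # FIDO2 interactive sign-in (CTAP): v1903 (build 18362) or later, Azure AD-joined only;
        # Hybrid Azure AD-joined devices need Insider build 18495 or later (preview, per the post)
        Fido2InteractiveSignIn  = [bool](($Build -ge 18362 -and $aadOnly) -or ($Build -ge 18495 -and $hybrid))
    }
}

# Run for the local device; pass -Build/-TpmPresent/-Join to evaluate inventory data offline
Get-PasswordlessReadiness | Format-List
```

A device that reports only Fido2WebAuthn as true is a candidate for the Authenticator app or a security key in the browser, while the WindowsHelloForBusiness and Fido2InteractiveSignIn columns map directly onto the rules of thumb above.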