A picture containing indoor, computer, keyboard, desk Description automatically generated

Password Freedom

Last Updated on June 26, 2022 by Oktay Sari

What does going passwordless mean to you? Think about that for a minute. It’s a long journey and we can’t get there in a few clicks. I’ve seen a lot of different implementations, but to me, going passwordless means password freedom. It means I no longer need to remember a complex string of letters, numbers, and special symbols. Suppose that I never received a password to begin with. Sounds pretty good, right? In a previous post I talked about Passwordless authentication with windows 10 and Azure AD and how to setup a FIDO2 security key.

In this post, we’ll look at Temporary Access Pass (TAP) to register a strong authentication method like the Feitian ePass NFC Plus FIDO2 Security key. A Temporary Access Pass is a time-limited passcode you can give to your users. It satisfies strong authentication requirements and users can register other authentication methods, including Passwordless ones.

We will create a user, that doesn’t know the password to begin with. Sounds like password freedom to me 😉.

There are some requirements to keep in mind:

  • Enable passwordless authentication methods in Azure AD
  • Enable passwordless security key sign in to Windows 10
  • Azure AD Multi-Factor Authentication
  • Enable Combined security information registration
  • Compatible FIDO2 security keys
  • For Azure AD joined devices the best experience is on Windows 10 version 1903 or higher.
  • Hybrid Azure AD joined devices must run Windows 10 version 2004 or higher.

Passwordless Authentication methods

I have enabled the following three Authentication methods in my test-tenant:

You might want to consider enabling the Microsoft Authenticator method while you’re at it, but do read the Microsoft documentation first!

Azure AD authentication methods

Enabling Temporary Access Pass

Update: TAP is now General available!

Go to the Azure portal and sign in as a Global admin.

Click Azure Active Directory > Security > Authentication methods > Temporary Access Pass.

Then Enable TAP, and configure the additional settings. Have a look at the Microsoft documentation about Temporary Access Pass for more info.

Temporary Access pass

To see how to enable FIDO2 Security Key, read my previous blog. That’s it. You’ve configured 2 authentication methods in Azure.

Feitian ePass NFC Plus FIDO2 Security key

For this test, I’m going to setup the Feitian ePass NFC Plus (K9) FIDO2 Security key. Other than the default USB interface, you can also register this key using NFC and that is great for mobile phones and other devices (like the surface line) that support NFC. It supports Android, iOS, Chrome OS, Windows, MacOS and Linux. Furthermore, it also supports OATH TOTP which is supported by Azure AD.

I have been using this key for a couple of weeks on my keychain. Configured different accounts and it works like a charm with both USB and NFC. A nice solid piece of key-like plastic with no flex or anything. I have dropped it, stepped on it, and submerged it when trying to get my dog out the water. Other than a little wear and a few nicks in the plastic there’s nothing wrong with it.

In This post, I will focus on Windows 11 and browser sign-in with the Feitian ePass NFC Plus FIDO2 Security key.  Another post is going to be about Android mobile devices and this same key. Once again, a big thank you goes out to Della Han from “FEITIAN Technologies Co., Ltd.” For providing the security keys for testing.

A picture containing indoor, computer, keyboard, desk Description automatically generated

User account setup

I have setup a user account with a very complex and random password and did not configure any authentication methods yet.

Update: TAP is now General available!

User authentication methods

Let’s add TAP as the authentication method:

  1. Click on Add authentication method
  2. Choose TAP as the preferred method
  3. Set the activation duration
  4. Set One-time-use (if set to Yes, the TAP can only be used once)
  5. Click on Add

configure Azure TAP

When you click on Add, it will show you the temporary access pass. This is what you need to share with your user.

Temporary access pass details

Note: Before you click on OK make a note of the temporary access pass because after clicking OK, there is no way to show the TAP again. If you did not take a note, you will have to create another TAP.

Note: Don’t forget to have a look at Jan Bakkers‘s in depth post on How to build a PowerApp – Temporary Access Pass Manager. Very useful!

Temporary Access pass User experience – Setup

Update: TAP is now General available!

Previously you could use the TAP during Windows Autopilot enrollment but Microsoft decided to disable that.

“A Temporary Access Pass cannot be used with the Network Policy Server (NPS) extension and Active Directory Federation Services (AD FS) adapter, or during Windows Setup/Out-of-Box-Experience (OOBE), Autopilot, or to deploy Windows Hello for Business.

Update: Since TAP is general available, Microsoft made some changes and I’m happy to read that you can also use TAP while enrolling a device with Autopilot:

I quote: “Users with a Temporary Access Pass can navigate the setup process on Windows 10 and 11 to perform device join operations and configure Windows Hello For Business

Remember that a TAP does NOT replace a user password! So how can we enable a user to sign in without a password? That is where the TAP and the security key comes in.

Temporary Access pass User experience - Setup

Then before typing the password, click on “Use your temporary Access Pass instead

Use your temporary Access Pass instead

Type in the temporary Access Pass and click on Sign in

temporary Access Pass

Now setup the Authenticator app for MFA. (you are still able to use your password if you need to) I’m going to skip this part and assume you know how this works. Just follow the instructions

setup the Authenticator app for MFA

When you are ready with configuring the Authenticator app, you will land on your Security Info page, where you can register Authentication methods that are available.

Now, lets add a security key;

  • Click on Add method
  • Select Security key
  • Click Add
  • Follow the instructions. If you want to learn more. See my previous blog

register Authentication methods

When you are ready, the security key will show on the Security Info page:

Security Info page

Windows Autopilot enrollment without a password

Now that we have setup a security key, the user is ready to enroll a Windows 11 device with Windows Autopilot, without needing a password. Instead, he is going to use the Feitian ePass FIDO2 security key. In the examples/screenshots below, I’ve used VirtualBox with a Window 11 VM because VirtualBox gives me the option to use security keys to log-in to Windows. I couldn’t find a way to use the security key with a guest in Hyper-V. If you do know how-to, please let us know. I’m skipping the Windows Autopilot enrollment to the point where it gets interesting.

In the next screen fill in your e-mail address and in the next screen click on “sign in with a security key

Windows Autopilot enrollment without a password

Insert your security key. That’s the one you configured previously.

Windows Autopilot enrollment without a password

Enter your Security key PIN code and click on OK

Windows Autopilot enrollment without a password

Finally, touch your security key

Windows Autopilot enrollment without a password

Get a cup of coffee…

Windows Autopilot enrollment without a password

Now setup Windows Hello

Windows Autopilot enrollment without a password

I’m using the Windows Hello PIN option here

Windows Hello PIN

You are now ready to sign-in using Windows Hello PIN or your security key

Windows Autopilot enrollment without a password - all set

Sign-in to Windows 11 with a security key

Let’s reboot the device and see what happens. Upon reboot, you will see the login screen asking to insert your security key.

Sign-in to Windows 11 with a security key

When you insert the key, it will ask for the Security key PIN. Type in your PIN and click on ENTER

Sign-in to Windows 11 with a security key

You’re good to go 😉

Sign-in to Windows 11 with a security key

Here’s the Windows 11 desktop.

Sign-in to Windows 11 with a security key

Now let’s start the Edge browser and see if SSO works.

Sign-in to Windows 11 with a security key

As you can see, everything is OK and password freedom already feels like…well…passwordless…

Passwordless experience on BYOD

When users want to sign-in to Microsoft 365 apps using a browser on a BYOD, they can sign-in using the security key.

Go to https://portal.office.com on a BYOD and type in your e-mail address

sign-in-office-365

You will be prompted to Sing in with a security key. Insert the key and follow the instructions:

sign in with security key

Type in your Security key PIN and click on OK

security-key-pin

There you have it. Even on unmanaged devices, there’s no need for a password.

Office 365

I’ve configured restricted access to SPO and OneDrive from BYOD for extra security.

Restricted-access-SPO

Final thoughts

Temporary Access pass helps with your passwordless journey and FIDO2 Security keys are a great next step. However, remember that even with all this configured, users are still able to actually use a password. They might not know their password, but with self-service password reset configured most of the time, they can simply reset their password. Especially when users forget their security key there is a risk, they will use passwords. Therefore, you should already think about the next steps.

Microsoft has a good document on passwordless strategy and explains the 4 steps to password freedom;

  1. Develop a password replacement offering
  2. Reduce user-visible password surface area
  3. Transition into a passwordless deployment
  4. Eliminate passwords from the identity directory

This post covers points 1 to 3 mostly and we transitioned a user to passwordless: The user never types the password, never changes the password and does not know the password.

The next step will be to:

  1. Eliminate the option to use passwords when signing into Windows by excluding the password credential provider.
  2. Only allow Windows Hello for Business or a security key to sing in to Windows
  3. Enable passwordless sign-in with the Microsoft Authenticator app

but that is something I might cover in another blog.

 

0 0 votes
Article Rating

Oktay Sari

#Microsoft365 | #Intune |#MEM | #Security | Father | #Diver | #RC Pilot & #Magician in spare time | Microsoft MVP

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

2 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
trackback

[…] Password Freedom. What would a world without passwords look like? Pretty perfect, isn’t it? It’s closer than you can imagine. […]

trackback

[…] Password Freedom (allthingscloud.blog) […]