Last year, I had the opportunity to do in-person presentations about going Passwordless and also wrote many blogs about this topic. In this post I wanted to share some of the information I talk about during these presentations and give you a better idea of why you should consider going passwordless. I will also share some fun facts, look at what options we have, and help you start your passwordless journey. This post is a little less technical and more of a summary of some of the interesting things that I think might help you get started.
The Compatible Time-Sharing System (CTSS), an OS introduced in 1961, was the first computer system to implement a password login. The man who started all this, a.k.a. ‘the father of computer passwords’, was Fernando J. Corbató.
The bad thing about Passwords
Passwords are hard to remember but very easy to guess! Think about it. If you have a strong password, it will most likely be very hard to remember. At the same time, this same password is easy to guess. Or should I say it’s easy to brute force using a dictionary attack. So it’s easy for computers to guess.
Take a look at the example below. The password Tr0ub4dor&3 seems to be strong enough, but it is hard to remember. For current brute-force and dictionary-attack tools, however, it is very easy to guess. Up-to-date tools can even take care of the common substitutions we use to make passwords stronger. Or so we think…
On the other hand, a password like ‘correct horse battery staple’, consisting of four random words, is easier to remember and, at the same time, difficult to guess or brute force.
Infographics designed by https://xkcd.com
It seems to be human nature that we can’t help but try to make the easy passwords we use even easier to remember. So we come up with hints and some sort of mnemonic to help our lazy brains remember an easy password. To give you an example: for the random four-word password ‘correct horse battery staple’ you could use any object on your desk to help you remember your password. But then again, these objects should always be there to help you remember, right? So what can we do? We design our own mug in the colour green (= correct) with a picture of a horse, a battery and a staple. Now every time you pick up your mug to have a sip of your coffee, you’ll remember your password: correct horse battery staple.
But don’t fool yourself! Someone with good social engineering skills will pay attention to these little details when walking around the floor like a superhero support engineer or telco employee coming to the rescue (and stealing valuable information along the way).
I would still recommend going with a good password manager and creating truly random passwords of 25 characters or more. I know it’s almost impossible to think of a mnemonic for the password ‘*eo4qrP 8AvN- erxUB c#ARYs pZ$Nrs2h’. This is a five-word (if they count as words) truly random password. Good luck brute forcing (or remembering) this one.
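To put numbers on the three passwords discussed above (the Tr0ub4dor&3 pattern, the four-word passphrase, and the long random string from a password manager), here is an added example that is not part of the original post. It models each password as a series of decisions an attacker must guess and adds up the entropy, using the xkcd strip’s own per-decision estimates and its 1000-guesses-per-second rate as stated assumptions; the word list and alphabet are constructed stand-ins, and the generator functions use Python’s `secrets` module, which is what a password manager style tool should draw from.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware-style word list; a real list has
# thousands of entries (the xkcd estimate assumes 2048 words, i.e. 11 bits each).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "mug", "green", "coffee", "desk"]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "  # 95 symbols


def pattern_entropy_bits(pattern):
    """Entropy of a password built from a known pattern: each (label, choices)
    pair is one decision an attacker must guess, so the bits simply add up."""
    return sum(math.log2(choices) for _label, choices in pattern)


# The 'Tr0ub4dor&3' pattern from the xkcd strip the post reproduces. The size
# of each decision is the comic's rough estimate, restated here as an
# assumption about what a dictionary attack already knows.
TROUBADOR_PATTERN = [
    ("uncommon base word from a dictionary", 2 ** 16),
    ("capitalise the first letter or not", 2),
    ("common substitutions (0 for o, 4 for a, ...)", 2 ** 3),
    ("one numeral", 2 ** 3),
    ("one punctuation symbol", 2 ** 4),
    ("numeral before or after the punctuation", 2),
]


def passphrase_entropy_bits(word_count, wordlist_size=2048):
    """Random words drawn from a list: log2(list size) bits per word."""
    return word_count * math.log2(wordlist_size)


def random_chars_entropy_bits(length, pool_size=len(PRINTABLE)):
    """Uniformly random characters: log2(pool size) bits per character."""
    return length * math.log2(pool_size)


def full_search_seconds(bits, guesses_per_second):
    """Time to try every candidate; the expected time to a hit is half of this."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(word_count, wordlist=SAMPLE_WORDS):
    """Draw words with the CSPRNG-backed secrets module, never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def generate_random_password(length, alphabet=PRINTABLE):
    """Uniform random characters from the alphabet, as a password manager would."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # 1000 guesses/s is the comic's online-attack rate; offline cracking of a
    # stolen hash runs many orders of magnitude faster.
    guesses = 1000
    for label, bits in [
        ("Tr0ub4dor&3 pattern", pattern_entropy_bits(TROUBADOR_PATTERN)),
        ("four random words", passphrase_entropy_bits(4)),
        ("32 random printable characters", random_chars_entropy_bits(32)),
    ]:
        days = full_search_seconds(bits, guesses) / 86400
        print(f"{label:32s} {bits:6.1f} bits  ~{days:,.0f} days at {guesses} guesses/s")
    print("example passphrase:      ", generate_passphrase(4))
    print("example random password: ", generate_random_password(32))
```

With the comic’s assumptions the pattern password comes out at 28 bits (about three days of guessing), the four-word passphrase at 44 bits (over five centuries), and the 32-character random string at around 210 bits, which is why the password-manager option wins on strength even though it is the one nobody can memorise. Swap `SAMPLE_WORDS` for a real word list before using `generate_passphrase` for anything but illustration.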
And yet again, it’s human nature to try and make things as easy as possible. We are lazy creatures.
Did you know that May 4th, 2023 is World Password Day? (It falls on the first Thursday of May every year.)
What is passwordless?
With passwordless methods, the password is removed and replaced with something you have, plus something you are or something you know.
We’ve come a long way since the time we only used passwords… (Pause…) You don’t use only passwords, right? If you are in the yellow zone, then you are already on the right track. If possible, try to move to the blue zone as soon as possible. I know it’s been said so many times, but Multi-Factor Authentication (MFA) is the very least you should use these days. And if you are ready to take it to the next level, then you’re using passwordless authentication methods.
If you want to read more about passwordless, have a look at one of my previous posts:
Passwordless authentication with Windows 10 and Azure AD, or check out all my previous posts on this topic by searching this site for ‘passwordless’.
The more passwords a user needs to manage, the higher the risk of leaked credentials, because we tend to use weak passwords or, even worse, reuse passwords across different accounts. The most important business drivers for adopting passwordless are security and user experience. Simple as that!
Did you know that the average person has about 38.4 online accounts? And most of these accounts still use a username password combination for authentication. Guess what? With so many accounts, many will use the same password across different accounts! I’ll let the infographic below speak for itself.
Source: SC Magazine, National Cyber Security Centre, Verizon 2020 Data Breach Investigations Report, Windows Central
To improve the security of systems, admins implement password policies to ensure that users create strong passwords. However, this also makes passwords difficult to remember, decreasing overall usability. So it’s a balancing act… And what better balance than having happy users who don’t need to remember passwords, while from a security perspective you have a very strong authentication method. That’s what passwordless can do for you.
The interesting authentication methods are the ones we can use both as the primary authentication method (replacing the password) and as the secondary authentication method. In the table below you can see that these are:
- Windows Hello for Business
- Microsoft Authenticator app
- FIDO2 security key
Note: Although the documentation and the table below still show Certificate-based authentication in preview, at Ignite 2022 Microsoft announced general availability of Azure Active Directory Certificate-Based Authentication.
Users can bootstrap Passwordless methods in one of two ways:
- Existing Azure AD MFA methods
- Using a Temporary Access Pass (TAP)
Users with a Temporary Access Pass can navigate the setup process on Windows 10 and 11 to perform device join operations and configure Windows Hello for Business. It also allows users to onboard other authentication methods, including passwordless methods such as Microsoft Authenticator or FIDO2. This makes TAP your new best friend when thinking about going passwordless.
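Because a TAP is the one credential that can bootstrap everything else, the admin side matters: issue it short-lived and single-use, hand it over out of band, and record the expiry rather than the pass. The following is an added example, not code from the post or from Microsoft, that creates a TAP through the Microsoft Graph `temporaryAccessPassMethods` endpoint with Python’s standard library. The policy bounds (10 minutes to 30 days), the single-use default and the environment variables `TAP_USER` and `GRAPH_TOKEN` are assumptions you should check against your own tenant’s TAP policy; the token must carry the `UserAuthenticationMethod.ReadWrite.All` permission.

```python
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"

# Assumed tenant policy bounds; check the Temporary Access Pass authentication
# method policy in your own tenant before relying on these numbers.
TAP_MIN_MINUTES = 10
TAP_MAX_MINUTES = 43200  # 30 days


def build_tap_request(lifetime_minutes=60, usable_once=True, start=None):
    """Body for POST /users/{id}/authentication/temporaryAccessPassMethods.
    Lifetimes outside the policy window are rejected here, before any call,
    and usable_once defaults to True so a leaked TAP cannot be replayed."""
    if not TAP_MIN_MINUTES <= lifetime_minutes <= TAP_MAX_MINUTES:
        raise ValueError(f"lifetime must be {TAP_MIN_MINUTES}-{TAP_MAX_MINUTES} minutes")
    body = {"lifetimeInMinutes": lifetime_minutes, "isUsableOnce": usable_once}
    if start is not None:
        # Optional delayed start, e.g. for a new joiner's first day.
        body["startDateTime"] = start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return body


def _parse_graph_time(value):
    # Graph timestamps look like 2023-05-04T10:00:00.1234567Z; drop the fraction.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def summarize_tap(method):
    """Reduce the Graph response to what the help desk hands to the user and
    what gets recorded. Log the id and expiry, never the pass itself."""
    start = _parse_graph_time(method["startDateTime"])
    expires = start + timedelta(minutes=method["lifetimeInMinutes"])
    return {
        "id": method["id"],
        "pass": method["temporaryAccessPass"],
        "usable_once": method["isUsableOnce"],
        "expires_at": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def create_tap(user_id, token, lifetime_minutes=60, usable_once=True, start=None):
    """Issue a TAP for user_id (object id or UPN) and return its summary."""
    body = build_tap_request(lifetime_minutes, usable_once, start)
    req = urllib.request.Request(
        f"{GRAPH}/users/{user_id}/authentication/temporaryAccessPassMethods",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return summarize_tap(json.load(resp))


if __name__ == "__main__":
    # Assumption: the target user and a Graph token come from the environment, e.g.
    # GRAPH_TOKEN=$(az account get-access-token --resource https://graph.microsoft.com \
    #               --query accessToken -o tsv)
    user = os.environ["TAP_USER"]
    result = create_tap(user, os.environ["GRAPH_TOKEN"])
    print(f"TAP {result['id']} for {user} expires {result['expires_at']} "
          f"(single use: {result['usable_once']})")
    print("Hand this over out of band and do not log it:", result["pass"])
```

The same two settings, a short lifetime and `isUsableOnce`, are what you would set in the TAP authentication method policy as tenant-wide limits, so that a help-desk script like this one cannot issue anything longer-lived than you intend.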
Working passwordless on Windows devices
Here’s a video I created for working passwordless on Windows devices, showing you the complete setup and configuration in the back-end, as well as the user experience when:
- Enrolling Windows using TAP
- Configuring Windows Hello for Business
- Then configuring a FIDO2 Security key
- The user performs a passwordless Sign-in
Working passwordless on mobile devices – User experience
Here’s another short video I created for working passwordless on mobile devices, showing you the user experience on an Android device. In short, it shows you how to:
- Configure the Authenticator App
- Setup phone Sign-in
- Configure Outlook (MAM only)
- Configure a work profile
- Company Portal App
- Sign-in from another device
How to start with passwordless
You might be wondering how to start your own passwordless journey and I hope this blog and the other blogs I wrote about passwordless in the past will help you get started. Let me know what you think. Are you already using passwordless authentication methods? I invite you to share your tips and findings below.
You’re already there if you’re reading this post. Gather as much information as you need, and make sure it’s relevant to your own scenario.
After you’ve done your research, start testing passwordless solutions in your test tenant. It might not be possible to rebuild your exact production tenant, but try to get familiar with the authentication methods, FIDO2 and Temporary Access Pass.
When you are done with testing, you can start with a small pilot group of users in your test tenant, and when you’ve gathered feedback, start with the same pilot group in your production tenant. You can always add more people to your pilot group, but make sure there is a definition and an action plan for your pilot. Remember, pilots have a start and an end. I’ve seen many tenants in a never-ending pilot loop 😊.
Start slow and evaluate
Once the pilot is done, you can start migrating users to your preferred passwordless method. How you do this depends on a lot of factors, but for most enterprises a big bang is not an option. So carefully plan your passwordless strategy. Make sure to evaluate along the way, so you can make adjustments and improvements. In the end, it’s all about a frictionless user experience.
Transition into passwordless deployment
This is your end-game. When you’ve transitioned to a passwordless deployment, your users will never have to type or remember their password, because they never get to know what their password is. The only thing close to a password, is the Temporary Access Pass (a one-time password).
Here’s another article from Microsoft describing Windows’ password-less strategy and how Windows Hello for Business implements this strategy. The Four steps to password freedom.
Personally, I look forward to the step ‘eliminate passwords from the identity directory’ but I think it’ll take a while before we are there. Imagine creating a user account in Azure AD, with no option to create a password for that account. A user account born, without a password.
- Password Freedom
- Eliminating passwords
- What is your excuse for passwords
- Passwordless authentication with windows 10 and Azure AD
- going passwordless on shared Windows devices
- Working passwordless on Mobile devices