Password-less protection

Reduce your risk exposure with password alternatives
Contents

Introduction: Passwords are no longer enough
Why eliminate passwords?: Moving away from passwords
Introduction to password replacement technology: What do we mean by password-less authentication?
Adopting a password-less strategy
  Choosing the right technology
    Windows Hello for Business
    Microsoft Authenticator app
    FIDO2 security keys
    Comparing the Microsoft technologies for password-less authentication
  Understanding how strong authentication works
    Secure authentication flow architecture
    Common misconceptions
  User adoption
    Old-school mentality
    Educating users on new authentication methods
Summary
Passwords are no longer enough

IT organizations around the world see the beginning of a new era, in which passwords are considered a relic of the past. The costs now outweigh the benefits of using passwords, which increasingly become predictable and leave users vulnerable to theft. Even the strongest passwords are easily phishable. The motives to eliminate authentication systems using passwords are endlessly compelling and all too familiar to every enterprise IT organization. But how do you get there?

For enterprise IT departments, nothing costs more than password support and maintenance. It’s common practice for IT to attempt lessening password risk by employing stronger password complexity and demanding more frequent password changes. However, these tactics drive up IT help desk costs while leading to poor user experiences related to password-reset requirements. Most importantly, this approach isn’t enough for current cybersecurity threats and doesn’t deliver on organizational information security needs.

81% of hacking-related breaches used either stolen or weak passwords.
Source: Verizon 2017 Data Breach Investigations Report

You can reduce your odds of being compromised by up to 99.9% by implementing multi-factor authentication (MFA).
Source: Microsoft 2018 Security Research

Why eliminate passwords?

Password authentication has always been challenging throughout the evolving enterprise security landscape. A password is supposed to provide a key to accessing an account and a security barrier to protect the account from attackers. To distinguish between the account owner and the attacker, organizations have needed to move beyond using just passwords for protection.

Multi-factor authentication (MFA)—for instance, a PIN and password, or biometrics—has presented a more secure method for organizations. With increasingly complex access environments and more access points than ever before, IT teams have every reason to add multi-factor authentication options such as smart-cards, hard and soft tokens, SMS, and more—wherever users connect to resources. By going beyond passwords to add authentication steps, you can make user access to your resources more secure.

However, depending on the implementation, MFA can also lead to increasing complexity regarding the user experience. It’s imperative for IT teams to deliver a seamless user experience while balancing security risk.

Many years ago, we started multi-factor authentication with smart-cards to secure the identity of our employees. Initially, we used physical smart-cards to secure, but it didn’t give people a smooth user experience. Additionally, this also requires a card reader in each hardware device which can be challenging to implement and also smart-cards are prone to be lost or forgotten. Then we focused on a nearly-friction-free experience, from using biometrics that allows people to use fingerprints, iris scans, facial recognition, and even heartbeats to authenticate their identity. These technologies are easier to use, more accessible to the needs and preferences of the person, and are significantly harder for criminals to exploit.

–Bret Arsenault, CVP & CISO, Microsoft

Source: Enterprise Security magazine

Figure: security versus convenience. Vertical axis from Low Security to High Security; horizontal axis from Inconvenient to Convenient. Plotted options: Passwords (low security); Passwords + standard 2 Factor authentication; Password-less authentication (high security, convenient).

Today, IT security teams are moving toward password-less authentication using advanced technologies like biometrics, PIN, and public/private key cryptography. Plus, new standards like Web Authentication API (WebAuthN) and Fast Identity Online (FIDO2) are enabling password-less authentication across platforms. These standards are designed to replace passwords with biometrics and devices that people in your organization already use, such as security keys, smartphones, fingerprint scanners, or webcams.

Password replacement options can help organizations provide convenience and ease-of-use without high-security risks. Ideally, with password-less authentication, you can have a future ecosystem of authentication that meets the organizational needs of high security and privacy, usability, and interoperability among different authentication devices.

Moving forward, end-users should never have to deal with passwords in their day-to-day lives. And with an intuitive sign-in/sign-up user experience, help desk costs can be reduced.

Introduction to password replacement technology

What do we mean by password-less authentication?

Password-less authentication, as we refer to it in this brief, is a form of multi-factor authentication that replaces the password with a secure alternative. This type of authentication requires two or more verification factors to sign in that are secured with a cryptographic key pair. The device creates a public and private key when registered. The private key can only be unlocked using a local gesture such as a biometric or PIN. Users have the option to either sign in directly via biometric recognition—such as fingerprint scan, facial recognition, or iris scan—or with a PIN that’s locked and secured on the device.

Adopting a password-less strategy

At its core, the underlying principle of password-less authentication is to eradicate the use of passwords and thereby drain their value for attackers. Moving forward with this approach requires technologies that can support it—and time for organizations and users to adopt these technologies. Adoption also involves a new mindset. Organizations have to understand how the approach works with their flow of operations and make the necessary technical and cultural shift, so that users can operate in this new password-less world.

Here are the key considerations for implementing password-less authentication into your MFA strategy:

1. Choosing the right technology – Develop password-replacement offerings with a new set of alternatives that address the shortcomings of passwords while embracing their positive attributes. This early stage is about implementing an alternative and getting users acquainted with it.

2. Understanding how it works – Get to know how password-less technologies overcome security challenges and reduce the user-visible password-surface area. Adopting these technologies means upgrading experiences related to the life-cycle of a user’s identity—including provisioning of an account, setting up a brand-new device, using the account/device to access apps and websites, and enacting recovery. It also means deconditioning users from providing a password any time a password prompt shows on their computer.

3. Increasing user adoption – Simulate a password-less world—that is, enable end users and IT admins to replicate the approach in a test environment and transition into a password-less world with confidence. This simulation should encourage a cultural shift within the organization—getting users comfortable with the idea of never typing, changing, or even knowing a password going forward.

Choosing the right technology

With biometrics on mobile phones and computers becoming more ubiquitous, the number of password replacement technologies has increased.

Microsoft offers solutions based on platform, hardware, or software that you can try out today and map with your password-less authentication requirements. Introduced by Microsoft in Windows 10, Windows Hello uses biometric sensors or a PIN to verify a user’s identity. The Microsoft Authenticator app is a software token that allows users to verify their identity with a built-in biometric or a PIN when signing into their work or personal accounts from a mobile phone.

As a member of the FIDO Alliance, Microsoft has been working with other alliance members to develop open standards for the next generation of credentials. As a result, you can now use portable FIDO2 hardware devices to log into a work machine or cloud services on supported devices and browsers.

Let’s go into more detail on each of these technology options.

Windows Hello for Business

Windows Hello for Business replaces passwords with strong multi-factor authentication on Windows 10 platforms, including PCs and mobile devices. This authentication consists of a new type of user credential that’s linked to a device and uses a biometric or PIN. It lets you sign in with your face, iris scan, fingerprint, or a PIN, and enables you to authenticate to enterprise applications, content, and resources without a password being stored on your device or in a network at all. The biometric data is only used locally and never leaves the device.

How it works

The Windows Hello provisioning process generates a cryptographic key pair bound to the Trusted Platform Module (TPM) on a device. Access to these keys and obtaining a signature to validate user ownership of the private key is enabled only by the PIN or biometric gesture. Taking place during Windows Hello enrollment, the two-step verification creates a trusted relationship between the identity provider and the user. When a user makes the gesture through the device, the provider is able to verify the identity from the combination of Hello keys and the gesture. This activates an authentication token that allows Windows 10 to access resources and services. For further information, go to Windows Hello for Business and Authentication.

Windows Hello for Business is personal, simple, and provides a brilliant user experience with high security. Our people love logging on with their fingerprint or face.

–Peter Scott, Director of Dynamic IT, British Telecom Technology

As of October 2018 there are 89 million active Windows Hello users worldwide. More than 6,500 organizations have deployed Windows Hello for Business. Major PC vendors are shipping devices that have integrated Windows Hello-compatible cameras or fingerprint readers.

Microsoft Authenticator app

Millions of people are using the Microsoft Authenticator app every day to better secure their sign-ins.

The Microsoft Authenticator app enables users to verify their identity and authenticate to their work or personal account. Microsoft Authenticator can be used to augment a password with a one-time passcode or push notification. The app can also be used to verify multiple factors and replace the need for a password. Instead of using a password, users confirm their identity using their mobile phone through fingerprint scan, facial or iris recognition, or PIN. Built on secure technology similar to what Windows Hello uses, this tool is packaged into a simple app on a mobile device, making it a convenient option for users. The Microsoft Authenticator app is available for Android and iOS.

How it works

In place of encountering a password prompt after entering a username, users get a push notification to verify presence. In the app, users confirm their presence by matching a number on the sign-in screen, then providing a face scan, fingerprint, or PIN to unlock the private key and complete the authentication. This multi-factor verification method is more secure than a password and more convenient than entering a password and a code. In some cases it doesn’t require any typing at all! For further information, go to How to use the Microsoft Authenticator app.

FIDO2 security keys

FIDO2 is an evolution of the U2F open authentication standard based on public key cryptography using hardware devices. This standard is intended to solve multiple user scenarios including strong first factor (password-less) and multi-factor authentication. With these new capabilities, a security key can entirely replace weak static username/password credentials with strong hardware-backed public/private-key credentials. These credentials cannot be reused, replayed, or shared across services. Devices and tokens that adhere to FIDO2, WebAuthN, and CTAP protocols bring about a cross-platform solution of strong authentication without using passwords. Microsoft partners are working on a variety of security key form factors, such as USB security keys and NFC-enabled smart cards.

How it works

Microsoft has been working with partners to ensure FIDO2 security devices work on Windows, the Microsoft Edge browser, and online Microsoft accounts, enabling strong password-less authentication. For shared device scenarios, security keys allow you to carry your credential with you and safely authenticate to an Azure AD joined Windows 10 device that’s part of your organization. You can use any shared Windows device belonging to your organization and authenticate securely—without needing to enter a username and password or set up Windows Hello beforehand. Unlike traditional passwords, these keys rely on high-security, public-key cryptography to provide strong authentication. Plus, these keys have all the benefits of a secured enclave to store credentials while also being portable, enabling more use cases for deskless and kiosk workers.

Security devices fit nicely with our current scenarios. They are simple to deploy and easy to use. We see value in rolling FIDO2-enabled HID badges to all 110,000+ Emirates Group staff in the future.

–Emirates IT

Microsoft has been aligned with the FIDO Alliance from the start; the alliance represents 250 organizations from various industries on a joint mission to replace passwords with an easy-to-use, strong credential.

Comparing the Microsoft technologies for password-less authentication

Here are some factors for you to consider when choosing Microsoft password-less technology:

Windows Hello for Business
Pre-Requisite: Windows 10, version 1511 or later; Azure Active Directory
Mode: Platform
Systems and devices: PC with a built-in Trusted Platform Module (TPM); PIN and biometrics recognition
User experience: Sign in using a PIN or biometric recognition (facial, iris, or fingerprint) with Windows devices. Windows Hello authentication is tied to the device; the user needs both the device and a sign-in component such as a PIN or biometric factor to access corporate resources.
Enabled scenarios: Password-less experience with Windows device. Applicable for dedicated work PC with ability for single sign-on to device and applications.

Microsoft Authenticator app
Pre-Requisite: Microsoft Authenticator app; Phone (iOS and Android devices running Android 6.0 or above)
Mode: Software
Systems and devices: PIN and biometrics recognition on phone
User experience: Sign in using a mobile phone with fingerprint scan, facial or iris recognition, or PIN. Users sign in to work or personal account from their PC or mobile phone.
Enabled scenarios: Password-less anywhere solution using mobile phone. Applicable for accessing work or personal applications on the web from any device.

Fast Identity Online (FIDO) 2 security devices
Pre-Requisite: Windows 10, version 1809 or later; Azure Active Directory
Mode: Hardware
Systems and devices: FIDO2 security devices that are Microsoft compatible
User experience: Sign in using FIDO2 security device (biometrics, PIN, and NFC). User can access device based on organization controls and authenticate based on PIN, biometrics using devices such as USB security keys and NFC-enabled smartcards, keys, or wearables.
Enabled scenarios: Password-less experience for workers using biometrics, PIN, and NFC. Applicable for shared PCs and where a mobile phone is not a viable option (such as for help desk personnel, public kiosk, or hospital team).

Understanding how strong authentication works

Secure authentication flow architecture

All three technologies use the same proven cryptographic authentication pattern, with credentials based on the certificate or asymmetrical key pair. These credentials—plus the token that is obtained using the credential—are bound to the device (Windows or FIDO2 device, or mobile phone).

The authenticator generates a key pair and returns the public key. Optionally, the authenticator also returns an attestation to the identity provider such as Azure Active Directory.

The identity provider validates user identity and maps the public key to a user account during the registration or provisioning step. Authentication requires multiple factors, combining a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). Private keys are securely stored on the device. Private keys are bound to a single device and never shared. These keys don’t roam and are never sent to external devices or servers.

This kind of authentication requires a local gesture. PIN entry and biometric gesture both trigger devices to use the private key to sign data that’s sent to the identity provider cryptographically. The identity provider verifies the user’s identity and authenticates the user.

Secure authentication flow architecture

Figure: secure authentication flow between the user, the device (biometric scan or Hello gesture) and the identity provider, with the steps numbered 1 to 4.

1. The user attempts to sign into their account from a device. The device sends an authentication request. The identity system (for example, Azure AD) requests validation.

2. The user interacts with a local gesture (for example, biometric, PIN) on their device. The device uses the private key to sign the nonce and returns it to Azure AD with the key ID. A request/signature containing both the nonce and the key ID, signed with the device key, is sent to Azure AD.

3. Azure AD verifies the signature with the public key in the user object and verifies the nonce. It builds a Primary Refresh Token (SSO token) and an ID token and sends them back along with an encrypted session key. The user accesses applications without the need to authenticate again (SSO).

Common misconceptions

Misconception 1: Isn’t a PIN the same as a password?

A PIN looks much like a password, which may lead people to equate them. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both uppercase and lowercase. However, it’s not the structure of the PIN that makes it better (length, complexity), but rather how it works. A PIN is tied to the specific hardware device it was set up on. Without the device, the PIN is useless. If someone stole your PIN and wanted to sign in to your account, they’d need your physical device too.

Misconception 2: If I use password-less authentication, doesn’t that impact my legacy apps and protocols?

Adopting password-less authentication when still using legacy protocols does present challenges. However, for this purpose, Microsoft is developing a time-limited password—a kind of one-time password with a current time or a time limit that the user could generate when using legacy authorization.

Misconception 3: Can’t a biometric access system get hacked or spoofed?

Microsoft understands how critical it is to protect your biometric data from theft. For this reason, your “biometric signature” is secured locally on the device and shared with no one but you. Plus, your signature is only used to unlock your device and never to authenticate you over the network. As it just stores biometric or PIN identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data.

In a typical deployment of FIDO2 and Windows Hello, a user swipes a finger, speaks a phrase, or looks at a camera on a device to sign in. Behind the scenes on that device, the biometric is used as an initial factor to then unlock a second, more secure factor: a private cryptographic key that works to authenticate a user to the service.

A common biometric attack method involves trying to spoof a person’s body part, with the goal of tricking the system into thinking that a fake is real. Any spoofing or hacking attack would first require that the attacker gains custody of the device. Beyond the various layers of protection, many biometric systems today are building in “liveness detection” to validate that a biometric presented is real.

User adoption

No change is easy. Cultural and technical challenges follow organizations as they proceed with password-less authentication methods.

Every organization is complex; while password-less authentication offers improved security and user experience, most organizations need to fix many fundamental facets to start on this journey. These fixes can be implemented over time to additional groups to reduce your risk of attacks and security breaches. That effort offers rewards, however. From a technological viewpoint, reducing the use of passwords and eventually eliminating them can help you make a sea change in both security and productivity for your organization.

Getting rid of passwords can help you enjoy these benefits:

As a user, you can sign in faster to use applications and services. There are no passwords to create, store, or remember.

Password-less authentication delivers a higher degree of trust and security for apps, devices, and service providers. You don’t have to store passwords.

It’s cost-effective for IT. IT support teams can be freed from endless password problems.

Old-school mentality

It’s nearly impossible for an organization to visualize how different individuals go about their day-to-day activities, or to validate this password-less change accurately. It’s crucial for organizations to do just that. Understand that you’re encouraging people, including many in IT leadership, to switch from a widely adopted security system, like passwords, that’s very familiar, comfortable, and conventional. And don’t forget: change for most people is hard. Yet, in this case, once users experience password replacements, they’ll forget that they even needed to enter passwords on a day-to-day basis or reset passwords on their own in a self-service portal. You need to make them realize it’s simpler, better, and help them erase the mentality that a password is the key to their world. Passwords are not enough anymore. It’s time to go to the next level of authentication.

Organizations need to educate their users that:

1. Hackers easily guess passwords. One encouragement could be that MFA is simply making their password authentication better and stronger.

2. Companies that have experienced data breaches may have leaked user data to the web. Hackers that obtain user information can use that information to guess further passwords because users often use the same, or a derivative, password for several sites or services.

3. Phishing efforts often lead users to sign in to fake sites, giving their usernames and passwords away. With password-less authentication, this is an issue of the past because the physical keys are bound to the machines they use and FIDO2 tokens will not authenticate with a website they don’t trust.

Educating users on new authentication methods

The successful evolution of password-less authentication heavily relies on user acceptance. An awareness drive on these new password-less authentication methods can help users understand and affirm the new way of authenticating to their devices, such as using Windows Hello for Business or Microsoft Authenticator-based applications.

This awareness practice can answer some of the objections, encourage questions and feedback, and explain the value of this change. The user education enables and inspires users to try the experience out.

Summary

The adoption of modern multi-factor authentication technologies—like biometrics and public key cryptography in widely accessible devices—is one of the most impactful steps that can meaningfully reduce a company’s identity risk. Given emerging requirements, organizations can prepare themselves by making a plan to start moving to password-less technologies.

Going password-less is a long-term approach for secure authentication, and it’s still evolving. It can take time to transition. You can start with a pilot of one or more options. For users that can’t go password-less, turn on MFA to validate users and minimize prompts based on the risk of the sign-in with conditional access capabilities. Use a password filter to block leaked credentials and common passwords from being used with password protection policies.

For more information, here are some resources that can help you get started:

Overview of Microsoft password-less technologies
Windows Hello for Business documentation
About the Microsoft Authenticator app

© 2018 Microsoft Corporation. All rights reserved. This document is for informational purposes only. Microsoft makes no warranties, express or implied, with respect to the information presented here.