World Password Day

A green trash can placed against a gray brick wall

Forget passwords. Passwords are garbage. To celebrate World Password Day, I’m curating blog articles that can help organizations on their passwordless journey.

While much of the Microsoft documentation on passwordless is quite good, it can be overwhelming. The hope here is to give you some great leads on clear, step-by-step instructions for getting from a password-filled world to a passwordless one in Active Directory and Azure AD.

With each link, I’ve provided a rough time estimate for how long the process should take, given a dedicated effort. There will always be a fringe case or two where passwordless is more complex: for example, if your existing environment uses ADFS with smartcards, has domain controllers older than Windows Server 2016, or has a lot of Macs. It always helps to review the documentation, which I also link to.

If you want to dive further into why this is so important, I’ll refer you to these two blog articles from Alex Weinert [@Alex_T_Weinert], the Director of Identity Security at Microsoft.

Your Pa$$word doesn’t matter – Microsoft Tech Community – Alex discusses why MFA is so important.

All your creds are belong to us! – Microsoft Tech Community – Alex discusses why passwordless strong authentication is important and shows why more common forms of MFA are still phishable.

See something missing? Still have questions? Not sure how the underlying technology works? Reach out to me.

And if you are a fellow Microsoft blogger who thinks their article would be a good fit, but it’s not on here? Reach out and I’ll update accordingly.

But I haven’t started the passwordless journey yet

You aren’t alone. Many organizations find it difficult to fit yet another new project onto the docket.

The thing about passwordless – while it may be a journey, it’s also one of the easiest journeys to start. All major mechanisms of passwordless – Windows Hello for Business (WHfB), FIDO2 security keys, Authenticator App for primary authentication, and smartcards – they all can be implemented in a wave/phase/ring (pick your favorite descriptor) approach. And the underlying directory & infrastructure changes (if any) can be implemented in a non-disruptive manner.

Can’t get the whole organization onboard? That’s ok, x% is better than 0%.

Don’t have biometrics on all your devices? WHfB has PIN support.

End users not wanting to MDM-enroll their devices? Passwordless sign-in with the Authenticator App only requires Azure AD device registration of the phone, not MDM enrollment.

FIDO2 feel odd or uncomfortable? It’s essentially modern smartcards.

Have some applications that still use legacy means of authentication? Most organizations do, but we can minimize the need to use passwords beyond them.

Concerned users may still use their password because you can’t fully get rid of it? When we give users an easier passwordless experience, they will not opt for something more complex. Users love easy things.

When talking about the security of identity, the most important thing we can all do is change our mindset. Instead of focusing on the possibility that a single solution may not cover 100% of user personas, we need to focus on whatever percentage we can cover, which will reduce the password attack surface immensely for those users, and our organization.

Authenticator App for Primary Authentication

Infrastructure effort: 5-10 minutes
End user enrollment effort: 5-10 minutes
Can be rolled out selectively: Yes
Can be enabled on an end user without forcing them to enroll: Yes

Lots of folks might be familiar with the Microsoft Authenticator App, but did you know you can use it for passwordless authentication? You can. It’s great for when users need to be passwordless when accessing company resources from a mobile device, or when they are on the go and need to auth through a web browser.

Jason Samuel [@_JasonSamuel] has a good write-up here covering enablement. He also gets into Citrix Workspace, but even if you don’t have Citrix in your environment, the other parts are written in a straightforward way:

How to setup password-less phone sign-in authentication with Microsoft Authenticator, Azure AD, and Citrix Workspace – JasonSamuel.com

Microsoft Docs article for reference can be found here:

Passwordless sign-in with the Microsoft Authenticator app – Azure Active Directory | Microsoft Docs

⚠️ Note that if you are also using the number matching preview for Authenticator App push notifications, the passwordless configuration is covered under the same Microsoft Authenticator settings in Azure AD. If you are using groups to selectively roll out these settings, I cover targeting groups here:

Azure AD: Increasing Security within the MFA Experience – Eric on Identity

FIDO2 Security Keys

Infrastructure effort: 20 minutes for Azure AD Joined (AADJ) devices. 40 minutes for Hybrid Azure AD Joined (HAADJ) devices.
End user enrollment effort: 5-10 minutes
Can be rolled out selectively: Yes
Can be enabled on an end user without forcing them to enroll: Yes

FIDO2 security keys are the latest and greatest thing. They are based on asymmetric (public/private key) cryptography, the same building block that underpins the certificates most of us are used to, though a FIDO2 credential is a bare key pair rather than a certificate: the private key never leaves the key, and only the public key is registered with Azure AD.

Many organizations that have never operated in a highly secure environment where smartcards are prevalent may find the idea of a device holding a private key for authentication a bit odd. But we should look at FIDO2 security keys as smartcard 2.0: all the great security properties of smartcards, packaged and managed in a way that is easier for both IT and the end user.

For a great deep dive on how FIDO2 works, look at this article by Dominik Hoefling [@DominikHoefling]:

Understanding How FIDO Makes Passwordless Authentication Possible (practical365.com)

To see how to configure your environment to support FIDO2 for Azure AD Joined devices, Peter Klapwijk [@inthecloud_247] has us covered. He uses Feitian keys but any supported FIDO2 key will work:

Enable passwordless authentication to Windows 10 with Feitian security keys | (inthecloud247.com)

Peter also has a great article covering the same, but for Hybrid Azure AD Join:

Enable passwordless security key sign-in in Hybrid Azure Active Directory environments | (inthecloud247.com)

Microsoft Docs articles for reference can be found here:

Passwordless security key sign-in – Azure Active Directory | Microsoft Docs

Passwordless security key sign-in Windows – Azure Active Directory | Microsoft Docs

Passwordless security key sign-in to on-premises resources – Azure Active Directory | Microsoft Docs
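Both the Authenticator App section above and the FIDO2 section are configured in the same place: the Azure AD authentication methods policy, where each method can be enabled for a group rather than the whole tenant. The following is an added example written for this page, not code from the original post or from any of the linked articles. It uses the Microsoft Graph PowerShell SDK to enable Microsoft Authenticator (passwordless phone sign-in) and FIDO2 security keys for a pilot group, then reads the configuration back. The group object ID is a placeholder; the number matching feature settings mentioned in the note above live on the same MicrosoftAuthenticator configuration object but are not scripted here.

```powershell
# Added example (not from the original post): enable Authenticator passwordless
# sign-in and FIDO2 security keys for a pilot group via the Azure AD
# authentication methods policy in Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK is installed.

$PilotGroupId = '00000000-0000-0000-0000-000000000000'  # placeholder: object ID of your pilot group
$PolicyBase   = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations'

# Delegated scope required to change the authentication methods policy.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

# Microsoft Authenticator for the pilot group. authenticationMode 'any' allows
# passwordless phone sign-in as well as standard push approvals for these users.
$authenticatorBody = @{
    '@odata.type'  = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    state          = 'enabled'
    includeTargets = @(
        @{ targetType = 'group'; id = $PilotGroupId; authenticationMode = 'any' }
    )
}
Invoke-MgGraphRequest -Method PATCH -Uri "$PolicyBase/MicrosoftAuthenticator" `
    -Body ($authenticatorBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# FIDO2 security keys for the same pilot group. isRegistrationRequired = $false
# enables the method without forcing users to enroll (matches the section header).
# isAttestationEnforced only accepts keys with valid FIDO Alliance metadata attestation.
$fido2Body = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationAllowed = $true
    isAttestationEnforced            = $true
    keyRestrictions = @{
        isEnforced      = $false      # set $true and list AAGUIDs to allow only approved key models
        enforcementType = 'allow'
        aaGuids         = @()
    }
    includeTargets = @(
        @{ targetType = 'group'; id = $PilotGroupId; isRegistrationRequired = $false }
    )
}
Invoke-MgGraphRequest -Method PATCH -Uri "$PolicyBase/Fido2" `
    -Body ($fido2Body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read back and verify: each method should be enabled and target only the pilot group.
foreach ($method in 'MicrosoftAuthenticator', 'Fido2') {
    $cfg     = Invoke-MgGraphRequest -Method GET -Uri "$PolicyBase/$method"
    $targets = ($cfg.includeTargets | ForEach-Object { "$($_.targetType):$($_.id)" }) -join ', '
    '{0}: state={1}, targets=[{2}]' -f $method, $cfg.state, $targets
}
```

Keeping the two methods on separate PATCH calls means a failure in one does not leave the other half-applied, and the read-back loop is the check you want before telling pilot users to enroll: a method that shows `state=enabled` but an empty target list is enabled for nobody.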

Windows Hello for Business

Infrastructure effort: 20 minutes [Azure AD Join Cloud Trust], 1-2 hours [Hybrid Cloud Trust], 2 hours-3 days [Hybrid Key Trust]
End user enrollment effort: 2-5 minutes (plus a 30-60 minute usability delay for Hybrid Key Trust while the user’s public key syncs back to Active Directory)
Can be rolled out selectively: Yes
Can be enabled on an end user without forcing them to enroll: No [1]

[1] There are mechanisms that can delay end-user enrollment, but the complexity usually is not worth the effort.

Windows Hello for Business. It’s like Face ID, for Windows. Or is Face ID like Windows Hello for Business, but for iOS??

If you don’t have a fancy camera, it also works with your fingerprint. And if you have no fancy biometric thingies, you can use it with just a PIN. But wait, isn’t a PIN the same as a password? NO. The PIN (or biometric) is a local gesture that unlocks a private key protected by the TPM on your device; authentication is done by signing a challenge with that key, so the PIN itself is never sent anywhere and is useless on any other device. And yes, you always must create a PIN, the same way you always must create a PIN on a mobile device as a backup for biometrics… just in case.

Also, if you are rolling out Hybrid Key Trust, you do not, I repeat, do not, need any premium licenses. The issue many organizations have theoretically faced is that to enroll in WHfB, you hit the part where you need to perform MFA, and organizations that do not have P1+/EMS E3+/M365 E3+ (and the variants) believe that they cannot use MFA. That is not the case. You need premium licensing when certain things call for MFA, such as per-user MFA enablement (which is an O365 license thing) or, more commonly, Conditional Access. When Azure AD calls for MFA for WHfB enrollment, that MFA call is free. Considering that security defaults, which are also free, potentially call for MFA, this should be less of a concern. But it has always been a huge point of confusion. I learned about this in excruciating detail when I worked at Microsoft, rolling out WHfB with customers. Based on what I can gather regarding Hybrid Cloud Trust, I would say the case is the same. /endrant
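The Hybrid Key Trust usability delay in the header above comes from the sync path: the Hello public key is registered in Azure AD at enrollment, and Azure AD Connect then writes it back to the user’s on-prem object in the msDS-KeyCredentialLink attribute; until that happens, Kerberos sign-in to on-prem resources with the new PIN or biometric fails. The following is an added example written for this page, not code from the original post or the linked guides. It checks the device side (TPM, join state, whether a Hello key exists) and the directory side (whether the key has been written back yet). It assumes it is run on the enrolled Windows device as the enrolled user, that the RSAT ActiveDirectory module is available, and that the sAMAccountName is a placeholder.

```powershell
# Added example (not from the original post): is a Hybrid Key Trust WHfB
# enrollment usable against on-prem resources yet?
# Assumes: run on the enrolled device as the enrolled user; RSAT AD module present.

function Get-DsRegState {
    # Parse "dsregcmd /status" output into a hashtable of Key -> Value.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$ds  = Get-DsRegState
$tpm = Get-Tpm   # the Hello private key is TPM-protected when a ready TPM is present

[pscustomobject]@{
    TpmPresent       = $tpm.TpmPresent
    TpmReady         = $tpm.TpmReady
    DomainJoined     = $ds['DomainJoined']     # YES for a hybrid joined device
    AzureAdJoined    = $ds['AzureAdJoined']    # YES for a hybrid joined device
    KeySignTest      = $ds['KeySignTest']      # PASSED when the device key can sign
    HelloProvisioned = $ds['NgcSet']           # YES once a Hello key exists for this user
    HelloKeyId       = $ds['NgcKeyId']
} | Format-List

# Directory side: has Azure AD Connect written the Hello public key back to AD yet?
$sam   = 'jdoe'   # placeholder sAMAccountName of the enrolled user
$user  = Get-ADUser -Identity $sam -Properties 'msDS-KeyCredentialLink'
$links = @($user.'msDS-KeyCredentialLink')

if ($links.Count -gt 0) {
    "Key trust ready: $($links.Count) key credential link(s) present on $sam"
} else {
    "Not yet usable on-prem: msDS-KeyCredentialLink is empty for $sam. " +
    "Wait for the next Azure AD Connect delta sync (default every 30 minutes) and re-check."
}
```

If `NgcSet` is YES on the device but msDS-KeyCredentialLink is still empty, the user has enrolled successfully and is simply inside the sync window; a key that never appears after a couple of cycles points at Azure AD Connect (the user is out of sync scope, or the attribute is not being written) rather than at the device.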

If you have Azure AD Joined devices and are looking to go cloud-only, Janusz Gal [@JanuszGal] has you covered with his article here:

How to set up Windows Hello for Business for cloud-only devices – Device Advice

If you want to ensure that those devices can still reach Active Directory based resources, look no further than this article by Ben Whitmore [@byteben] and Michael Mardahl [@michael_mardahl]:

SSO to domain resources from Azure AD Joined Devices – The MEGA Series – Part 1 – Overview – MSEndpointMgr

For rolling out what previously was (and technically still is, because Cloud Trust is in Public Preview) the recommended path for hybrid devices, Hybrid Key Trust, check out this article by Brooks Peppin [@brookspeppin]:

How to Setup Windows Hello for Business (Key-Trust Method!) – Brooks Peppin’s Blog

For what will eventually become the recommended path for hybrid devices, Hybrid Cloud Trust, see this article by Pim Jacobs [@pimjacobs89]:

Improving your Windows Hello for Business Hybrid Password less setup by using Cloud Trust – Identity Man (identity-man.eu)

If you are curious what it looks like to convert from Hybrid Key Trust to Hybrid Cloud Trust, check out my article:

Windows Hello for Business: Hybrid Cloud Trust – Eric on Identity

And if you are far enough down the passwordless road that you want to take them away from end users, then check out this article I wrote:

Living in a Passwordless World: Password Management – Eric on Identity

Microsoft Docs articles for reference can be found here:

Azure Active Directory join cloud only deployment – Windows security | Microsoft Docs

Hybrid Cloud Trust Deployment (Windows Hello for Business) – Windows security | Microsoft Docs

Hybrid Key Trust Deployment (Windows Hello for Business) – Windows security | Microsoft Docs

Hybrid Certificate Trust Deployment (Windows Hello for Business) – Windows security | Microsoft Docs

Azure AD Join Single Sign-on Deployment – Windows security | Microsoft Docs

Some Great Additional Resources

Fabian Bader [@fabian_bader] has a long series on passwordless:

Passwordless – Category – Cloudbrothers

Jan Bakker [@janbakker_] has some quality articles covering FIDO2:

FIDO – JanBakker.tech

Harri Jaakkonen[@HarriJaakkonen] is constantly putting out new articles, and lots that cover passwordless:

Set-AzWebApp -name “Anything Microsoft and other stuff on the side” (cloudpartner.fi)

Final Notes

Passwords will eventually have an expiration date. It’s better to start the journey away from them now than to get caught behind the ball down the road.

About this post’s featured image

The chosen photo is the work of Mak, used under the Unsplash license.

I picked a garbage can because passwords are garbage and belong in it.

Eric Woodruff
