Passwords offer weak protection but “they’re darn cheap to implement,” a recent Forrester report points out. That’s why passwords continue to be the go-to protection for so many systems. But with the ever-growing list of password breaches – not to mention the availability of faster hardware, making password cracking an increasingly trivial task – 56 percent of firms told Forrester they want to move away from passwords in the next three years.
Windows 10 can be part of a strategy for doing that, and, thanks to Microsoft’s participation in the FIDO Alliance, any changes you make to support that strategy will work across a wide range of devices and authentication options.
Several services offer ways to do away with passwords today. Yahoo recently introduced a “password-free” account key that uses a push notification on a registered iOS or Android device that lets its Yahoo Mail users confirm that they’re trying to log in. If you’d like to use that model for your own apps, Twilio recently launched the OneTouch option for its Authy authentication service that lets you use a similar mobile push notification to have users confirm their login, instead of using passwords. You can also use it for other sensitive transactions, making it more than just a password replacement.
“OneTouch is the next generation beyond using a soft token or a one-time code via SMS, and you can use it for authentication and for authorisation,” says Twilio’s Marc Boroditsky. “That could be a parent approving a transaction for a child, or multiple parties in escrow or a workflow sequence of approvals.” Payroll companies and digital signing services are planning to use the system to handle transactions that need to be authorized by multiple people.
“We have non-repudiation built in,” says Boroditsky. “We have a digital record of the authentication taking place that’s not just someone clicking OK on their computer.” Authy OneTouch doesn’t use biometrics to replace a password; instead it considers multiple signals. It isn’t just that you’re using your own phone; it’s where you are and how you’re behaving. Are you on the other side of the world, connected via a VPN instead of on your office network? If the system decides your login is unusual, it won’t just sign you in; at that point, it might ask you to use two-factor authentication, including biometrics.
That’s easier to add to a new application rather than a system that was designed to work with passwords, he admits. “To make this really universal, this is where FIDO plays a role. We do two-factor authentication, we are working with FIDO – and when there is FIDO it will be easier.”
FIDO stands for Fast IDentity Online; the FIDO Alliance is a cross-industry group trying to replace passwords with simpler and stronger authentication that works across multiple devices and services. The first generation of FIDO supports two key protocols. The first, Universal 2nd Factor, is adding a second factor to the standard username and password; the difference from familiar authentication hardware like RSA’s SecureID is that FIDO U2F hardware like the Yubikey doesn’t only work with one service; you can use the same device to authenticate to Google Apps, PayPal, DropBox and other FIDO-compliant systems. The credentials never leave the device, so they can’t be compromised in a breach and each service uses a separate key pair.
The FIDO Universal Authentication Framework protocol uses biometrics – like a fingerprint sensor or iris scanner, or voice or facial recognition – to unlock a cryptographic key on your device and use that to authenticate to the service you want to use; at that point, you don’t need a password at all. That’s in phones like the iPhone and the Samsung Galaxy S5, but it doesn’t let you use the phone as the authentication device for your other devices.
That device-to-device capability is a key feature in the FIDO 2.0 specifications. It’s not just about being more convenient for users, who only have to register and unlock one device (although that’s important for getting people to use FIDO systems). It also means you could connect to a FIDO service on a Mac or PC with no fingerprint sensor, using an Android phone that has one. (It also helps future-proof the system; if we develop a new biometric identifier in five years, you could use that to unlock existing devices and services.)
To make that really useful, we need the other main goal of FIDO 2.0; what the FIDO Alliance calls “ubiquitous platform support.” As FIDO Alliance president Dustin Ingalls explains, “The mission of the FIDO Alliance has always been stronger, simpler authentication: stronger to help protect data, and simpler to address the problems users face trying to create and remember multiple usernames and passwords. In order to achieve this mission, FIDO authentication needs to be available everywhere … on all the devices you use and with all of the apps and services you use.” That means getting FIDO support out of the box, not as an add-on later.
The 72 FIDO-certified devices available so far are a start, as is the W3C standards organization planning to take key FIDO 2.0 protocols and turn them into the basis of a new Web Authentication Working Group and a Web API that browser and web services can use to exchange FIDO credentials. “How do we ‘kill passwords’?” asked the W3C blog about the proposed Web API. “The FIDO 2.0 specifications, which define a unified mechanism to use cryptographic credentials for un-phishable authentication on the Web,” is one answer.
But the way you might first see FIDO 2.0 showing up in your business is via Windows 10. The Microsoft Hello technology in Windows 10 uses biometrics like facial recognition, fingerprints and – with Windows Mobile phones – iris scanning to sign you into your account. And the Microsoft Passport two-factor authentication built into Windows 10 can use that biometric verification (which doesn’t roam between devices and is never sent to a service) instead of a PIN to unlock cryptographic tokens (also stored in secure hardware on the device) that log you into services – replacing both passwords and physical smart cards.
The combination means there are no credentials to steal or leak. And unlike smartcards, you don’t need a PKI to deploy credentials to devices; because Passport is built in to Windows 10, just setting up a Microsoft account in Windows enables Passport.
If that sounds familiar, it’s because those are the principles of FIDO. And because – along with Google, PayPal and Nok-Nok Labs – Microsoft is behind the key specifications submitted for FIDO 2.0.
“We are on a mission to replace passwords with strong, user-friendly authentication for consumers and businesses alike, for all the devices people use every day against all the services people use every day,” says Microsoft’s Chris Hallum. “We designed Microsoft Passport for this purpose, but we wanted to solve the challenge beyond just Microsoft devices. Participating in FIDO and contributing all of the Microsoft Passport specifications to the FIDO 2.0 working group will help reach our shared goal of strong authentication everywhere.”
Passport at work
With Windows 10 Pro and Enterprise, you get Microsoft Passport for Work, an “enhanced” version that lets you choose the PIN strength and enforce what biometrics you trust centrally.
For your users, it means they can sit at their computer or pick up their phone, and be logged into your network, the enterprise services they’re supposed to have access to, and even their bank account, without ever typing in a password they could forget or having to remember to carry a hardware dongle they can lose or leave at home.
The FIDO 2.0 specifications aren’t finished yet. Microsoft calls Windows 10 “a reference implementation of the concepts” and plans to make sure it complies with FIDO 2.0 once it’s complete (which Hallum suggests will be “in the coming year”). Microsoft is also planning to add the device-to-device feature, which it calls remote unlock, and have it work with all FIDO devices. “Microsoft Passport was designed to give users and the hardware ecosystem choices,” Hallum says. “In the future with, users will be able to use a FIDO-compliant device (a phone, a fob, or a wearable) to seamlessly unlock their Windows PC and authenticate to Web services, pay for purchases or any number of other authentication activities.”
[Related: Top 10 security stories of 2015]
Building some of these scenarios for your own business will mean using Windows Server 2016 as a domain controller for Active Directory and setting up mobile device management using Intune or System Center Configuration Manager, but you don’t have to wait until that ships. Here’s why:
Hello and Passport can already sign you into key Microsoft consumer services like Outlook.com and OneDrive. And, says Hallum, “organizations that want to use Microsoft Passport for strong authentication can use it on devices where Azure Active Directory is providing authentication services to get access to thousands of SaaS applications like Office 365 and Salesforce. As of the November 2015 update, organizations using Azure Active Directory and Active Directory on premises can use their Microsoft Passport credentials to get access to all their onsite business network resources, as well as cloud based resources with single sign-on and never be asked for corporate credentials.”
So how close is the idea of sitting down at your PC and having Windows Hello and Passport sign you in to your expenses app, your CRM system and your bank account? “Organizations that want to provide business software services have a few options,” says Hallum. “For example, a bank could choose to rely on Azure Active Directory or Microsoft Account to authenticate the business or consumer user. Or the bank could choose to perform their own authentication using Microsoft Passport technology.”
FIDO-based consumer services may be some way off, says Twilio’s Boroditsky. “There's nobody that believes passwords should continue; there's no advocate for perpetuating this broken system.” But he adds it could take time “until there are enough FIDO devices to be meaningful.” He says one credit card company working with Authy (and itself signed up with the FIDO Alliance) “estimates it could be three years until there’s a critical mass for their user base so they can say ‘use your FIDO device’ and not offend customers who don’t have a FIDO device.” For businesses serving consumers, “having a solution that serves the entire spectrum of the market is necessary.”
But for your own business, you may be able to move more quickly to kill off passwords by deploying Windows 10, especially once the remote unlock feature means you can do that with phones and other secondary devices. Given the risks of password breaches and credential theft, this is something you need to start planning for sooner rather than later.