Microsoft has outlined how it plans to make Windows 10 a completely password-less experience for the enterprise and ensure credentials can’t be cracked, breached, or phished.
To win over enterprise users, Microsoft and Google are competing, and sometimes collaborating, on the goal of eradicating passwords from sign-in processes. Microsoft has now claimed a breakthrough on this front, albeit one with a few preconditions for now.
Following this week’s release of the Windows 10 April 2018 Update, the Windows-maker detailed some of the effort behind its goal of “building a world without passwords”: a world where, even if a fingerprint doesn't register, there'd be no need to fall back on a password.
Of course, that password-less world leans towards Microsoft platforms and products like Windows and Azure, but the ultimate goal is to kill password-dependent workflows entirely for signing into apps and services in the context of an enterprise identity directory like Active Directory.
The preconditions for a password-free experience include that a device has been set to Windows 10 S ‘mode’, a locked-down version of Windows 10 where apps can only be installed from the Microsoft Store. It’s also limited to enterprise users who log in through a cloud-based Microsoft managed service account or Azure Active Directory.
Microsoft doesn’t see passwords as inherently worthless. They may be insecure, inconvenient, and expensive to maintain, but passwords also work on multiple platforms, are portable and are easy to provision.
But with this major release of Windows 10, Microsoft has created a way for enterprises to get a glimpse of what a world without passwords would be like. Microsoft is offering a way to "simulate a password-less world", so that enterprises can plot a path to fully removing passwords from the identity directory.
Two of the key tools behind Microsoft's password-less effort are Windows Hello biometric authentication for Windows 10, which uses asymmetric public-private key pairs (PKI) rather than a shared secret, and the Microsoft Authenticator app.
The third is Windows 10 S, formerly a distinct locked-down version of Windows 10 Pro designed to compete with ChromeOS, which as of the Windows 10 April 2018 Update is a ‘mode’ that Windows 10 Home and Windows 10 Pro can be set to.
“With Windows 10 in S mode, we are enabling our cloud users (Managed Service Account or Azure Active Directory) to be able to go through the entire life-cycle of using their Windows 10 PC with S mode enabled without ever having to enter their passwords,” said Karanbir Singh, a principal program manager for enterprise and security at Microsoft.
Once the Authenticator app has been set up to work with a Managed Service Account (MSA) and/or Azure Active Directory (Azure AD) account, the login page presents an option to “Use the Microsoft Authenticator app instead”.
With S mode enabled, users will have the option to use the Authenticator app to sign in to their account without a password during setup.
Microsoft is still some way off achieving a password-free world in part because the aspiration relies on support from all browsers and apps.
“Windows Hello and our mobile Authenticator app are both great alternatives to passwords. But to create a world without passwords, we need an interoperable solution that works across all industry platforms and browsers,” notes Singh.
To address this, Microsoft is supporting the FIDO2 standard for security keys in Windows Hello.
Microsoft’s efforts here aren’t limited to Windows 10 S but rather focus on scenarios where multiple users need to sign in to a Windows computer, which could benefit from security keys, such as Yubico’s USB keys, for secure sign-in. The Windows Hello FIDO2 Security Key feature is now in limited preview.