Azure Goes Passwordless

Image result for microsoft passwordless

Although in preview, Microsoft Azure now supports passwordless logins. You now have the option to support; FIDO2 security keys and the Microsoft Authenticator App.

When you hear FIDO2, you will most likely think of Yubikey.

Yubikey has been driving for a passwordless future for some time and are one of the top competitors on the market today. If you wanted, to know more, visit their website here: https://yubikey.com

Why do we need passwordless technology if we have MFA?

Thankfully, Multifactor authentication is slowly becoming the norm. With the help of Banks and online businesses enforcing the security control, accounts are become that little bit safer and users are becoming more aware.

Microsoft are a huge driver of MFA and state that enabling the control will prevent against 99.9% of account hacks.

I don’t know how true that is but it’s certainly in the 80-90s. Although secure, you need to be aware that MFA doesn’t support legacy protocols. Protocols such as IMAP/POP3 can be used to brute force O365 accounts for example. That being said, if the statement is purely based on authentication attacks that support MFA, then sure…

MFA is needed due to passwords offering minimum security. Passwords can even be stolen, cracked or brute forced. Without any additional verification in place, hackers can attempt to login to your account from anywhere.

Sure, a secure password may keep them at bay but just look at the most common passwords used over the years.

https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security

As you can see, pretty poor. It’s even worse when you imagine that these can be reused across multiple accounts.

MFA was then introduced, and the technology offered a way to add an additional verification step. Something that the attackers wouldn’t have and would prove to the service that it’s you. It also offered a way to be alerted when attackers attempted to login to your account.

Great right?

Depends who you are asking. For most, it’s fine however it can be seen as inconvenient. Having to continuously prove who you are after entering your long secure password. Therefore, some businesses will either exclude certain traffic, allow for the device to “be remembered” or turn the feature off completely. It’s also worth noting that it can be bypassed.

As with business, it’s a balance being usability and security. Microsoft sum it up using a simple diagram:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys

So how does passwordless authentication help?

It helps because you’re not authenticating with something that can be easily stolen, intercepted or used remotely. The attacker would need physical access to your authentication method. That could be a security key or mobile device. Something which you would always have on you.

The account would still technically have a password however it would be used less. In theory the only place it would be stored is on your phone and your identity provider (Example: Azure Active directory).

You wouldn’t have to frequently enter it; therefore, it would have less exposure. Because of this, you could set your password to something more complex. Even if you forgot it, you could continue to use the passwordless authentication should it remain on the device.

Just in case the password is stolen, you could also apply conditional access and enforce MFA.

Using passwordless authentication can help:

  • Reduce stolen credentials; Phishing, Keyloggers and unsecure sharing.
  • Reduce exposure externally; Brute force.
  • Reduce the reuse of passwords.
  • Reduce weak passwords.

A few more examples can be found here…

This authentication will also be wrapped up in further controls. Controls such as FaceID, PINs and Physical Security Keys.

You may be thinking some of these can be stolen and that would be true. The problem is, on there own they have no benefit. If you lost your YubiKey for example, the attackers wouldn’t know it was yours as it shows no identification.

You would have to be targeted closely for them to bypass whichever method you choose.

Enabling Passwordless Authentication In Azure

Now we know more about the technology, lets run through how to enable it

Firstly, you will need to login to your Azure tenant and go to the following section:

Home > Active directory > Security > Authentication methods:

Click on the Enable users for enhanced registration prompt at the top
(In Blue). You can then either enable for all or chose a few users for testing.

Once done, you can go back and select which authentication method to enable.

FIDO2 Security Keys

Once you click on FIDO2, you will again have the option to enable for some or all.

You will also have a few more options on the right should you wish to restrict how your users use the service.

For this example, I will run through the YubiKey setup. For YubiKey, you will first need to install the manager and set a PIN. This is the PIN that will be used to login to the synced account.

https://www.yubico.com/products/services-software/download/yubikey-manager/

Once you have your YubiKey setup, you can then go to: https://myprofile.microsoft.com/

Click on Security Info and choose Add Method:

Choose Security Key. If you don’t see this option, you’re not enabled for enhanced preview.

Choose USB:

The following will then load:

Click on Continue and Next and it will prompt for your PIN. This is the PIN you set within the YubiKey manager.

You will then have to touch your key.

If this is the first time your browser have seen this key, you will need to allow it:

Once allowed, it will take you back and ask you for a name:

The next time you go to login a service with your Azure account, you can select Security Key. You will not have to enter any email address or password for this login.

Your browser will then prompt for the security key to be allowed:

And that’s it. You are good to go.

Can this be brute forced?

Technically yes however, it will be restricted. The attacker would have to have your Security Key plugged in and guess your PIN. After multiple attempts it will ask you to remove it and start again. This helps prevent against scripted or remote attacks.

If after 3 tries they still haven’t guessed it, you will be required to enter the random password.

They will then get a single chance. Failure to guess again will result in the device being blocked.

Microsoft Authenticator App

If you go back to the original page, you can enable Microsoft Authenticator sign-ins.

Your will need to install the Microsoft Authenticator App on your mobile device and login with the used credentials. Once down, click the dropdown for the credentials and Enable phone sign-in.

You will then be prompted to register the phone and complete the steps:

Next time you login, you will need to enter your email address. Once done, it will then prompt you to use your authenticator app. It will look similar to this:

If you have biometrics setup on the device, this will also be prompted such as FaceID for the iPhone. This adds an additional layer.

Can this be brute forced?

Technically no as the prompt is random. What can be brute forced is the PIN on the mobile device itself. Should an attacker gain access to the device and only require a PIN (which they know), they could login. They would however need to be aware of the email address used but unfortunately this can be easily obtained as it’s on the device itself. For FaceID, it would be harder to crack.

As you can see, passwordless authentication can really help secure your identities. Allowing you to securely authenticate your users using a more convenient approach whilst still have MFA in place should the primary method fail.

Both passwordless methods do have chinks in their armour however with strong security processes in place, they can be mitigated. If the user’s device or key is stolen, they would need to report it immediately. If they did, this authentication method could be revoked. This is also something they could do themselves.

This can be more difficult with the security key as the user may feel like they have just misplaced it. They could then continue to use their password thinking they could find it later. If their authentication method is their phone, I imagine there would be more inclined to inform the business, or at least have it wiped.

For all this, education is key. Most humans are allergic to change and having security controls such as MFA or Security keys may come with “push back”. With the right level of education and support you may just be able to implement one of the methods above and move that step further towards a passwordless future.

Should you wish to read more: