Security news that informs and inspires

Windows Now Supports Password-Less Authentication With Security Keys

Microsoft has taken a major step toward removing the need for passwords for most people logging in to Windows. Users can now use hardware security keys to sign in to their Microsoft accounts on any device that supports them, including mobile devices.

The company on Tuesday announced the change, which is the result of years of preparation and changes to Windows, with the eventual goal of eliminating passwords altogether. And it’s not just Windows that has benefited from this strategy either. In September, Microsoft enabled support on its Azure cloud platform for password-less authentication through the Microsoft Authenticator app.

The change in Windows authentication is a bigger shift, though, as it means that hundreds of millions of people can now forget about using passwords to log in to their Microsoft accounts. The new feature supports any security key that is FIDO2-compliant--such as a YubiKey--and people also can use the Windows Hello biometric authentication mechanism. Either way, no password is necessary to authenticate.

“This combination of ease of use, security, and broad industry support is going to be transformational both at home and in the modern workplace. Every month, more than 800 million people use a Microsoft account to create, connect, and share from anywhere to Outlook, Office, OneDrive, Bing, Skype, and Xbox Live for work and play. And now they can all benefit from this simple user experience and greatly improved security,” Alex Simons, corporate vice president of program management at Microsoft’s Identity Division, said.

“Unlike passwords, FIDO2 protects user credentials using public/private key encryption."

The FIDO2 standard is the latest specification for authentication using hardware keys. It’s designed to help obviate the need for passwords and make authentication simpler for users. Using a security key for authentication also makes phishing individual users much more difficult, as there’s no password to capture or reuse.

“Unlike passwords, FIDO2 protects user credentials using public/private key encryption. When you create and register a FIDO2 credential, the device (your PC or the FIDO2 device) generates a private and public key on the device. The private key is stored securely on the device and can only be used after it has been unlocked using a local gesture like biometric or PIN. Note that your biometric or PIN never leaves the device. At the same time that the private key is stored, the public key is sent to the Microsoft account system in the cloud and registered with your user account,” Simons said.

“When you later sign in, the Microsoft account system provides a nonce to your PC or FIDO2 device. Your PC or device then uses the private key to sign the nonce. The signed nonce and metadata is sent back to the Microsoft account system, where it is verified using the public key. The signed metadata as specified by the WebAuthn and FIDO2 specs provides information, such as whether the user was present, and verifies the authentication through the local gesture. It’s these properties that make authentication with Windows Hello and FIDO2 devices not ‘phishable’ or easily stolen by malware.”

The move to hardware keys as the main authentication method for Windows 10 was predicated upon Microsoft’s inclusion of support for the WebAuthn specification in Edge in July. That enabled users to authenticate to individual sites with FIDO2-compliant keys in Edge, a precursor to adding the same support in Windows authentication.