Over recent years, new authentication methods have emerged to fill this security gap, and Microsoft Passport is one that deserves exploration. This article details how to use Microsoft Passport in Windows 10: what Microsoft Passport is, a little about how it works, its prerequisites, and how to implement it in your organization.
What is Microsoft Passport?
Microsoft Passport is a user authentication measure new to Windows 10 and is the response to the user privacy issue mentioned above. Instead of relying on a traditional password for user account security, Microsoft Passport uses two-factor authentication (2FA). The two factors are usually the Windows device itself and a PIN chosen by the user. This offers stronger information security than a password and, in many ways, makes the traditional password obsolete. It can be used to log in to:
Microsoft accounts
Azure Active Directory accounts
Active Directory accounts
Non-Microsoft services that support Fast ID Online (FIDO)
A little about how Microsoft Passport works
Microsoft Passport protects user credentials with a certificate backed by an asymmetric key pair. The key pair is created when the account is registered, and it identifies the user whenever they log in. The user chooses a gesture (a PIN or a biometric) that is linked to the certificate. On a device with TPM 1.2 or 2.0, the TPM attests to this certificate; if the device has no supported TPM, a software-based key is used instead. The private key never leaves the device and is one half of the 2FA; the user gesture is the other half.
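The sign-in described above, as an added example that is not part of the original article and not Microsoft's protocol: a constructed Go model in which the device generates the key pair, the identity provider stores only the public key, and a sign-in is a signed challenge that the device releases only when the enrolled gesture (a PIN here) matches. The type and function names, the PIN hash standing in for the TPM's gesture check, and the 32-byte nonce are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device models the user's Windows device. The private key is created here and
// never leaves; the gesture gates its use. Constructed model, not the real
// Passport implementation: a real TPM gates the key itself and stores no PIN hash.
type Device struct {
	priv    *ecdsa.PrivateKey
	gesture [32]byte // hash of the enrolled PIN (assumption: stands in for the TPM gate)
}

// IdentityProvider models the account service. It holds public keys only.
type IdentityProvider struct {
	keys map[string]*ecdsa.PublicKey
}

// Enroll generates the device key pair and binds the chosen gesture to it.
func Enroll(pin string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, gesture: sha256.Sum256([]byte(pin))}, nil
}

// PublicKey is the only key material the device sends at registration.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign releases a signature over the challenge only when the gesture matches:
// the key (something you have) and the PIN (something you know) are both needed.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.gesture[:]) != 1 {
		return nil, errors.New("gesture rejected: key not released")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

func NewIdentityProvider() *IdentityProvider {
	return &IdentityProvider{keys: make(map[string]*ecdsa.PublicKey)}
}

// Register stores the user's public key; no secret reaches the provider.
func (idp *IdentityProvider) Register(user string, pub *ecdsa.PublicKey) {
	idp.keys[user] = pub
}

// Challenge issues a fresh random nonce for one sign-in attempt.
func (idp *IdentityProvider) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify checks the signature against the registered public key. A signature
// over a different nonce (replay) or from a different device fails.
func (idp *IdentityProvider) Verify(user string, challenge, sig []byte) bool {
	pub, ok := idp.keys[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	dev, _ := Enroll("2468")
	idp := NewIdentityProvider()
	idp.Register("alice", dev.PublicKey())
	nonce, _ := idp.Challenge()
	sig, err := dev.Sign("2468", nonce)
	fmt.Println("sign error:", err, "verified:", idp.Verify("alice", nonce, sig))
}
```

The point the model makes is that a compromise of the identity provider yields only public keys, and a captured signed challenge cannot be replayed because each sign-in uses a fresh nonce.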
Key-based vs. certificate-based
Microsoft Passport can authenticate identity using either hardware (key-based) or software (certificate-based). Key-based authentication, in which the TPM generates the key, is the more secure of the two. In this scenario an Endorsement Key (EK) certificate remains inside the TPM. The EK forms the root of trust for every key its TPM generates and is used to create an Attestation Identity Key (AIK), which proves to identity providers, through an attestation claim, that the keys were generated by that same TPM. Certificate-based refers to software identity authentication and is used where the Windows device has no TPM. Organizations that run a Public Key Infrastructure (PKI) can use it together with certificate-based Microsoft Passport for certificate management. It is less secure than key-based authentication, which should be used whenever the device has a TPM.
Microsoft Passport prerequisites
The following are the prerequisites for Microsoft Passport, both key-based and certificate-based.
Key-based authentication
Azure AD
Azure AD subscription
On-premises AD
Active Directory Federation Service (AD FS), originally released in Windows Server 2016 Technical Preview
On-site domain controllers for Windows Server 2016 Technical Preview
MS System Center 2012 R2 Configuration Manager SP2
Azure AD/AD hybrid
Azure AD subscription and AD Connect
On-site domain controllers for Windows Server 2016 Technical Preview
Config Manager SP2
Certificate-based authentication
Azure AD
Azure AD subscription
Non-Microsoft Mobile Device Management (MDM) solution or Intune
PKI infrastructure
On-premises AD
AD FS
Active Directory Domain Services (AD DS)
Windows Server 2016 TP schema
PKI infrastructure
Non-Microsoft MDM, Intune or Config Manager SP2
Azure AD/AD hybrid
PKI infrastructure
Azure AD subscription
Non-Microsoft MDM, Intune or Config Manager SP2
Implementation of Microsoft Passport in organizations
Proper implementation of Microsoft Passport requires proper policy configuration. Consider the following policy settings when implementing Microsoft Passport in your organization.
Hardware TPM required
This value is set to No by default. When it is changed to Yes, Microsoft Passport can only be provisioned with a TPM. If you leave it as No, Passport uses the TPM when one is available and falls back to software provisioning when it is not.
Maximum PIN length
The maximum PIN length is set to 127 characters by default. A longer PIN is harder for an attacker to guess.
Minimum PIN length
By default, the minimum PIN length is set to 4 and cannot be made shorter. This value also cannot be higher than the maximum PIN length.
Uppercase letters
Covering both the device and user, this value is set to 1 by default, which means that uppercase letters are not allowed for PINs. If you change this value to 2, at least one uppercase letter will be required for PINs.
Lowercase letters
This value is set to 1 by default, meaning that lowercase letters are not allowed in PINs. When it is changed to 2, at least one lowercase letter is required.
Special characters
This value is also set to 1 by default, meaning that it does not allow any special characters. Changing this value to 2 will require your PIN to have at least one special character.
Digits
This value is set to 2 by default, which means at least one digit is required in your PIN. With all policy values left at their defaults, a PIN must therefore be at least four characters long and consist of digits only, since the other character classes are not allowed.
Biometrics
The default value of this policy is No. Unless you change it to Yes, only a PIN is allowed as your Microsoft Passport gesture.
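The PIN policy settings above, as an added example that is not part of the original article: a Go checker that encodes the default values and the rule semantics the article gives (1 = character class not allowed, 2 = at least one required; minimum length cannot drop below 4 or exceed the maximum) and reports why a candidate PIN would be rejected. The type and field names are this example's own, not the product's setting names; the TPM and biometrics settings are omitted because they do not affect PIN content.

```go
package main

import (
	"errors"
	"fmt"
	"unicode"
)

// Rule values for the character-class settings as the article describes them.
const (
	NotAllowed = 1 // the class may not appear in the PIN
	Required   = 2 // at least one character of the class is required
)

// PINPolicy holds the PIN-related settings (field names are this example's own).
type PINPolicy struct {
	MinLength, MaxLength                            int
	Uppercase, Lowercase, SpecialCharacters, Digits int
}

// DefaultPolicy returns the default values listed in the article.
func DefaultPolicy() PINPolicy {
	return PINPolicy{MinLength: 4, MaxLength: 127,
		Uppercase: NotAllowed, Lowercase: NotAllowed, SpecialCharacters: NotAllowed, Digits: Required}
}

// Validate rejects a policy that breaks the constraints the article states.
func (p PINPolicy) Validate() error {
	if p.MinLength < 4 {
		return fmt.Errorf("minimum PIN length %d is below the floor of 4", p.MinLength)
	}
	if p.MinLength > p.MaxLength {
		return fmt.Errorf("minimum PIN length %d exceeds maximum %d", p.MinLength, p.MaxLength)
	}
	for name, rule := range map[string]int{"uppercase": p.Uppercase, "lowercase": p.Lowercase,
		"special characters": p.SpecialCharacters, "digits": p.Digits} {
		if rule != NotAllowed && rule != Required {
			return fmt.Errorf("%s: value %d is neither 1 (not allowed) nor 2 (required)", name, rule)
		}
	}
	return nil
}

// checkClass applies one character-class rule to the number of such characters seen.
func checkClass(name string, rule, count int) error {
	if rule == NotAllowed && count > 0 {
		return errors.New(name + " are not allowed in the PIN")
	}
	if rule == Required && count == 0 {
		return errors.New("at least one of: " + name + " is required in the PIN")
	}
	return nil
}

// CheckPIN returns nil if the candidate PIN satisfies the policy, else the reason it fails.
func (p PINPolicy) CheckPIN(pin string) error {
	if err := p.Validate(); err != nil {
		return err
	}
	runes := []rune(pin)
	if len(runes) < p.MinLength || len(runes) > p.MaxLength {
		return fmt.Errorf("PIN length %d is outside %d..%d", len(runes), p.MinLength, p.MaxLength)
	}
	var upper, lower, digit, special int
	for _, r := range runes {
		switch {
		case unicode.IsUpper(r):
			upper++
		case unicode.IsLower(r):
			lower++
		case unicode.IsDigit(r):
			digit++
		default:
			special++ // punctuation, symbols and spaces all count as special characters
		}
	}
	for _, err := range []error{
		checkClass("uppercase letters", p.Uppercase, upper),
		checkClass("lowercase letters", p.Lowercase, lower),
		checkClass("special characters", p.SpecialCharacters, special),
		checkClass("digits", p.Digits, digit),
	} {
		if err != nil {
			return err
		}
	}
	return nil
}

func main() {
	p := DefaultPolicy()
	fmt.Println("1234 under defaults:", p.CheckPIN("1234")) // <nil>
	fmt.Println("12ab under defaults:", p.CheckPIN("12ab")) // lowercase letters are not allowed
	p.Uppercase, p.SpecialCharacters, p.MinLength = Required, Required, 6
	fmt.Println("A1234! under stricter policy:", p.CheckPIN("A1234!")) // <nil>
}
```

Running the checker against a proposed policy before rollout shows what users will actually be able to choose; under the defaults, for instance, nothing but all-digit PINs of four or more characters passes.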
Conclusion
Let’s face it: the password is probably going to join the ranks of the floppy drive soon. Windows 10 introduces Microsoft Passport as an alternative method of user authentication. Backed by 2FA, Microsoft Passport is a more secure authentication method than passwords and may well be the way of the future.
Sources
Microsoft Passport in Windows 10, TheWindowsClub
Microsoft Passport, sourceDaddy
Convenient two-factor authentication with Microsoft Passport and Windows Hello, Windows Blogs