Microsoft Passport has been around for quite a while. It serves as a single point entry to all of the Microsoft products such as Outlook.com, OneDrive, Messenger (when it was alive), People, contacts and more. In Windows 10, Microsoft Passport will replace passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. This post offers an overview of how Microsoft intends to use Microsoft Passport in Windows 10.
What is Microsoft Passport
Broadly speaking, Microsoft Passport consists of 2 services – a single Sign-in service that allows members to use a single name and password to log in, and a Wallet service that members can use to make fast, convenient online purchases.
Two Factor Authentication in Microsoft Passport
Microsoft introduced Two-factor authentication a couple of years back, when cyber criminals increased their activities on the Internet. However, there have been some problems using the two-factor authentication in its current state.
First – you enter the password and then you receive a PIN that you have to enter. If on the phone, this becomes a problem, especially if phone’s RAM is low. Besides this, in its current scenario, when you wish to go for two-factor authentication, you have to create different passwords for different apps you use. You even have to create an “app password” for Microsoft Outlook email client and enter it instead of the real Microsoft password that you use for logging in via a web browser.
All this is set to change with Microsoft Passport in Windows 10. Right now, the two-factor authentication is optional. Microsoft will make it mandatory for all to use two-factor authentication. It won’t be as tough as it is now. There will be two keys, one with Microsoft and one with the user. The user needs just the user key to get access to protected Microsoft apps.
The primary key with Microsoft would be a certificate or a firmware. That is, you won’t have to enter that information into the login boxes. Then there will be a PIN that you will get. This PIN will open the doors to Microsoft products.
We’ve already talked about the PIN. Users wanting more protection can opt for Windows Hello which would be some kind of gesture that you draw on the sign in screen to get access to protected resources.
Windows Hello is the name Microsoft has given to the new biometric sign-in system built into Windows 10. Because it is built directly into the operating system, Windows Hello allows face or fingerprint identification to unlock users’ devices. Authentication happens when the user supplies his or her unique biometric identifier to access the device-specific Microsoft Passport credentials, which means that an attacker who steals the device can’t log on to it unless that attacker has the PIN. The Windows secure credential store protects biometric data on the device. By using Windows Hello to unlock a device, the authorized user gains access to all of his or her Windows experience, apps, data, websites, and services, says TechNet.
Some of the current phones employ certain kinds of gestures for lock screen. It is to be seen how Windows Hello would be different from the current lock screens but Microsoft does say that it will be better than current gestures on lock screens and will provide enhanced security. According to TechNet, the gesture will be matched with the first step in two-factor authentication – the certificate that Windows assigned to you.
The first time will take a longer time as you have to get a certificate and then set up a PIN or Windows Hello. Once the entire thing is set up, you can access Microsoft products in future just by entering the PIN or the gesture you selected. Thus, there won’t be need to wait for a PIN to arrive by SMS. You just draw the gesture and you are in.
Prerequisites for Microsoft Passport
Before you can use Microsoft Passport in your enterprise, you will have to make sure you meet the prerequisites.
|Microsoft Passport mode
||Active Directory (AD) on-premises
||Azure AD/AD hybrid
||Azure AD subscription
||Active Directory Federation Service (AD FS) (Windows 10)A few Windows 10 domain controllers on-siteMicrosoft System Center 2012 R2 Configuration Manager SP2
||Azure AD subscriptionAzure AD ConnectA few Windows 10 domain controllers on-siteConfiguration Manager SP2
||Azure AD subscriptionIntune or non-Microsoft mobile device management (MDM) solutionPKI infrastructure
||ADFS (Windows 10)Active Directory Domain Services (AD DS) Windows 10 schemaPKI infrastructureConfiguration Manager SP2, Intune, or non-Microsoft MDM solution
||Azure AD subscriptionPKI infrastructureConfiguration Manager SP2, Intune, or non-Microsoft MDM solution
How Microsoft Passport works in Windows 10
The Microsoft Passport, as said earlier, will be based on a certificate – an asymmetrical key pair – to keep the user data safe. Identity provider – the Microsoft account – will create a public key during registration process and will identify it every time user tries to log in. If firmware is used in place of certificates, they have to match: presence of such firmware should be there and the key stored cryptographically on the firmware should match the key generated during registration process.
Here is the tough part. The certificate will not work across devices as it will be stored locally on device, especially if it is a hardware based certificate. It is not even sent to server. Thus, it might force users to go through the registration process on each device separately. The public key (PIN or gesture), however, can be used on different devices thereby making things easier for the users as they won’t have to remember different PINs and gestures.
All said, this new feature in Windows 10 is sure to lead to user convenience and an increase in security.