Microsoft Passport in Windows 10

Microsoft Passport has been around for quite a while. It serves as a single point of entry to Microsoft products such as OneDrive, Messenger (when it was alive), People, Contacts and more. In Windows 10, Microsoft Passport will replace passwords with strong two-factor authentication consisting of an enrolled device and a Windows Hello (biometric) sign-in or PIN. This post offers an overview of how Microsoft intends to use Microsoft Passport in Windows 10.



What is Microsoft Passport

Broadly speaking, Microsoft Passport consists of two services – a single sign-in service that lets members use one name and password to log in, and a Wallet service that members can use to make fast, convenient online purchases.

Two Factor Authentication in Microsoft Passport

Microsoft introduced two-factor authentication a couple of years back, as cyber criminals stepped up their activity on the Internet. However, two-factor authentication in its current form has some problems.

First, you enter the password and then receive a PIN that you also have to enter. On a phone this becomes a problem, especially if the phone’s RAM is low. Besides this, in the current scheme, when you opt for two-factor authentication you have to create different passwords for the different apps you use. You even have to create an “app password” for the Microsoft Outlook email client and enter it in place of the real Microsoft password you use to log in via a web browser.

All this is set to change with Microsoft Passport in Windows 10. Right now, two-factor authentication is optional; Microsoft will make it mandatory for everyone. It won’t be as cumbersome as it is now. There will be two keys, one held by Microsoft and one held by the user, and the user needs only the user key to get access to protected Microsoft apps.

The primary key held by Microsoft would be a certificate or firmware, so you won’t have to type that information into the login boxes. Then there will be a PIN that you will get. This PIN will open the doors to Microsoft products.

Windows Hello

We’ve already talked about the PIN. Users wanting more protection can opt for Windows Hello, which would be some kind of gesture that you draw on the sign-in screen to get access to protected resources.

Windows Hello is the name Microsoft has given to the new biometric sign-in system built into Windows 10. Because it is built directly into the operating system, Windows Hello allows face or fingerprint identification to unlock users’ devices. Authentication happens when the user supplies his or her unique biometric identifier to access the device-specific Microsoft Passport credentials, which means that an attacker who steals the device can’t log on to it unless that attacker has the PIN. The Windows secure credential store protects biometric data on the device. By using Windows Hello to unlock a device, the authorized user gains access to all of his or her Windows experience, apps, data, websites, and services, says TechNet.

Some current phones employ certain kinds of gestures for the lock screen. It remains to be seen how Windows Hello will differ from current lock screens, but Microsoft does say that it will be better than current lock-screen gestures and will provide enhanced security. According to TechNet, the gesture will be matched with the first step in two-factor authentication – the certificate that Windows assigned to you.

The first sign-in will take longer, as you have to get a certificate and then set up a PIN or Windows Hello. Once everything is set up, you can access Microsoft products in future just by entering the PIN or the gesture you selected. Thus, there won’t be any need to wait for a PIN to arrive by SMS. You just draw the gesture and you are in.

Prerequisites for Microsoft Passport

Before you can use Microsoft Passport in your enterprise, you will have to make sure you meet the prerequisites.

The prerequisites depend on the Microsoft Passport mode (key-based or certificate-based) and on the directory setup (Azure AD, on-premises Active Directory, or an Azure AD/AD hybrid):

Key-based authentication
    Azure AD: Azure AD subscription
    Active Directory (AD) on-premises: Active Directory Federation Services (AD FS) (Windows 10); a few Windows 10 domain controllers on-site; Microsoft System Center 2012 R2 Configuration Manager SP2
    Azure AD/AD hybrid: Azure AD subscription; Azure AD Connect; a few Windows 10 domain controllers on-site; Configuration Manager SP2

Certificate-based authentication
    Azure AD: Azure AD subscription; Intune or non-Microsoft mobile device management (MDM) solution; PKI infrastructure
    Active Directory (AD) on-premises: AD FS (Windows 10); Active Directory Domain Services (AD DS) Windows 10 schema; PKI infrastructure; Configuration Manager SP2, Intune, or non-Microsoft MDM solution
    Azure AD/AD hybrid: Azure AD subscription; PKI infrastructure; Configuration Manager SP2, Intune, or non-Microsoft MDM solution

How Microsoft Passport works in Windows 10

Microsoft Passport, as said earlier, will be based on a certificate – an asymmetric key pair – to keep the user’s data safe. The identity provider – the Microsoft account – will create a public key during the registration process and will identify it every time the user tries to log in. If firmware is used in place of a certificate, the two have to match: the firmware must be present, and the key stored cryptographically in the firmware must match the key generated during the registration process.

Here is the tough part. The certificate will not work across devices, as it is stored locally on the device, especially if it is a hardware-based certificate. It is not even sent to the server. Thus, users might be forced to go through the registration process on each device separately. The public key (PIN or gesture), however, can be used on different devices, making things easier for users, as they won’t have to remember different PINs and gestures.
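To make the two-key model from the sections above concrete (a device-bound key unlocked by a PIN, a provider that holds only the matching public key, and a registration that has to be repeated per device), here is an added example in Go. It is not Microsoft’s code and not how Windows stores the key (a real device keeps it in the TPM; this toy keeps it in memory). The names Device, IdP, Register, Challenge, Sign, Verify and SignIn, the user “alice”, the device names and the PIN “1234” are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device models one enrolled device. Its private key never leaves it, and a
// PIN gates every use of the key (standing in for the PIN or Hello gesture).
type Device struct {
	Name    string
	pinHash [32]byte
	priv    *ecdsa.PrivateKey
}

// NewDevice generates the device-bound key pair and records the PIN that unlocks it.
func NewDevice(name, pin string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, pinHash: sha256.Sum256([]byte(pin)), priv: priv}, nil
}

// Sign is the user's side of a sign-in: the PIN unlocks the private key, which
// then signs the provider's nonce. A wrong PIN never reaches the key.
func (d *Device) Sign(pin string, nonce []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, errors.New("wrong PIN: key not unlocked")
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// IdP models the identity provider. It holds only public keys, one per
// (user, device) pair, so it can check signatures but never produce them.
type IdP struct {
	pubKeys map[string]*ecdsa.PublicKey
}

func NewIdP() *IdP { return &IdP{pubKeys: map[string]*ecdsa.PublicKey{}} }

func regKey(user, device string) string { return user + "/" + device }

// Register is the enrollment step: only the public half of the key is sent.
func (idp *IdP) Register(user string, d *Device) {
	idp.pubKeys[regKey(user, d.Name)] = &d.priv.PublicKey
}

// Challenge issues a fresh random nonce per attempt so a captured signature
// cannot be replayed later.
func (idp *IdP) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Verify accepts the sign-in only if the signature checks against the public
// key registered for that user on that device.
func (idp *IdP) Verify(user, device string, nonce, sig []byte) bool {
	pub, ok := idp.pubKeys[regKey(user, device)]
	if !ok {
		return false // this device was never registered for this user
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SignIn runs one complete challenge/response exchange and reports the verdict.
func SignIn(idp *IdP, d *Device, user, pin string) (bool, error) {
	nonce, err := idp.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := d.Sign(pin, nonce)
	if err != nil {
		return false, err
	}
	return idp.Verify(user, d.Name, nonce, sig), nil
}

func main() {
	idp := NewIdP()
	laptop, _ := NewDevice("laptop", "1234") // constructed sample device and PIN
	idp.Register("alice", laptop)
	ok, _ := SignIn(idp, laptop, "alice", "1234")
	fmt.Println("laptop, correct PIN accepted:", ok)
	_, err := SignIn(idp, laptop, "alice", "9999")
	fmt.Println("laptop, wrong PIN:", err)

	// The laptop's key never left it, so a second device has its own key pair
	// and must be registered separately before the provider accepts it.
	tablet, _ := NewDevice("tablet", "1234")
	ok, _ = SignIn(idp, tablet, "alice", "1234")
	fmt.Println("tablet before registration accepted:", ok)
	idp.Register("alice", tablet)
	ok, _ = SignIn(idp, tablet, "alice", "1234")
	fmt.Println("tablet after registration accepted:", ok)
}
```

Two points from the post show up directly in the code: the provider never receives anything it could use to impersonate the user (only a public key), and the same PIN works on both devices only because each device was registered with its own key pair, which is the per-device registration step the post describes.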

All said, this new feature in Windows 10 is sure to lead to user convenience and an increase in security.

Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.


  1. ErnieK

    Microsoft Passport in Windows 10
    Two-factor authentication:
    Three of the PCs I maintain are owned by persons in their 90’s [96, 94 & 91], 2 running Win 7 and 1 running Windows 8.1, and two of whom do not have a mobile phone. One of these folks regularly visits family member[s] and checks her mails every day at home or away when staying with family. In this scenario the certificate choice would work for her.

    The gentleman with the mobile will not give out his mobile number to anyone except family and emergency contacts. There is no way I will be able to convince him to start using it as a secondary device to log into his hotmail [lookout] account. None of the folks have a second mail address or any other device, so therefore the certificate would have to be sent to their hotmail account. Will this be allowed? Or will they have to “borrow” a second mail address for a brief period of time to enable them to receive the certificate? Having to remember a second PIN [effectively another password] as well as their password will also possibly create problems.

    At present I have all of them using a mail-checking program [Pop Peeper] to check their e-mail and to log into the accounts directly when wanting to reply, or at least once a week to keep them in the habit of remembering their passwords etc.

    So in these scenarios how will two-factor work? At least one of the gentlemen [94 years old] is keen to upgrade to Windows 10 and this could be a factor [no pun intended] that will put him off upgrading. Will this two-factor log-in also be needed for older OSs [Win 7 & 8.1]?

    If someone has more than one HotmailLookout account [as some folks do], will the hardware be able to store more than 1 ID [for different HotmailLookout mail addresses etc.]? Will a user be able to remove a device from the [firmware] ID?

    I think that this will be a good thing but will possibly create havoc for lots of folks as in the above.

  2. ErnieK

    I kept saying Lookout when I should have been saying Outlook. I have been working on someone’s tablet installing the Lookout program and setting it up.
    Sorry for the mix-up.

