Eliminating Passwords: A Security Initiative

Aleks Pavlinik

Chief Information Security Officer at Stored Technology Solutions, Inc.

How FIDO2 hardware keys, passkeys, and Windows Hello for Business can enhance security and user experience 

Passwords are one of the most common and widely used methods of authentication, but they are also one of the most vulnerable and inconvenient. Passwords can be easily guessed, stolen, reused, or compromised by phishing, malware, or breaches. Moreover, passwords create a burden for users who have to remember and manage multiple complex passwords for different accounts and services. 

Fortunately, there is a better way to authenticate users without relying on passwords. FIDO2 is a set of standards that enable passwordless authentication using cryptographic keys or biometrics. FIDO2 hardware keys and passkeys are two forms of multifactor authentication (MFA) that provide strong security and a user-friendly experience. Windows Hello for Business is a feature of Windows 10 and 11 that leverages FIDO2 to enable passwordless sign-in to Windows devices and Microsoft accounts. 

In this article, we will explain the benefits of eliminating passwords as a security initiative, and how FIDO2 hardware keys, passkeys, and Windows Hello for Business can help achieve this goal. 

Why Eliminate Passwords? 

Eliminating passwords as a security initiative has several advantages, such as:

  • Enhancing Security: Passwordless authentication reduces the risk of credential theft, phishing, brute-force attacks, and account takeover. FIDO2 keys and passkeys are based on public-key cryptography, which means that they do not store or transmit any shared secrets that can be intercepted or compromised. FIDO2 keys and passkeys also offer protection against man-in-the-middle attacks, replay attacks, and malware.
  • Improving User Experience: Passwordless authentication simplifies the sign-in process and eliminates the need for users to remember and manage multiple passwords. FIDO2 keys and passkeys are easy to use and can be registered and used across different devices and platforms. Windows Hello for Business allows users to sign in to Windows devices and Microsoft accounts with a simple gesture, such as a fingerprint scan or facial recognition.
  • Reducing Costs and Complexity: Passwordless authentication reduces the operational and administrative costs and complexity associated with password management. Passwords require constant maintenance, such as resetting, updating, enforcing policies, and auditing. Passwords also generate a high volume of help desk calls and tickets, which can be costly and time-consuming. Passwordless authentication eliminates these issues and frees up resources for other tasks.

How Do FIDO2 Hardware Keys and Passkeys Work? 

FIDO2 is a set of standards developed by the FIDO Alliance, an industry consortium that aims to promote interoperable and secure authentication solutions. FIDO2 consists of two main components: the Web Authentication (WebAuthn) API and the Client to Authenticator Protocol (CTAP).

The WebAuthn API enables web browsers and web applications to support passwordless authentication using FIDO2 authenticators, such as hardware keys or biometric sensors. The WebAuthn API allows users to register and use FIDO2 authenticators as a primary or a secondary factor of authentication, depending on the web application’s policy.

CTAP enables communication between FIDO2 authenticators and devices, such as laptops, smartphones, or tablets. CTAP comes in two versions: CTAP1 and CTAP2. CTAP1 is also known as FIDO Universal Second Factor (U2F), which enables FIDO2 authenticators to be used as a second factor of authentication, in addition to a password. CTAP2 enables FIDO2 authenticators to be used as a primary factor of authentication, without a password.

FIDO2 hardware keys are physical devices that can be plugged into a USB port, inserted into a smart card reader, or connected via Bluetooth or NFC. FIDO2 hardware keys generate and store a unique pair of public and private keys for each web application that the user registers with. The private key never leaves the device and is protected by a PIN or a biometric verification. The public key is sent to the web application and stored on the server. When the user wants to sign in to the web application, the web application sends a challenge to the FIDO2 hardware key, which signs it with the private key and sends it back to the web application. The web application verifies the signature with the public key and authenticates the user.

FIDO2 passkeys are alphanumeric codes that can be entered on a device’s keyboard or touchscreen. FIDO2 passkeys are derived from a master secret that is stored on a FIDO2 authenticator, such as a hardware key or a biometric sensor. The master secret is combined with the web application’s domain name and a counter to generate a unique passkey for each sign-in attempt. The passkey is sent to the web application and verified with the master secret and the counter. The web application authenticates the user and increments the counter.

How Does Windows Hello for Business Work? 

Windows Hello for Business is a feature of Windows 10 and 11 that enables passwordless sign-in to Windows devices and Microsoft accounts using FIDO2-compatible authenticators, such as hardware keys, biometric sensors, or PINs. Windows Hello for Business replaces passwords with strong two-factor authentication that is tied to the device and the user.

Windows Hello for Business works as follows:

The user registers a FIDO2 authenticator with Windows Hello for Business, which creates a key pair and a certificate for the user. The private key is stored on the device or the authenticator, and the public key and the certificate are stored on the Microsoft account or the Azure Active Directory (AAD) account.

The user signs in to the Windows device or the Microsoft account using the FIDO2 authenticator and a gesture, such as a fingerprint scan, facial recognition, or a PIN. The FIDO2 authenticator unlocks the private key and signs a challenge from the device or the account. The device or the account verifies the signature with the public key and the certificate and authenticates the user.

The user can also use the FIDO2 authenticator to sign in to other web applications that support WebAuthn, such as Office 365, Outlook, or OneDrive. The FIDO2 authenticator generates and stores a separate key pair for each web application, and the web application verifies the signature with the public key.
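The challenge-response exchange described for hardware keys above, and again here for Windows Hello for Business signing in to WebAuthn applications, as an added example that is not code from the article, from Microsoft, or from the FIDO Alliance. It models both sides in Go using only the standard library's P-256 ECDSA: the authenticator keeps one private key per relying party plus a signature counter, and the server keeps only the public key. The names `Authenticator`, `RelyingParty`, `signedMessage`, the `example.com` relying party and the lookalike domain are assumptions for this demo, and the signed-message layout is a simplification of WebAuthn's authenticatorData and clientDataJSON. It goes slightly beyond the text by showing why the design resists phishing and replay: a lookalike domain has no credential at all, a response relayed from another origin fails the origin check, and a reused assertion fails the counter check.

```go
// Added example (not the article's code): a hypothetical model of the FIDO2/WebAuthn challenge-response flow.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

type Assertion struct {
	Origin    string // filled in by the browser, not by the page that asked
	Counter   uint32 // advances on every signature the key produces
	Signature []byte // ECDSA P-256 over signedMessage(...)
}

// Authenticator models a hardware key: one key pair per relying party (rpID) that never leaves the device.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// Register mints a key pair bound to rpID and releases only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedMessage binds the signature to site, origin, challenge and counter so none can be swapped later.
func signedMessage(rpID, origin string, challenge []byte, counter uint32) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%s\x00%d\x00", rpID, origin, counter)
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge; the browser derives rpID from the page's domain, so a lookalike domain finds no key.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("authenticator: no credential for this relying party")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, origin, challenge, a.counter))
	if err != nil {
		return nil, err
	}
	return &Assertion{Origin: origin, Counter: a.counter, Signature: sig}, nil
}

// RelyingParty is the server side for one enrolled user: only a public key and the last accepted counter.
type RelyingParty struct {
	ID, Origin string // e.g. "example.com" and "https://example.com"
	PubKey     *ecdsa.PublicKey
	counter    uint32
}

// NewChallenge returns fresh random bytes; a new set for every sign-in attempt.
func NewChallenge() []byte {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand never returns an error in current Go releases
	return b
}

// Verify runs the checks a relying party must pass before trusting an assertion.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	if as.Origin != rp.Origin {
		return errors.New("origin not allowed (response relayed from another domain?): " + as.Origin)
	}
	if rp.PubKey == nil || !ecdsa.VerifyASN1(rp.PubKey, signedMessage(rp.ID, rp.Origin, challenge, as.Counter), as.Signature) {
		return errors.New("bad signature: wrong key, wrong challenge or tampered fields")
	}
	// A counter that does not advance points at a replayed assertion or a cloned key.
	if as.Counter <= rp.counter {
		return errors.New("signature counter did not increase")
	}
	rp.counter = as.Counter
	return nil
}

func main() {
	key, rp := &Authenticator{}, &RelyingParty{ID: "example.com", Origin: "https://example.com"}
	rp.PubKey, _ = key.Register(rp.ID)
	ch := NewChallenge()
	as, _ := key.Sign(rp.ID, rp.Origin, ch)
	fmt.Println("genuine sign-in:", rp.Verify(ch, as))    // <nil>
	fmt.Println("replayed assertion:", rp.Verify(ch, as)) // signature counter did not increase
	_, err := key.Sign("example.com.evil", "https://example.com.evil", NewChallenge())
	fmt.Println("lookalike domain:", err) // no credential for this relying party
}
```

Run it with `go run`: the first line shows the genuine sign-in accepted and the next two show the replayed assertion and the lookalike domain refused. Note what the server never holds: no password hash and no private key, so a breach of the relying party's database yields nothing a user's credential can be replayed with.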

Conclusion 

Eliminating passwords as a security initiative is a smart and feasible way to enhance security and user experience. FIDO2 hardware keys and passkeys are strong forms of multifactor authentication that offer passwordless authentication using cryptographic keys or codes. Windows Hello for Business is a feature of Windows 10 and 11 that leverages FIDO2 to enable passwordless sign-in to Windows devices and Microsoft accounts. By adopting these solutions, users and organizations can benefit from a more secure and convenient authentication process.