Active Directory Fundamentals

Microsoft Passport

Introduction

Using passwords is a common approach to protecting a resource from unauthorized access. However, passwords have their shortcomings. One challenge is the difficulty of remembering them, more so if complex requirements are in place. Another is that the repository containing the passwords may be breached. Microsoft has an alternative to passwords called Microsoft Passport, which was introduced along with Windows Hello in Windows 10. Microsoft Passport is designed around the standards of the Fast IDentity Online (FIDO) Alliance, which go beyond passwords for implementing secure identity management and integrate easily with other platforms and services.

What is Windows Hello?

It is essential to understand Windows Hello since it goes hand in hand with Passport to provide authentication and authorization to the users in a network. Windows Hello uses a user's biometric information (fingerprint, face, or iris) for authentication. This biometric information is saved on the user's device. If many users share a device, each user has their own biometric data saved on that device.

What is Microsoft Passport?

Microsoft Passport allows the user to access applications and website content without the need for a password. It is built on asymmetric cryptography, the same technology that powers devices like smart cards. Microsoft Passport works with a Microsoft account, an Azure Active Directory account, on-premises Active Directory, and other Windows applications. The user's identity is stored on the device, so an attacker who obtains a user's password cannot use it to access the account from another location. Once the user is authenticated using biometrics, Microsoft Passport is unlocked and cryptographically authenticates the user to applications and websites. The Trusted Platform Module (TPM) generates and protects the private key. After the keys are generated, Microsoft Passport allows the user to sign in to apps or services without interruption.

The following steps explain how Microsoft Passport works:

  • The client attempts to connect to a web application using a browser.
  • The browser uses the Passport API to request access to the identity provider (IdP) key for AD. The IdP sends an authentication challenge to the client device.
  • The device's private key is used to sign the challenge, which is sent back as a response together with the original challenge and the ID of the key that was used to sign it.
  • The AD then fetches the public key corresponding to the key ID in the response and verifies the signature over the challenge against the original, unsigned challenge.
  • Once it is verified, the AD returns a session key which is encrypted with the device’s public key and an authentication token that is signed using the session key.
  • The device now uses its own private key to decrypt the session key and then uses that key to decrypt the authentication token.
  • This authentication token is then used to gain access to the web application.
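The challenge-response exchange above, modeled in Go as an added example (not code from this page or from Microsoft): RSA-PSS stands in for the device credential, the session key of step five is wrapped with RSA-OAEP to the device public key, and the authentication token of the last two steps is left out for brevity. The in-memory maps and function names are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// IdP-side state (assumed, in-memory): public keys by key ID, and challenges issued but not yet answered.
var idpPubKeys, idpIssued = map[string]*rsa.PublicKey{}, map[string]bool{}
// Enroll generates the device key pair (held in the TPM with Passport) and registers the public half.
func Enroll(keyID string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	idpPubKeys[keyID] = &priv.PublicKey
	return priv, nil
}

// Challenge issues a fresh 32-byte nonce and records it so that it can be answered only once.
func Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	idpIssued[string(c)] = true
	return c
}

// SignChallenge is the device's response: an RSA-PSS signature over SHA-256(challenge).
func SignChallenge(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// VerifyAndIssueSession: look up the key ID, verify the signature, retire the challenge, wrap a session key.
func VerifyAndIssueSession(keyID string, challenge, sig []byte) ([]byte, error) {
	pub, ok := idpPubKeys[keyID]
	if !ok || !idpIssued[string(challenge)] {
		return nil, errors.New("unknown key ID or challenge not outstanding")
	}
	delete(idpIssued, string(challenge)) // one-time use: a replayed response fails the check above
	h := sha256.Sum256(challenge)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 32)
	rand.Read(sessionKey) // only the holder of the device private key can unwrap this (RSA-OAEP)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
}
```

The device side of step six is rsa.DecryptOAEP with the same SHA-256 parameters under its private key; note that the IdP never holds anything but public keys, which is why a breach of its store yields no usable credential.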

Implementing Microsoft Passport makes the computing experience easier and more secure at the same time. Passwords, which may be a weak link in online security, are being phased out and replaced by Windows Hello and Microsoft Passport.

Passport in an organization:

When you implement Passport in an organization, you must prepare the users so that they can fully utilize its security capabilities. Before deploying Passport, you must consider various policy settings, such as maximum and minimum PIN length; the number of uppercase letters, lowercase letters, special characters and digits; Trusted Platform Module (TPM) use; biometrics; and so on. The steps for setting up Microsoft Passport on an enterprise user's device are as follows:

Configuring on organization-owned devices:

  • During the initial setup of a new Windows device, on the “Who Owns This PC” screen, select “This device belongs to my organization” to connect the device to the organization's domain.
  • On the next screen, choose how you will connect the device to the organization, based on your organization's network configuration.
  • Next, sign in and confirm your identity through a phone call, an authentication app, a text message, or another method.
  • Once the verification is completed successfully, the PIN is generated. Passport will display the complexity criteria, such as maximum length, on the “Create a work PIN” screen.
  • After configuring the Passport, you will be automatically logged in. You can use the PIN to unlock the device.

Configuring on personal devices:

  • To access workplace resources from a personal device, go to Settings → Accounts → Work or school and add a work account.
  • Then, sign in with your work credentials.
  • Select a method for obtaining the verification code.
  • Following verification, a new PIN is generated.
  • You can also remove the work account from your personal device by going to Settings → Accounts → Work or school. Select the registered work account and then click Unjoin.

Note: Passport will allow you to access any token-based resource on the configured personal device without having to enter your credentials.

Benefits of Microsoft Passport:

Passport's biggest advantage is found in an organizational context, where an employee can access business resources conveniently after providing the necessary credentials during Passport setup.

  • Passport helps in the protection of user identities and credentials.
  • Phishing and brute-force attacks are rendered ineffective since passwords are not utilized.
  • Since Passport credentials are asymmetric key pairs, a breach of the server does not expose usable credentials.
  • Passport helps prevent replay attacks when keys are created in an isolated Trusted Platform Module (TPM) environment.
  • Passport for personal devices helps alleviate user concerns about the enterprise gaining access to personal credentials by keeping work and personal credentials in different containers.

Windows has developed a highly effective solution to user security. The majority of this is due to Microsoft Passport, which uses two-factor authentication and a PIN or biometric instead of passwords. Passport may be used to log in to a Microsoft account, an Azure Active Directory account, or even non-Microsoft services that use Fast IDentity Online (FIDO). Therefore, to get the most benefit and security from Windows, consider utilizing Passport as a replacement for passwords.
