Microsoft Passport

Using a password is a common approach to protecting and securing a resource. However, using and maintaining passwords has its shortcomings. One challenge is that passwords are hard to remember, especially when complexity requirements are in place. Another is that the repository containing the passwords can be breached. Microsoft offers an alternative to passwords called Microsoft Passport, which was introduced along with Windows Hello in Windows 10. Microsoft Passport was designed around Fast IDentity Online (FIDO) Alliance standards so that it integrates easily with other platforms and services. These standards provide security requirements and methods that go beyond passwords for secure identity management.

It is essential to understand Windows Hello, since it goes hand in hand with Passport to provide authentication and authorization to users in the network. Windows Hello uses a user's biometric information (fingerprint, face, or iris) for authentication. This biometric information is saved to the user's device. If many users share a device, each user has his or her own biometric data saved on that device.

Microsoft Passport allows the user to access applications and website content without a password. It is built on asymmetric cryptography, the same technology that powers devices such as smart cards. Microsoft Passport works with a Microsoft account, an Azure Active Directory account, on-premises Active Directory, and other Windows applications. The user's identity is stored on the device he or she uses, which is what makes it secure: a hacker cannot access the user's account from another location even if the user's password is compromised. Because Windows Hello is integrated with Microsoft Passport, the hacker would also need the user's biometrics to break into the profile, and obtaining that kind of data is a huge challenge.

Once the user is authenticated using biometrics, Microsoft Passport is unlocked and cryptographically authenticates the user to applications and websites. The device has a Trusted Platform Module (TPM) that generates and protects the private key. Once the keys are generated, Microsoft Passport allows the user to sign in to third-party apps or services without interruption.

The following steps explain how Microsoft Passport works:

  • The client attempts to connect to a web application using a browser.
  • The browser uses the Passport API to request access to the identity provider (IDP) key for AD. The IDP sends an authentication challenge to the client device.
  • The device signs the challenge with its private key and sends it back as a response, together with the original challenge and the ID of the key that was used to sign it.
  • AD then fetches the public key corresponding to the key ID in the response and verifies that the signature is valid for the original, unsigned challenge.
  • Once the signature is verified, AD returns a session key, encrypted with the device's public key, and an authentication token that is signed using the session key.
  • The device uses its own private key to decrypt the session key and then uses that key to decrypt the authentication token.
  • This authentication token is then used to gain access to the web application.

Implementing Microsoft Passport makes the computing experience both easier and more secure. Between Windows Hello and Microsoft Passport, passwords, which can be the weak link in our online security, become a thing of the past.
