Why would I get shot of passwords?
User authentication is due an upgrade. Hopefully you are familiar with the multitude of reasons why passwords are a poor way to prove identity, and with the compelling arguments for moving away from them. Those reasons include, but are not limited to, the prevalence of password sharing amongst MPs, highlighted recently by Nadine Dorries. A shared password hands over the whole identity; a credential bound to one device and one user's gesture cannot be passed around in the same way, so if we were less reliant on passwords, such embarrassing lapses in basic security would be far harder to commit.
I touch on the reasoning in previous blogs, which are useful reading if you haven’t already read them.
- Intrusion detection with Microsoft Azure & Office 365
- Security breach solutions: Microsoft Office 365 & Azure
Along with these two very well written breach analysis pieces:
- Google Online Security Blog: New research: Understanding the root cause of account takeover
- How Azure Security Center unveils suspicious PowerShell attack
Gaining an understanding of credential stuffing is very useful when considering modern security threats, especially password security. These two blogs describe the issue very well:
- Password reuse, credential stuffing and another billion records in Have I been pwned
- Credential Stuffing: How breached credentials are put to bad use.
Apple has been making great noise lately about the Face ID sign-on capability of the iPhone X, something other vendors have had available for years. The average consumer is now perfectly happy to unlock a phone or other computing device with a fingerprint, face scan or iris scan. In short… biometrics.
Thanks to consumer convenience, the decades long argument against use of biometrics has been overcome! And this is great news for the enterprise.
This change in user mindset means that we can now, finally, look to replace the password as the primary user authentication method. And in a Microsoft powered enterprise, this takes the form of Windows Hello.
Microsoft has not been sleeping through this revolution, and has integrated native biometric user authentication into Windows. The result is a platform called Windows Hello and, for our interest here, Windows Hello for Business. Hello verifies the biometric, or the PIN, locally: the template never leaves the device, and neither does the gesture. What the enrolment actually creates is an asymmetric key pair (or a certificate) for that user on that device, protected by the TPM where the device has one; the enrolment itself is gated by multi-factor authentication, and from then on the biometric or PIN simply unlocks the private key.
A graphical representation of the user authentication process is provided below, borrowed from a Microsoft Docs article.
This removes a whole class of risk around typing, passing and storing user credentials, because there is no shared secret: the service holds only the public key and only ever receives a signature over a fresh challenge, so there is nothing to phish, capture on the wire or replay. The credential is also bound to one user on one device, which gives the organisation more reason to trust its accountability records of who accessed which resources. It is not a cure-all, though: once signed in, the tokens and tickets a session receives are as valuable as ever, so device health and endpoint protection still matter.
User authentication options
The first type of Hello credential, and the one every enrolment must set up as the fallback for when a biometric sensor is missing or fails to recognise you, is a PIN.
Unlike many platforms, the PIN length and complexity are configurable by policy, and Microsoft has published a blog article on the complexity checks a PIN must pass.
Windows rejects PINs that follow a keypad pattern and are therefore very common, such as a repeated digit or every second number (1-3-5-7). It is neither uncommon nor unreasonable to ask users for a 6 or 8 digit PIN rather than the default minimum of 4, and the policy gives much greater flexibility and security than a fixed four-digit code.
The PIN is not a password: it is never stored in clear or transmitted, but is checked locally (inside the TPM where the device has one, which also limits guess attempts) and unlocks the user's private key. Nothing crosses the wire, or the air, except a signature over the service's challenge.
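To make the key-based flow described above concrete, here is an added example (not code from the original post, and not Microsoft's implementation) that models the enrolment and sign-in steps in PowerShell using .NET's ECDsa classes. Everything runs in one process: the $Server hashtable stands in for Azure AD or AD, the object returned by Register-HelloKey for the user's laptop, and a SHA-256 hash of the PIN for the gesture check that a real device performs inside the TPM with guess rate-limiting. The function names, the pattern check, and the constructed user, device ID and PIN values are all assumptions of the example.

```powershell
# Added example modelling the Hello for Business enrolment and sign-in flow
# described above. Not Microsoft's code: $Server stands in for Azure AD / AD,
# the object returned by Register-HelloKey for the user's machine, and the
# SHA-256 PIN hash for the gesture check a real device does inside the TPM.
# Function names, the user, device ID and PINs are constructed for illustration.
# Needs PowerShell 5.1 or 7 (.NET ECDsa).
using namespace System.Security.Cryptography
using namespace System.Text

# Reject PINs that are too short or follow a keypad pattern (1111, 1234, 1357).
# Illustrative only; it is not the complexity rule Windows itself applies.
function Test-PinAcceptable {
    param([Parameter(Mandatory)][string]$Pin, [int]$MinimumLength = 4)
    if ($Pin.Length -lt $MinimumLength -or $Pin -notmatch '^\d+$') { return $false }
    $digits = @(foreach ($c in $Pin.ToCharArray()) { [int][string]$c })
    $steps  = @(foreach ($i in 1..($digits.Count - 1)) { $digits[$i] - $digits[$i - 1] })
    # One constant difference between neighbours (0 for 1111, 1 for 1234,
    # 2 for 1357) means the whole PIN is a single pattern.
    return @($steps | Select-Object -Unique).Count -gt 1
}

# Stand-in for the TPM's gesture check: the PIN is never kept in clear or sent.
function Get-PinHash {
    param([string]$Pin)
    $hash = [SHA256]::Create().ComputeHash([Encoding]::UTF8.GetBytes($Pin))
    return [Convert]::ToBase64String($hash)
}

# The identity provider holds public keys and outstanding challenges only.
$Server = @{ Keys = @{}; Nonces = @{} }

# Enrolment: MFA first, then a key pair is created on the device and only the
# public half is registered against the user/device pair.
function Register-HelloKey {
    param([string]$User, [string]$DeviceId, [string]$Pin, [bool]$MfaPassed, [int]$MinimumPinLength = 6)
    if (-not $MfaPassed) { throw 'Enrolment requires a completed MFA challenge' }
    if (-not (Test-PinAcceptable -Pin $Pin -MinimumLength $MinimumPinLength)) {
        throw 'PIN is too short or follows a pattern'
    }
    $key = [ECDsa]::Create()                      # private key stays on the device
    $publicOnly = [ECDsa]::Create()
    $publicOnly.ImportParameters($key.ExportParameters($false))   # Q only, no D
    $Server.Keys["$User/$DeviceId"] = $publicOnly
    return @{ User = $User; DeviceId = $DeviceId; Key = $key; PinHash = (Get-PinHash $Pin) }
}

# Sign-in step 1: the service issues a fresh random nonce for this user/device.
function New-ServerChallenge {
    param([string]$User, [string]$DeviceId)
    $nonce = [byte[]]::new(32)
    [RandomNumberGenerator]::Create().GetBytes($nonce)
    $Server.Nonces[[Convert]::ToBase64String($nonce)] = @{ User = $User; DeviceId = $DeviceId; Used = $false }
    return ,$nonce
}

# Sign-in step 2: the device checks the gesture locally and, only if it passes,
# signs the nonce. No PIN, hash or key crosses the wire; just the signature.
function Invoke-HelloSignIn {
    param($Device, [string]$PinEntered, [byte[]]$Nonce)
    if ((Get-PinHash $PinEntered) -ne $Device.PinHash) { return $null }
    $sig = $Device.Key.SignData($Nonce, [HashAlgorithmName]::SHA256)
    return ,$sig
}

# Sign-in step 3: the service verifies with the registered public key. The nonce
# is single-use, so a captured signature cannot be replayed.
function Confirm-HelloSignIn {
    param([string]$User, [string]$DeviceId, [byte[]]$Nonce, [byte[]]$Signature)
    $record = $Server.Nonces[[Convert]::ToBase64String($Nonce)]
    if ($null -eq $record -or $record.Used -or $record.User -ne $User -or $record.DeviceId -ne $DeviceId) {
        return $false
    }
    $record.Used = $true
    $publicKey = $Server.Keys["$User/$DeviceId"]
    if ($null -eq $publicKey -or $null -eq $Signature) { return $false }
    return $publicKey.VerifyData($Nonce, $Signature, [HashAlgorithmName]::SHA256)
}

# Constructed walk-through.
$user = 'alice@contoso.example'; $deviceId = 'LAPTOP-01'
$device = Register-HelloKey -User $user -DeviceId $deviceId -Pin '492718' -MfaPassed $true

$nonce  = New-ServerChallenge -User $user -DeviceId $deviceId
$sig    = Invoke-HelloSignIn -Device $device -PinEntered '492718' -Nonce $nonce
$first  = Confirm-HelloSignIn -User $user -DeviceId $deviceId -Nonce $nonce -Signature $sig
$replay = Confirm-HelloSignIn -User $user -DeviceId $deviceId -Nonce $nonce -Signature $sig

$nonce2 = New-ServerChallenge -User $user -DeviceId $deviceId
$bad    = Invoke-HelloSignIn -Device $device -PinEntered '123456' -Nonce $nonce2
$leak   = $Server.Keys["$user/$deviceId"].ExportParameters($false).D

"Correct PIN, fresh nonce accepted: $first"
"Same signature replayed:           $replay"
"Wrong PIN produced a signature:    $($null -ne $bad)"
"Service holds a private key:       $($null -ne $leak)"
```

The walk-through shows the three properties the post relies on: the first verification succeeds, the second (a replay of the same signature) is rejected because the nonce has been consumed, a wrong PIN never produces a signature at all because the gesture check happens on the device, and a compromise of the service's store yields public keys only. Swap the in-memory hash for a TPM-held key and you have the shape of what Hello for Business actually does.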
More than a PIN
The wider, and more interesting, options are the biometric and companion-device options provided by Hello-certified hardware, including:
- Finger print scanners
- Facial recognition cameras
- Iris scanners
- Fitness tracker
- Future presence/identity factors
Fingerprint scanners are possibly the most familiar of the biometric sign in methods used today, as seen in most modern smart phones. The premise is simple. Instead of using your password, you press, or run your finger, over the scanner, and that provides your user authentication to the system.
This is an extremely intuitive process, and there are many, many Hello-compatible fingerprint scanners available, including the majority of those fitted to laptops over the last 5 or so years. Add-on fingerprint scanners for desktop systems can be purchased either built into a keyboard, or as a standalone USB device, from as little as £20, such as:
Capacitive fingerprint scanners all work in a similar manner, as described in this howstuffworks article. The output of an enrolment scan is stored as a template of the ridge features (minutiae) rather than a picture of your fingerprint, and each later scan is compared against that template for a match; the template, like the PIN, never leaves the device.
Windows Hello fingerprint scanners must have a False Acceptance Rate (a false positive allowing unauthorised access) of less than 0.002% for touch and swipe sensors, that is, fewer than 1 false acceptance per 50,000 attempts. They must also have a False Rejection Rate of less than 10%, so that genuine users are not frustrated or hindered by the technology. Note that the FAR is a per-attempt figure, which is why Windows falls back to the PIN after repeated failed biometric attempts rather than allowing unlimited tries.
Facial recognition cameras
Facial recognition cameras have taken longer to become a normal mainstream feature included on systems, largely due to prohibitive cost.
Many mid-range and above systems are now equipped with 3D face-scanning cameras, typically using Intel's RealSense system. However, other manufacturers, such as Realtek, have now entered the market.
Some PC monitors now include such cameras, and there are an increasing number of standalone cameras available for desktop use. See some examples below:
The false acceptance requirement for facial recognition is stricter than for fingerprint: 1 in 100,000 (0.001%). This matters for a method whose reliability is regularly questioned. Hello-certified cameras also image in infra-red, so a photograph or video of the user is not accepted as the user.
The biggest benefit of using facial recognition is the above-mentioned ability to simply be present at your computer. You just look at it to authenticate. This is so convenient and re-authentication is performed via Hello face recognition whenever any service requests authentication or re-authentication, happening so fluidly as to be imperceptible to the user.
The iris scanner is the least common method. The most prevalent system to have employed one is the now-retired Microsoft Lumia 950 range of smartphones. Implementation is simpler than facial recognition, needing only a near-infra-red camera rather than a depth-sensing array, but the effective range is much shorter and the camera must be much closer to the user. That proximity requirement has so far kept iris scanners rare in consumer devices, as they are more practical in handheld devices than in desktops and laptops.
Like facial recognition, this method uses a special camera to view your eye, and uses the unique texture of your iris (not the blood vessels, which is retina scanning) much like a fingerprint, to identify you. Also like facial recognition, this can facilitate the "look to sign in" ability.
However, as noted by many users of the 950 series, iris scanners can currently be a bit more temperamental in identifying the user. They can be subject to more interference from the infra-red spectrum (like the sun) and can be slower than current facial recognition and finger print scanners to authenticate.
That said, it is believed that iris recognition should also be the most secure of the current methods to authenticate a user. Iris scanners would be supported with Windows Hello as long as they are able to meet or exceed the detection and authentication rates of face scanners.
What about convenience vs security?
The biggest blocker to implementing alternative authentication, and especially Multi-Factor Authentication, is the addition of any intrusive, or less intuitive, working practices to the users’ standard experience.
People will always head towards the path of least resistance. Historically, adding security layers on top of the standard logon results in user and managerial push-back, poor adoption, and the proliferation of "shadow IT" (unauthorised use of unmanaged and unregulated systems and services in place of those under the control and oversight of the organisation).
The result is an overall reduction in the security of the organisation and of the data it holds and handles.
Windows Hello and these new generation of authentication services reduce the users’ effort to log on, access and authenticate to work resources, whilst also increasing security.
Take logon and authentication prompts, for example.
Currently, at the very least, a user would have to:
- sit down at their computer
- dismiss the lock screen
- enter a password.
This is a standard user behaviour to which we are accustomed, thanks to years of experience and use. With Windows Hello, this can be distilled down to one bullet point:
- Sit down at your computer.
If a user needs their user authentication refreshed for any reason, such as a non-SSO application which uses AD credentials, the user would not need to re-enter credentials. They just have to be present at their machine to pass the Hello authentication.
Windows 10 dynamic lock
A common sore point from a security standpoint, and a classic oversight in physical system security, is locking computers when they are not in use. The average end user, and even IT and admin users, will from time to time forget to lock their computer when they pop out for a coffee or go to the loo. These are common day-to-day scenarios in which the anticipated time away from the system can extend significantly without warning.
Many solutions to this have been attempted over the years. For example smart card removal lock (or dragging your computer off the desk as you walk away attached to it) and low screensaver timeouts with password unlock (very frustrating when trying to read a large document).
Now a new capability is available with the Windows 10 Creators Update and onwards: "Dynamic Lock".
When users walk away from their computer they may forget to lock it, or to remove their smart card, but they generally don't leave their mobile behind. Dynamic Lock uses the Bluetooth signal strength (RSSI) of a paired phone to judge when it has moved out of range of the computer, and then locks the computer. Two caveats for anyone relying on it: the check is periodic, so there is a short delay between walking away and the lock, and Bluetooth range is fuzzy. Treat it as a safety net alongside, not instead of, a screen-lock timeout and the habit of pressing Win+L.
And this is not limited to use with a mobile phone. How many users nowadays have a fitness tracker of one kind or another? These typically sync using Bluetooth and support pairing with more than one device. Pair the fitness tracker that adorns your wrist with your computer, and the same process applies! Simple.
The increasing prevalence of 3D cameras in laptops and screens, often with eye-tracking capabilities (such as Tobii eye tracking), points to another feature potentially coming in the future: the literal ability for the computer to lock and unlock as you stop looking at it and then look back. Once the system sees that you are no longer seated in front of the machine, it will lock.
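Dynamic Lock is driven by a "signal rule" that the Group Policy setting Windows Hello for Business > Configure dynamic lock factors hands to Windows as a short piece of XML. The following is an added example (not from the original post) that builds and validates that rule in PowerShell and reads back or applies the policy. The rule shape and the default values (a bluetooth signal, scenario "Dynamic Lock", class of device 512 for a phone, rssiMin and rssiMaxDelta of -10) are Microsoft's published defaults; the registry location under the PassportForWork policy key is an assumption and should be checked against the ADMX before you rely on it. The function names are the example's own.

```powershell
# Added example, not from the original post. Builds the Dynamic Lock signal rule
# that "Configure dynamic lock factors" supplies as XML, validates it, and can
# read or write the policy. Assumption: the policy lives under the
# PassportForWork\DynamicLock key below; confirm against the ADMX before use.
# Applying requires an elevated session.
$DynamicLockPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\DynamicLock'  # assumed

function New-DynamicLockRule {
    param(
        [int]$ClassOfDevice = 512,   # Bluetooth major device class "phone" (0x200)
        [int]$RssiMin       = -10,   # lock once the signal falls below this level
        [int]$RssiMaxDelta  = -10    # ...or drops by this much from its starting level
    )
    $rule = '<rule schemaVersion="1.0"><signal type="bluetooth" scenario="Dynamic Lock" classofDevice="{0}" rssiMin="{1}" rssiMaxDelta="{2}"/></rule>' -f $ClassOfDevice, $RssiMin, $RssiMaxDelta
    $null = [xml]$rule   # throws here, not at policy refresh time, if the XML is malformed
    return $rule
}

function Set-DynamicLockPolicy {
    param([string]$Rule = (New-DynamicLockRule))
    if (-not (Test-Path $DynamicLockPolicyPath)) { New-Item -Path $DynamicLockPolicyPath -Force | Out-Null }
    New-ItemProperty -Path $DynamicLockPolicyPath -Name DynamicLock -PropertyType DWord  -Value 1     -Force | Out-Null
    New-ItemProperty -Path $DynamicLockPolicyPath -Name Plugins     -PropertyType String -Value $Rule -Force | Out-Null
}

function Get-DynamicLockPolicy {
    if (-not (Test-Path $DynamicLockPolicyPath)) { return $null }
    $p = Get-ItemProperty -Path $DynamicLockPolicyPath
    $signal = if ($p.Plugins) {
        ([xml]$p.Plugins).rule.signal | Select-Object type, scenario, classofDevice, rssiMin, rssiMaxDelta
    }
    [pscustomobject]@{ Enabled = ($p.DynamicLock -eq 1); Signal = $signal; Rule = $p.Plugins }
}

# Show the default rule; apply it (elevated) and read it back.
$rule = New-DynamicLockRule
$rule
# Set-DynamicLockPolicy -Rule $rule
# Get-DynamicLockPolicy
```

Once the policy is in place the user still has to pair the phone and tick "Allow Windows to automatically lock your device when you're away" under Settings > Accounts > Sign-in options. The RSSI thresholds are tunable through the two parameters, but bear in mind that Bluetooth signal strength is noisy, so an aggressive threshold trades fewer unlocked-desk minutes for spurious locks while the user is still at the keyboard.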
How much more do we need to deploy to use this?
Some of the Hello capabilities require compatible hardware to be physically present in the device. However, for many years most business laptops have come equipped with, at the very least, a fingerprint scanner, and increasingly newly purchased systems come with Hello-compatible 3D cameras.
Beyond ensuring your device estate is equipped with the correct hardware at the next refresh interval, the infrastructure required to deploy this can be minimal. For a ‘cloud only’ deployment all you need is:
- Windows 10 (1511 or later) deployed
- Microsoft Azure account
- Azure Active Directory
- Azure multifactor authentication
Whilst additional functionality can be provided, with enhanced experiences through Intune and Azure AD Premium subscriptions on top of the above, it is the bare minimum required.
Most organisations will be looking at deploying a hybrid or on-premises implementation of Hello for Business, which does require a bit more in terms of resources and planning. It’s still not too drastic though. Items worth noting in relation to configuration are largely in the ‘run the latest’ or at least, be fairly current, category, such as:
- Windows Server 2016 Schema
- Windows Server 2008 R2 Forest (Domain) functional level
- Windows Server 2016 Domain Controllers (or 2008 R2 with Certificate trust)
- Windows Server 2012 or later Certification Authority.
As you can see, this requires configuration elements such as a Certification Authority. The full requirements are in the table below, as found on the Windows Hello for Business Prerequisites page:
The choice here depends primarily on which of the variables in the above table best match your current and desired platform configuration. The two that matter most are:
- Management method (Group Policy or Intune)
- Trust method (Certificate or Key).
Whilst this is a fairly large list of requirements, most organisations with Azure or Office 365 will have a lot of the other prerequisites already in place. Any organisation looking to operate BYOD, or modern mobile-first working practices, is likely to have almost all of this in place already.
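Before a hybrid or on-premises pilot it is worth confirming the directory-side prerequisites listed above rather than assuming them. The following is an added check (not from the original post) that reads the schema version, functional levels, domain controller versions and enterprise CAs out of Active Directory, and parses the client-side dsregcmd /status output. It needs the ActiveDirectory RSAT module in a domain-joined session. Assumptions: objectVersion 87 is the Windows Server 2016 schema (taken from the published schema version table), the "2008 R2 or later" and "2016 or later" thresholds mirror the post's own list, and the dsregcmd field names are those printed by recent Windows 10 and 11 builds.

```powershell
# Added check, not from the original post. Reads the Hello for Business
# on-premises prerequisites out of AD. Assumptions: schema objectVersion 87 =
# Windows Server 2016; thresholds follow the post's list; dsregcmd field names
# are as printed on recent Windows 10/11. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-HelloForBusinessPrereqs {
    $rootDse       = Get-ADRootDSE
    $schemaVersion = (Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
    $forestMode    = (Get-ADForest).ForestMode.ToString()
    $domainMode    = (Get-ADDomain).DomainMode.ToString()
    $dcs           = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem
    $modernDcs     = @($dcs | Where-Object OperatingSystem -match 'Server (2016|2019|2022|2025)')

    # Every enterprise CA registers itself under Enrollment Services in the
    # configuration partition; no objects there means no enterprise CA.
    $caBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
    $cas = @(Get-ADObject -SearchBase $caBase -Filter "objectClass -eq 'pKIEnrollmentService'" `
                          -Properties dNSHostName -ErrorAction SilentlyContinue | Select-Object Name, dNSHostName)

    [pscustomobject]@{
        SchemaVersion       = $schemaVersion
        SchemaIs2016OrLater = ($schemaVersion -ge 87)
        ForestMode          = $forestMode
        DomainMode          = $domainMode
        FunctionalLevelOk   = ($forestMode -match '2008R2|2012|2016|2025' -and $domainMode -match '2008R2|2012|2016|2025')
        DomainControllers   = $dcs
        # Key trust needs 2016 or later DCs; certificate trust can work with 2008 R2 DCs plus a CA.
        KeyTrustReady       = ($modernDcs.Count -ge 1)
        EnterpriseCAs       = $cas
        CertTrustReady      = ($cas.Count -ge 1)
    }
}

# Client side: pull the fields that matter out of dsregcmd /status. Run it as the
# user (not elevated) or the user-state lines are not shown.
function Get-HelloClientStatus {
    $status = dsregcmd /status
    $wanted = 'AzureAdJoined', 'DomainJoined', 'NgcSet', 'KeyProvider', 'TpmProtected', 'PreReqResult'
    $found  = @{}
    foreach ($line in $status) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and $wanted -contains $Matches[1]) {
            $found[$Matches[1]] = $Matches[2]
        }
    }
    return [pscustomobject]$found
}

Test-HelloForBusinessPrereqs | Format-List
Get-HelloClientStatus
```

Read the two results together: KeyTrustReady and CertTrustReady tell you which trust method the directory can support today, which is the second of the two decisions above. On the client, NgcSet shows whether the user already has a Hello key, KeyProvider and TpmProtected show whether that key is in the TPM rather than a software key store, and PreReqResult is Windows' own verdict on whether it will provision a key at next sign-in.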
The spread of fitness trackers, biometric equipped phones, laptops, monitors, and the array of personal Bluetooth equipped devices will only increase the ability for user authentication practices to make use of features such as Hello authentication and Dynamic Lock.
It is entirely possible to remove the need for users to manage and use passwords for their main corporate identities. Wider adoption, integration, and federation of identity will further reduce the risk posed by passwords.
The systems and functionality available to improve user and system security, whilst also improving the user experience and convenience, are growing constantly and accelerating.
Passwords are the biggest risk to security currently faced by organisations and users. Windows Hello for Business is ready for use, and if you haven’t started evaluating alternatives to password and methods to mitigate the risk of passwords in your organisation, now is the time!
How Can Silversands help?
Silversands specialises in Cloud & Hybrid Infrastructure and Microsoft 365. Getting the most out of your IT investment often requires some expert professional services and support. To start a conversation about your needs please complete the form below, or come and talk to us face-to-face at our regular workshops. We're also very active bloggers and commentators around Microsoft Office 365, SharePoint and Azure, so please do follow us on Twitter and LinkedIn.