Introduction

Passwords, the long-relied-upon information security measure that helps secure billions of user accounts daily, have become a little long in the tooth. When you consider advances in attack techniques and information security technology, the days of the password are numbered. This raises the question of what to do about user privacy on Windows 10 devices.

Over the recent years, new methods of authentication security have emerged to fill this security void and Microsoft Passport is one such method that deserves exploration. This article will detail how to use Microsoft Passport in Windows 10, including what Microsoft Passport is, a little about how it works, prerequisites and implementation of Microsoft Passport in your organization. 

What is Microsoft Passport?

Microsoft Passport is a user authentication measure new to Windows 10 and is the response to the user privacy issue mentioned above. Instead of relying on a traditional password for user account security, Microsoft Passport uses two factor authentication (2FA). 

The two factors of this authentication method are usually the Windows device itself and a PIN chosen by the user. This offers enhanced information security over the password and, in many ways, makes the concept of the traditional password obsolete. It can be used to log into:

  • Microsoft accounts
  • Azure Active Directory Accounts
  • Active Directory accounts
  • Non-Microsoft services that can support Fast ID Online (FIDO)

A little about how Microsoft Passport works

Microsoft Passport uses a certificate based on an asymmetrical key pair to keep user information secure. The Microsoft account creates a public key pair upon registration which identifies the user whenever they log in. 

The user will choose a gesture (PIN, biometric) which is linked to a certificate. The Windows device attests to this certificate when it has TPM 1.2 or 2.0. If the device does not have a supported TPM, software is required. The private key always remains on the device and acts as one half of the 2FA with the other half being the user gesture. 

Key-based vs. certificate-based

Microsoft Passport can use either hardware (key-based) or software (certificate-based) to perform identity authentication. Key-based is the most secure method of performing identity authentication where TPMs generate the key. 

In this scenario, an Endorsement Key (EK) certificate remains in the TPM. The EK creates root trust for all keys its TPM generates and is used to create an Attestation Identity Key (AIK). This is used as proof that the keys were generated by the same TPM for identifying providers through an attestation claim.

Certificate-based refers to software identify authentication, which is used where no TPM exists on the Windows device. Organizations that use Public Key Infrastructure (PKI) can use it together with certificate-based Microsoft Passport for certificate management. This is not as secure as key-based identity authentication, which should be used whenever the device has a TPM. 

Microsoft Passport prerequisites

The following are the prerequisites for Microsoft Passport, both key-based and certificate-based. 

Key-based authentication

Azure AD

  • Azure AD subscription

On-premises AD

  • Active Directory Federation Service (AD FS), originally released in Windows Server 2016 Technical Preview
  • On-site domain controllers for Windows Server 2016 Technical Preview
  • MS System Center 2012 R2 Configuration Manager SP2

Azure AD/AD hybrid

  • Azure AD subscription and AD Connect
  • On-site domain controllers for Windows Server 2016 Technical Preview
  • Config Manager SP2

Certificate-Based Authentication

Azure AD

  • Azure AD subscription
  • Non-Microsoft Mobile Device Management (MDM) solution or Intune
  • PKI infrastructure

On-premises AD

  • AD FS
  • Active Directory Domain Services (AD DS) Win Server 2016 TP scheme
  • PKI infrastructure
  • Non-Microsoft MDM, Intune or Config Manager SP2

AD/Azure AS Hybrid

  • PKI infrastructure
  • Azure AD subscription
  • Non-Microsoft MDM, Intune or Config Manager SP2

Implementation of Microsoft Passport in organizations

Proper implementation of Microsoft Passport requires proper policy configuration. Consider the following policy factors when implementing Microsoft Policy in your organization.

Hardware TPM required

This value is set to No by default. When this value is changed to Yes, Microsoft Passport can only be provisioned with a TPM. If you leave it as No, it can be provisioned with software when no TPM is available and will use the TPM if it is available.

Maximum PIN length

The maximum PIN length is set to 127 characters by default. Attackers will have a more difficult time ascertaining a longer PIN.

Minimum PIN length

By default, the minimum PIN length is set to 4 and cannot be made shorter. This value also cannot be higher than the maximum PIN length.

Uppercase letters

Covering both the device and user, this value is set to 1 by default, which means that uppercase letters are not allowed for PINs. If you change this value to 2, at least one uppercase letter will be required for PINs.

Lowercase letters

This value is set to 1 by default meaning that lowercase letters are not allowed for use. When this value is changed to 2, you will be required to use at least one. 

Special characters

This value is also set to 1 by default, meaning that it does not allow any special characters. Changing this value to 2 will require your PIN to have at least one special character. 

Digits

This value is set to 2 by default, which means you will have to use at least one digit in your PIN. If you make no changes to the policy values, you will need to use at least four digits as your PIN.

Biometrics

The default value of this policy is set to No. This means that unless you change the value to Yes, only a PIN will be allowed as your Microsoft Passport.

Conclusion

Let’s face it: the password is probably going to join the ranks of the floppy drive soon. Windows 10 has introduced Microsoft Passport as an alternative method of user authentication. With the power of 2FA, Microsoft Passport is a more secure authentication method than passwords and may be the way of the future.

 

Sources

  1. Microsoft Passport in Windows 10, TheWindowsClub
  2. Microsoft Passport, sourceDaddy
  3. Convenient two-factor authentication with Microsoft Passport and Windows Hello, Windows Blogs

Be Safe

Section Guide

Greg
Belding

View more articles from Greg

As you grow in your cybersecurity career, Infosec Skills is the platform to ensure your skills are scaled to outsmart the latest cyber threats.

Section Guide

Greg
Belding

View more articles from Greg