
How to use Microsoft passport in Windows 10

February 18, 2020 by Greg Belding

Passwords, the long-relied-upon information security measure that helps secure billions of user accounts daily, have become a little long in the tooth. When you consider advances in attack techniques and information security technology, the days of the password are numbered. This raises the question of what to do about user privacy on Windows 10 devices.

Over recent years, new methods of authentication have emerged to fill this gap, and Microsoft Passport is one such method that deserves exploration. This article details how to use Microsoft Passport in Windows 10: what Microsoft Passport is, a little about how it works, its prerequisites and how to implement it in your organization.


What is Microsoft passport?

Microsoft Passport is a user authentication measure new to Windows 10 and is the response to the user privacy issue mentioned above. Instead of relying on a traditional password for user account security, Microsoft Passport uses two-factor authentication (2FA).

The two factors of this authentication method are usually the Windows device itself and a PIN chosen by the user. This offers enhanced information security over the password and, in many ways, makes the concept of the traditional password obsolete. It can be used to log into:

  • Microsoft accounts
  • Azure Active Directory Accounts
  • Active Directory accounts
  • Non-Microsoft services that can support Fast ID Online (FIDO)

A little about how Microsoft passport works

Microsoft Passport uses a certificate based on an asymmetric key pair to keep user credentials secure. When the account is registered, a key pair is generated, and its public key identifies the user whenever they log in.

The user chooses a gesture (a PIN or a biometric), which is linked to the certificate. The Windows device attests to this certificate when it has a TPM 1.2 or 2.0; if the device has no supported TPM, a software-based key is used instead. The private key always remains on the device and forms one half of the 2FA, with the user gesture forming the other half.

Key-based vs. certificate-based

Microsoft Passport can use either hardware (key-based) or software (certificate-based) to perform identity authentication. Key-based, in which the TPM generates the key, is the most secure method.

In this scenario, an Endorsement Key (EK) certificate remains in the TPM. The EK creates the root of trust for all keys its TPM generates and is used to create an Attestation Identity Key (AIK). The AIK serves as proof to identity providers, through an attestation claim, that the keys were generated by the same TPM.

Certificate-based refers to software identity authentication, used where the Windows device has no TPM. Organizations that run a Public Key Infrastructure (PKI) can use it together with certificate-based Microsoft Passport for certificate management. This is not as secure as key-based identity authentication, which should be used whenever the device has a TPM.
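The registration and sign-in flow described in the two sections above, as an added simulation that is not Microsoft's code: the device generates the key pair, only the public key reaches the identity provider, and at sign-in the gesture merely unlocks the private key to sign a fresh nonce. The PIN-hash gate, ECDSA P-256 and the type names are assumptions for the simulation; the TPM attestation step (EK/AIK) is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)
// Device models the Windows device; the private key never leaves it.
type Device struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte // constructed stand-in for the Passport-protected gesture check
}
// Provider models the identity provider; it only ever holds public keys.
type Provider map[string]*ecdsa.PublicKey
// Register creates the key pair on the device and hands the provider only the public half.
func Register(user, pin string, p Provider) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	p[user] = &priv.PublicKey
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}
// Sign releases the private key only when the gesture matches; only the signature leaves the device.
func (d *Device) Sign(pin string, nonce []byte) ([]byte, bool) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, false // wrong gesture: the key stays locked
	}
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
	return sig, err == nil
}
// Verify checks a signed nonce against the user's registered public key.
func (p Provider) Verify(user string, nonce, sig []byte) bool {
	digest := sha256.Sum256(nonce)
	return p[user] != nil && ecdsa.VerifyASN1(p[user], digest[:], sig)
}
// Login is one sign-in: fresh nonce (no replay), gesture-gated signature, provider-side check.
func Login(user, pin string, dev *Device, p Provider) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	sig, ok := dev.Sign(pin, nonce)
	return ok && p.Verify(user, nonce, sig)
}
```

Note that neither the PIN nor the private key is ever sent: a wrong gesture fails locally, and a signature captured for one nonce does not verify for another.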

Microsoft passport prerequisites

The following are the prerequisites for Microsoft Passport, both key-based and certificate-based. 

Key-based authentication

Azure AD

  • Azure AD subscription

On-premises AD

  • Active Directory Federation Service (AD FS), originally released in Windows Server 2016 Technical Preview
  • On-site domain controllers for Windows Server 2016 Technical Preview
  • MS System Center 2012 R2 Configuration Manager SP2

Azure AD/AD hybrid

  • Azure AD subscription and AD Connect
  • On-site domain controllers for Windows Server 2016 Technical Preview
  • Config Manager SP2

Certificate-Based Authentication

Azure AD

  • Azure AD subscription
  • Non-Microsoft Mobile Device Management (MDM) solution or Intune
  • PKI infrastructure

On-premises AD

  • AD FS
  • Active Directory Domain Services (AD DS) Windows Server 2016 TP schema
  • PKI infrastructure
  • Non-Microsoft MDM, Intune or Config Manager SP2

AD/Azure AD hybrid

  • PKI infrastructure
  • Azure AD subscription
  • Non-Microsoft MDM, Intune or Config Manager SP2

Implementation of Microsoft Passport in organizations

Proper implementation of Microsoft Passport requires proper policy configuration. Consider the following policy factors when implementing Microsoft Passport in your organization.

Hardware TPM required

This value is set to No by default. When this value is changed to Yes, Microsoft Passport can only be provisioned with a TPM. If you leave it as No, it can be provisioned with software when no TPM is available and will use the TPM if it is available.

Maximum PIN length

The maximum PIN length is set to 127 characters by default. A longer PIN is harder for an attacker to guess.

Minimum PIN length

By default, the minimum PIN length is set to 4 and cannot be made shorter. This value also cannot be higher than the maximum PIN length.

Uppercase letters

Covering both the device and user, this value is set to 1 by default, which means that uppercase letters are not allowed for PINs. If you change this value to 2, at least one uppercase letter will be required for PINs.

Lowercase letters

This value is set to 1 by default, meaning that lowercase letters are not allowed. When this value is changed to 2, at least one lowercase letter will be required.

Special characters

This value is also set to 1 by default, meaning that it does not allow any special characters. Changing this value to 2 will require your PIN to have at least one special character. 

Digits

This value is set to 2 by default, which means you will have to use at least one digit in your PIN. If you make no changes to the policy values, you will need to use at least four digits as your PIN.

Biometrics

The default value of this policy is set to No. This means that unless you change the value to Yes, only a PIN will be allowed as your Microsoft Passport.
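The PIN policy values just listed, as an added checker that is not Microsoft's code and that keeps the article's numbering (1 = not allowed, 2 = required): it rejects a policy that breaks the two length rules and reports every way a candidate PIN falls short. The type and function names, and the treatment of any rune that is neither a letter nor a digit as a special character, are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Requirement uses the article's numbering: 1 = not allowed, 2 = required.
type Requirement int
const NotAllowed, Required Requirement = 1, 2
// PINPolicy holds the policy values described above.
type PINPolicy struct {
	MinLength, MaxLength          int
	Upper, Lower, Special, Digits Requirement
}

// DefaultPolicy is the out-of-the-box configuration: 4 to 127 characters, digits only.
var DefaultPolicy = PINPolicy{MinLength: 4, MaxLength: 127,
	Upper: NotAllowed, Lower: NotAllowed, Special: NotAllowed, Digits: Required}
// isSpecial treats anything that is neither a letter nor a digit as a special character.
func isSpecial(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }

// Check returns every violation; an empty result means the PIN satisfies the policy.
// A policy whose lengths break the rules stated above is rejected before the PIN is examined.
func (p PINPolicy) Check(pin string) []string {
	if p.MinLength < 4 || p.MinLength > p.MaxLength {
		return []string{fmt.Sprintf("invalid policy: minimum %d must be 4 or more and not above maximum %d", p.MinLength, p.MaxLength)}
	}
	var v []string
	if n := len([]rune(pin)); n < p.MinLength || n > p.MaxLength {
		v = append(v, fmt.Sprintf("length %d is outside %d-%d", n, p.MinLength, p.MaxLength))
	}
	classes := []struct{ name string; has bool; req Requirement }{
		{"uppercase", strings.IndexFunc(pin, unicode.IsUpper) >= 0, p.Upper},
		{"lowercase", strings.IndexFunc(pin, unicode.IsLower) >= 0, p.Lower},
		{"special", strings.IndexFunc(pin, isSpecial) >= 0, p.Special},
		{"digit", strings.IndexFunc(pin, unicode.IsDigit) >= 0, p.Digits},
	}
	for _, c := range classes {
		if c.req == NotAllowed && c.has {
			v = append(v, c.name+" characters are not allowed")
		} else if c.req == Required && !c.has {
			v = append(v, "at least one "+c.name+" character is required")
		}
	}
	return v
}
```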

Conclusion

Let’s face it: the password is probably going to join the ranks of the floppy drive soon. Windows 10 has introduced Microsoft Passport as an alternative method of user authentication. With the power of 2FA, Microsoft Passport is a more secure authentication method than passwords and may be the way of the future.

Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.