Share 20-Jan-2020
Passwordless Authentication on Azure AD with ThinC-AUTH biometric security key
Problems with password
Passwords are hard to remember. Having a list of passwords for all your online accounts and changing them as per the policies at regular intervals is a nightmare. Some users store the credentials in browser password manager or third-party password manager applications almost in plaintext format or with weak encryption techniques.
Storing the passwords is not at all secure and its risk to maintain for any user or organization. A breach, which exposes passwords will potentially lead to attacks on the services. Passwords require periodic maintenance/change according to organizations’ IT department reset policies.
Currently, the organizations are mostly using passwords with two factor authentication (2FA) by using e-mail, SMS to provide better security to the accounts. But these are also vulnerable to attacks.
To address above challenges, organizations are highly recommended to move their authentication procedures towards FIDO2 based passwordless or multi-factor authentication solution.
Benefits of passwordless authentication
Improved User Experience
Passwordless methods offer users a seamless process by eliminating the need for passwords. User no longer needs to memorize any credentials whatsoever. Passwordless authentication methods take only a few basic steps which provides great user experience & convenience.
Stronger Security
User-managed passwords are vulnerable to various attacks viz phishing, credential stuffing, brute force attacks, corporate account takeover (CATO), and more. When there is no password to hack in the first place, those vulnerabilities will automatically decrease. Biometric based authentication provides higher levels of identity assurance and protects online accounts from identity theft and account takeover.
Cost Effective
Passwords require periodic change management; and eliminating passwords will not just save time and productivity, but also expenses.
Benefits of biometric security key
A FIDO or FIDO2 hard authentication token without biometrics merely authenticates the holder of the hard token at the time of authentication; it does not necessarily authenticate the original token owner. If a token is lost or misappropriated, it can be used to easily impersonate. To mitigate this risk, FIDO2 tokens without biometrics opt for an additional PIN option. When the token is misappropriated, access could be protected since the PIN is not known the mala fide holder. There are two key risks with the PIN option
- PINs can be hacked by using well known methods like keylogging or screen reading. Since the user enters PIN on the host PC, it is not secure and can be misappropriate. In our case the Pin is used only in the rare case that the Biometrics don’t work – rare because we encourage a user to enroll multiple fingers.
- A denial of access attack can happen if the PIN is reset by a hacker without the knowledge of the token owner. In this the token owner may still own the key, but cannot access.
Further, it should be noted that the token owner sets the PIN (not the enterprise), and hence attribution is badly missing. Let us see why attribution is important for enterprise use cases. When an enterprise issues a hard token (without biometric) to its employee, the employee ends up setting the PIN – the PIN is stored on the device and not known to the enterprise. Now the employee could act maliciously with the token. When the enterprise would like to attribute the malicious intent to the employee, the employee could simply claim that the hard token has been used by someone else or lost and the PIN has been hacked or reset. The enterprise can’t complete the attribution in this case.
FIDO2 Standard
The FIDO Alliance is an open industry association working to provide the passwordless specifications with open standards that are more secure, scalable and interoperable set of mechanisms. FIDO2 Specifications has two components: W3C’s Web Authentication (WebAuthn) specification and FIDO Alliance’s Client-to-Authenticator Protocol (CTAP). WebAuthn shall be implemented on the online service through web API, which supported by most of the latest version of web browsers, and CTAP shall be implemented on the authenticator (Mobile handset or hardware security key).
How does passwordless authentication work?
While performing security key registration for the user account, a cryptographic key pair called public key and private key would be generated. The private key shall be residing within the device (security key) and never leaves the device. The public key shall be provided to the web application/online system, where user account is maintained. Along with the keys, the user information with relying party (website URL) shall be stored on the security key.
While login, the ‘security key’ sends the information to browser with list of account(s) registered for the relying party (website), the data being encrypted with the private key on the device and sent to the server via browser. Server decrypts the content with user public key and provides authentication.
Microsoft’s Passwordless Solutions
Microsoft’s passwordless solution will enable the strong authentication through FIDO2 security keys. The FIDO2 security key will work on Windows 10 Pro operating system platform, and online Microsoft accounts through the Microsoft Edge browser. User can use the security key to sign into their Azure AD joined windows 10 systems and get SSO to their cloud and on-premises resources.
ThinC-AUTH passwordless authentication
Highly secure passwordless authentication is always achieved through the FIDO2 certified hardware security keys. Ensurity’s ThinC-AUTH is FIDO2 certified biometric security key. ThinC-AUTH has been approved by Microsoft and is listed as one of the few recommended FIDO2 security keys.
Register Ensurity ThinC-AUTH security key on Microsoft Azure AD
Pre-requisite
- Ensurity ThinC-AUTH is assigned to user and configured with user biometrics
- Azure AD user with enabled MFA (Multi-Factor Authentication)
Register
To perform passwordless authentication on Microsoft Azure, follow the steps listed below:
- Login to Azure portal
- Go to user Azure account security settings
- Click on “Add method”
- Choose “Security Key” option from the dropdown and click “Add”
- Choose security key type as ‘USB’ for Ensurity ThinC-AUTH
- Connect the ‘ThinC-AUTH security key’ and click on “Next”
- When prompted with “Touch your security key” message and LEDs blink on the ThinC-AUTH, touch the security key biometric sensor with enrolled fingerprint
- The newly added security key shall be displayed in the list of security methods
Passwordless authentication on Microsoft Azure AD
Pre-requisite
- Ensurity ThinC-AUTH is assigned to user and configured with user biometrics
- ThinC-AUTH registered as security key for the user account
Passwordless Authentication
To perform passwordless authentication on Microsoft Azure AD, follow the steps listed below:
-
Open Edge browser and access Azure portal website
- Enter username
- Sign in with a security key
- Microsoft Azure login page displayed with following options
- Click “Sign in with a security key”
- When prompted with “Touch your security key” message and LEDs blink on the ThinC-AUTH, touch the security key biometric sensor with enrolled fingerprint
-
User logged in with registered account
- When multiple user accounts are registered with same security key, a list of accounts will pop-up and user shall choose an account to log in
Conclusion
Passwords are vulnerable to attacks and painful to remember. Using Ensurity ThinC-AUTH biometric security key, any FIDO2 supported server shall be able to provide passwordless authentication to users. Microsoft Azure AD is one of the initial FIDO2 supported service, where seamless and secure passwordless authentication experience is extended to users.
Join with us to provide secure and seamless user experience with Ensurity ThinC-AUTH security key for a complete passwordless authentication.
Archives
April2020
March2020
