Goodbye Passwords: Windows 10 Passport

In this Ask the Admin, I'll take a look at Windows 10 Passport and how it works with Windows Hello to provide a secure but convenient way to access Windows, third-party applications and services without having to remember dozens of passwords.

Microsoft claims that Windows 10 will eliminate the use of passwords, and several new components help users towards a password-free life, which in turn removes the shared secret that phishing and brute-force attacks depend on. Much of this depends on third-party support, of which there is little at the moment beyond enterprise services that use Azure Active Directory (AAD). But it's still early days for Windows 10, and with the Fast IDentity Online (FIDO) Alliance on board, non-Microsoft services have a standards-based route to adopting Windows 10 Passport.

How does Windows 10 Passport work?

Instead of sharing a password with applications and services, Passport authenticates users with a certificate or an asymmetric public/private key pair that's generated as part of a two-factor enrolment process; only the public half (or the certificate) is ever shared. Passport works with Identity Providers (IDPs) such as Azure Active Directory (AAD) or Windows Server 2016 Active Directory, although enterprises wishing to use certificate-based Passport won't need to upgrade Active Directory if there's already a Public Key Infrastructure (PKI) in place.

Create a work PIN. (Image Credit: Microsoft)

The public key that's generated during sign-up is sent to the IDP and associated with the user's account. The private key is unlocked with a user gesture, which can be biometric authentication using Windows Hello, a PIN, or a remote device such as a phone.

TPM-protected keys

When a user wants to authenticate, the IDP sends a challenge to the client and waits for a response signed with the user's private key; because the challenge is fresh for each attempt, a captured response can't be reused. The private key never leaves the device, and if a Trusted Platform Module (TPM) 1.2 or 2.0 is present, the keys are generated inside and protected by the TPM.

Keys can also be hardware-attested: when an attestation statement is present, the IDP can be sure the key was generated in a TPM and apply different access policies based on that knowledge. Policy can also prevent Windows from falling back to software-based key generation when no TPM is present, since a software key can't provide the same level of protection. If a device is stolen, the TPM's anti-hammering protection locks it after a given number of failed biometric (Windows Hello) or PIN attempts, so the PIN can't simply be brute-forced.

TPM-protected keys are stored in containers, and a default container is created when a user sets a PIN for their Microsoft account. Third-party IDPs can also use the default container, with each IDP's keys isolated from the others. A work PIN, or a different gesture, can also be set to unlock a dedicated enterprise container, allowing organizations to apply Mobile Device Management (MDM) policies, using Intune or a third-party MDM provider, to the enterprise container alone, so that the keys protecting personal and enterprise data are kept separate.

Token binding

Once a user is authenticated by the IDP, a security token is created that is tied not only to the user but also to the device. This process is known as token binding: the token is cryptographically tied to the device's key, so even if the token is stolen it can't be replayed from a different device.
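The challenge-response exchange, the no-software-fallback policy and the token binding described above, as an added example in Go. This is not Microsoft's code and does not reproduce the Passport wire format; it models the roles so the security properties can be exercised. An IdP enrols a device's public key (rejecting unattested keys when its policy requires a TPM), issues a single-use nonce, verifies the device's signature over it, and mints a token signed over the user name and the device key; a relying party then accepts the token only if the presenter also signs the relying party's own nonce with the bound key. ECDSA P-256 stands in for whatever key type a real deployment uses, the `Attested` flag and `RequireTPM` policy are stand-ins for an attestation statement and the policy that disables software fallback, and the names `Device`, `IdP`, `Token` and `Present` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Device holds a private key that never leaves it (TPM-resident on real hardware).
type Device struct {
	priv     *ecdsa.PrivateKey
	Pub      *ecdsa.PublicKey // the only key material the device hands out, to the IdP at enrolment
	Attested bool             // hypothetical flag standing in for a TPM attestation statement
}

func NewDevice(attested bool) *Device {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return &Device{priv: k, Pub: &k.PublicKey, Attested: attested}
}

// Sign answers a challenge with a DER-encoded ECDSA signature over SHA-256(msg).
func (d *Device) Sign(msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, h[:])
	must(err)
	return sig
}

func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Token is bound to the user and to the device key that answered the challenge.
type Token struct {
	User string
	Pub  *ecdsa.PublicKey
	Sig  []byte // IdP signature over tokenBytes(User, Pub)
}

func tokenBytes(user string, pub *ecdsa.PublicKey) []byte {
	return append(append(append([]byte(user), 0), pub.X.Bytes()...), pub.Y.Bytes()...)
}

type IdP struct {
	Key        *Device                     // the IdP's own token-signing key (Device reused as key holder)
	RequireTPM bool                        // policy: refuse keys that were not generated in a TPM
	users      map[string]*ecdsa.PublicKey // user -> enrolled public key (one per user, for brevity)
	nonces     map[string][]byte           // user -> outstanding single-use challenge
}

func NewIdP(requireTPM bool) *IdP {
	return &IdP{Key: NewDevice(true), RequireTPM: requireTPM, users: map[string]*ecdsa.PublicKey{}, nonces: map[string][]byte{}}
}

// Enroll associates the device public key with the account, subject to the attestation policy.
func (p *IdP) Enroll(user string, d *Device) error {
	if p.RequireTPM && !d.Attested {
		return errors.New("policy: key has no TPM attestation and software fallback is disabled")
	}
	p.users[user] = d.Pub
	return nil
}

// Challenge issues a fresh 32-byte nonce for the device to sign.
func (p *IdP) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	must(err)
	p.nonces[user] = nonce
	return nonce
}

// Authenticate checks the signed challenge against the enrolled key and issues a bound token.
func (p *IdP) Authenticate(user string, sig []byte) (*Token, error) {
	nonce, issued := p.nonces[user]
	delete(p.nonces, user) // single use, so a captured response cannot be replayed later
	pub, enrolled := p.users[user]
	if !issued || !enrolled || !verify(pub, nonce, sig) {
		return nil, errors.New("challenge response rejected")
	}
	return &Token{User: user, Pub: pub, Sig: p.Key.Sign(tokenBytes(user, pub))}, nil
}

// Present is the relying party's check: the token must carry a genuine IdP signature, and the
// presenter must prove possession of the bound key by signing the relying party's own nonce.
func Present(idpPub *ecdsa.PublicKey, tok *Token, rpNonce, pop []byte) bool {
	return verify(idpPub, tokenBytes(tok.User, tok.Pub), tok.Sig) && verify(tok.Pub, rpNonce, pop)
}
```

The two checks in `Present` are what make the binding hold: the IdP signature stops an attacker from swapping their own key into a stolen token, and the proof-of-possession signature stops anyone who only has the token (but not the TPM-resident private key) from using it from another device. Deleting the nonce before verifying it is deliberate: a response that fails is consumed too, so an attacker cannot keep retrying against the same challenge.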

Server Password-Less Mode

If users are able to authenticate to systems using a gesture, you can go one step further and delete passwords from Active Directory. This is especially useful for privileged accounts, such as domain administrators, and provides additional protection against phishing and brute-force attacks.

Passport2Go

When users are not assigned a dedicated workstation or notebook, Passport2Go will allow them to authenticate to any device by unlocking their phone and using the camera to authenticate. This also ensures that passwords are never typed into, or cached on, devices you may not trust, such as a friend's PC.

Phones can also be used as a second factor when two-factor authentication is enabled on a PC, meaning that even if someone discovers your PIN, they won't be able to log in without your phone. Microsoft plans to support this not only on Windows 10 Mobile, but also on Android and Apple iOS.