Microsoft is making a passwordless push with Azure Active Directory.
During a Microsoft Ignite 2021 session Wednesday titled, "Azure Active Directory: our identity vision and roadmap for strengthening Zero Trust defenses in the era of hybrid work," the software giant outlined its strategy to eliminate traditional username and password combinations in favor of more reliable and secure authentication options. Joy Chik, corporate vice president of Microsoft's identity division, introduced new ways to verify identity without the use of passwords. Those include a Temporary Access Pass, digital cards and verifiable credentials. The passwordless security within Microsoft Azure Active Directory, also known as Azure AD, is part of a bigger push for a zero-trust strategy, which Chik said is the right approach for maximum security.
Chik started the session with an overview of the last year when the COVID-19 pandemic forced organizations to prioritize secure access as more people moved to remote work. She also acknowledged the recent SolarWinds supply chain attacks, which Microsoft refers to as Solorigate. During the attacks, threat actors were able to steal existing credentials and create new credentials, which granted them extraordinary access throughout some victim environments.
"Two trends stand out. One -- people need more flexibility as we work, learn and collaborate in a world without perimeters," she said. "Two -- bad actors are getting more sophisticated as they add attack vectors and use them all at once like we just saw with Solorigate."
To adapt to the changes, Chik said a strategy must combine maximum flexibility with maximum security. The zero-trust model replaces reliance on a standard username and password, and on perimeter network security, with other means of authentication, such as device authentication and geolocation, while implementing the principle of least privilege.
"Zero trust makes no assumptions about who you are, or what you're doing. You can design zero-trust defenses around people and the way they work; whether they use phones or consoles," she said during the session.
Passwordless authentication can help organizations set up new hires remotely, without the help of IT, which Chik said is one of the "pandemic era's trickiest scenarios."
That's where the Temporary Access Pass in Azure AD comes in. Remote employees can register using a security key and fingerprint and sign in without passwords. It helps build strong authentication, according to Chik, including for multifactor authentication (MFA).
"To make MFA adoption easier, you can go passwordless. An organization is more secure if everyone has it, not just the admins," she said. "As of today, passwordless authentication is generally available for cloud and hybrid environments. This is a big milestone for us in the industry."
During the session, Inbar Kobrinsky, senior program manager at Microsoft, discussed how the Temporary Access Pass enables authentication and reduces the risk of exposed credentials. "Passwords are one of the most common attack vectors. It is easy to set up a passwordless account using Temporary Access Pass. This is a time-limited password that allows the user to enter password authentication methods and recover access to their account without a password."
The Temporary Access Pass includes digital cards that "represent a new credential that is portable and verifiable," Chik said. The digital cards can be used, for example, within the Microsoft Authenticator app for MFA.
"It uses an open source blockchain solution that no single organization owns or controls, including Microsoft," she said during the session. "It looks like any other digital card in your wallet. Verifiable credentials will revolutionize the way we exchange digital information. We can verify employment information, citizenship and other personal information, in a matter of minutes."
Microsoft's Temporary Access Pass is currently in public preview.