Passwordless Authentication

Caveats:

  • Cannot disable passwords entirely. There is no method to fully disable passwords, but may be able to enforce very long randomly generated passwords for users on a rotation to be used when absolutely necessary. Some legacy authentication may require passwords.
  • To use Duo as Passwordless provider, would have to federate M365 to Duo as the Identity Provider (IdP) which is not an ideal solution.  Would likely need to use Microsoft Authenticator for mobile MFA or NFC enabled security keys
  • Does not work for RDP, server sign in
  • Devices must be Entra ID or Hybrid joined
  • If Security Key is lost or damaged, need a backup plan to allow authentication
  • Will require us to more strictly enforce Intune enrollment and device restrictions
  • Thin Clients will have to be changed to Windows and Igel OS removed -- Igel OS does not support FIDO2 and SSO for Azure Virtual Desktop
    • Eliminates ongoing cost of Igel OS licensing
    • Eliminates Fabulatech webcam redirection requirement and licensing
    • Microsoft 365 Business Premium grants users licensing for Windows 11 Pro, no need to purchase Windows licenses for these devices as they will be Intune managed and Entra ID joined. 

Components:

  • A Kerberos server object must exist in both Entra ID and on-prem AD in order to allow sign-in to Windows 10/11 devices: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises
  • Thin clients will be Intune joined and a variety of Intune policies and profiles have been created to facilitate securing and configuring these devices centrally:
    1. CIM Thin Client Profile (Configuration)
      • Enables FIDO2 security key option for Windows sign in
    2. CIM Thin Client Policy (Compliance Policy)
      • Bitlocker required
      • Require encryption of data storage on device
    3. CIM Thin Client Bitlocker (Endpoint Security | Disk Encryption)
      • Sets encryption method to XTS-AES-256
      • Sets encryption type to Full Encryption
    4. CIM Thin Client Baseline (Windows 10 Security Baseline)
      • There are a lot of settings with this, but its all of the security recommendations for Windows 10+ provided by Microsoft.
    5. CIM Thin Client Account Protection (Endpoint Security | Account Protection)
      • Disable Windows Hello for Business
      • Enable security keys for sign-in
    6. CIM Thin Client LAPS (Endpoint Security | Account Protection)
      • Backup password to Azure AD
      • 30 day rotation
      • Max complexity
      • 32 char length
    7. CIM Thin Client Local Users (Endpoint Security | Account Protection)
      • Replace local admins with CIM IT admin accounts
  • Azure Virtual Desktop SSO
    1. Configure host pools to use Single Sign-On. Once a user authenticates to their thin client using security key MFA, SSO will automatically authenticate their session to the global feed, workspaces, and host pools allowing users to seamlessly log into their AVD sessions.
  • Yubikey Bio
    1. Users must configure their security keys, there is no method for admins to provision these on behalf of users.
    2. Needs a Yubikey application to add biometrics to the device
    3. A thorough and clear guide will need to be created to allow users to enroll their security keys
  • Yubikey NFC (Near Field Communication)
    1. May require combination of security key + duo for second factor
    2. Replaces biometrics – there is no biometric security key with NFC made by Yubico
    3. Can possibly be used for authentication on mobile without need for Microsoft Authenticator
    4. May be difficult to set up for users, needs testing to see how NFC works in this regard.

Conditional Access:

  • Will use a variety of thoroughly planned Entra ID Conditional Access policies to enforce device, location, and auth method restrictions for accessing resources using security keys and other passwordless methods
    1. Require Passwordless MFA Mobile (Microsoft Authenticator)
      • Compliant Device
      • Auth method Microsoft Authenticator
      • Restricted to Android, iOS, Windows Mobile
    2. All policies related to M365 services will need either Phishing Resistant Passwordless MFA or Passwordless MFA as a condition in order to enforce the passwordless authentication type, which will need thorough testing


NIST 800-63:

  • IAL3 as determined by following section 6.1 of the SP 800-63-3 guidelines
    • At IAL3, in-person identity proofing is required. Identifying attributes must be verified by an authorized CSP representative through examination of physical documentation as described in SP 800-63A
  • AAL3 as determined by following section 6.2 of the SP 800-63-3 guidelines
    • AAL3 provides very high confidence that the claimant controls authenticator(s) registered to the subscriber. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 is like AAL2 but also requires a “hard” cryptographic authenticator that provides verifier impersonation resistance.
  • FAL N/A as we are not federating