Session: BRK2333
This session focused on the new Microsoft Passport that is shipping with Windows 10 and Server 2016. This is different from the legacy “Passport” service that Microsoft used for past online services. These features are NOT available in down-level versions of Windows, such as Windows 8 or 7.
- Passwords are bad
- More than 2 billion people online in the world
- Shared secrets are easily breached, stolen or phished
- Introducing Microsoft Passport: Replace passwords with a private key (via PIN, Windows Hello, remote device, etc.)
- Windows 10 ships with 2 flavors of Passport: Support for both local passport and Passport2Go.
- User experience must be at least as good as passwords
- Based on certificate or asymmetrical key pair
- Public key of Passport is mapped to a user account
- Keys will ideally use those generated by TPM first, then software as a last resort
- Hardware-bound keys can be attested
- Single “unlock gesture” provides access to multiple credentials origin isolated
- Browser support via JS/Webcrypto APIs
- Can deploy via cloud/Azure or on-prem. On-prem will require using ADFS locally.
- You can do “passwordless” mode where the stored password is deleted (good for high privileged accounts)
- For on-prem you will need AD DS 10, AD FS 10, and optional PKI infrastructure
- Can use strong biometric authentication with ‘live-ness’ and anti-spoofing technology
