Passwordless, are we there yet? Even though Passwordless means different things to different people, in my interpretation of user initiated password obsolescence I’ve minimised typing passwords as much as possible. In this post I’ll detail how.
You don’t need to wait for your organisation to start promoting and urging you to go passwordless. In my experience the majority of larger enterprises have the capabilities already enabled. As an end user you will need a few items to make life seamless and go passwordless yourself.
Late last year (2021) I started with a new employer. I was issued a new managed laptop and was provided my UserID and initial Password all remotely … because 2021. This was the first time I’d had a company-issued device in over 6 years. I decided, before I even unboxed it, that I was going to experiment with the challenge of only ever typing my corporate identity password once (i.e., that very first login).
My primary goal logging in the first time was to proof-up my profile with additional authentication mechanisms, change my password and never type it again.
Ideally rather than being issued an initial password the new preview feature “Azure Temporary Access Pass” could have been used.
On my newly issued Windows 10 laptop, my first logon and additional authentication methods enrolment process went like this.
So far, I had typed my new corporate identity account password once, just for that initial login. I had previously created an entry for the account in 1Password and used copy and paste from the notification that gave me the initial password. BUT the one omission from the above process is BitLocker, that important but annoyingly independent and isolated BIOS- and OS-driven hard-drive encryption. There is no way around that, but that password is also in 1Password and is only required on restart, which is rare and usually after patch updates.
Now that my Windows 10 laptop and my Azure Active Directory (and subsequently Active Directory) accounts were enrolled and secured it was time to configure my mobile phone to allow access to my Microsoft Exchange Online mailbox (via Outlook for iOS) and Teams for meetings and chat.
I already had 1Password on my mobile phone, so I knew it had the new password for my Azure AD account. Adding my new Exchange inbox to Outlook on mobile and signing into Teams triggered the MDM enrolment process. I simply had to set a PIN for the apps even though authentication would be with FaceID. Naturally I stored the PIN in 1Password. The PIN is used as a fallback for biometrics (if FaceID fails). Needless to say, I’ve never entered the PIN.
Each day I unlock my laptop using Windows Hello and my laptop’s webcam. Each time I walk away from my laptop I lock it using Win + L, or it auto-locks when my mobile phone’s Bluetooth connection disconnects. The laptop auto-locks using the Windows 10 Dynamic Lock feature (see the Account Protection settings below). Each month when prompted to change my password I change it using Azure AD change password (under My Account in Azure AD). I do it this way because it uses my browser with the 1Password extension, so I don’t need to know or type the current password to set a new one. The new one is also auto-generated and populated by 1Password.
If I’m logging into an application that isn’t directly integrated with Azure AD for SSO and I’m presented with the Azure AD login window, I use the “Sign in with Windows Hello or a security key” option. As a fallback I could use the FIDO2 token, but the Windows Hello camera fires up and I’m in.
When using my mobile phone with Outlook or Teams these applications auto-unlock using the iPhone FaceID.
In addition to Account Protection on Windows 10 and above, I recommend enabling Dynamic Lock. By pairing your mobile phone with your Windows 10/11 machine using Bluetooth you can then enable Dynamic Lock. This setting automatically locks your PC when you move away from it with your mobile phone. You should of course use the Win + L shortcut to lock your PC, but if you forget, this is a good fallback. Enable it under Windows Security => Account protection.
Also located under Account Protection is where you set up Windows Hello, as I did after my first sign-in.
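The Dynamic Lock toggle above is per-user and only does anything when a paired Bluetooth device is present. The following PowerShell script is an added example (not from the original post) that audits the setting, turns it on if needed, and lists the Bluetooth devices Windows can currently see; it assumes the `EnableGoodbye` DWORD under the current user’s Winlogon key is the value behind that UI toggle.

```powershell
# Added example, not part of the original post: audit and enable Windows Dynamic Lock
# for the current user, then confirm a paired Bluetooth device (your phone) is present.
# Assumption: the per-user 'EnableGoodbye' value under the Winlogon key is the switch
# behind the Windows Security => Account protection => Dynamic Lock checkbox.

$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-DynamicLockState {
    # Returns $true when Dynamic Lock is enabled for the signed-in user.
    $item = Get-ItemProperty -Path $winlogon -Name 'EnableGoodbye' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return [bool]$item.EnableGoodbye
}

function Enable-DynamicLock {
    # Writing 1 here is equivalent to ticking the Dynamic Lock checkbox in the UI.
    New-ItemProperty -Path $winlogon -Name 'EnableGoodbye' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-PresentBluetoothDevices {
    # Dynamic Lock needs a paired, connected Bluetooth device; this lists what Windows sees.
    # Note: the Bluetooth PnP class also includes the local adapter, not just paired phones.
    Get-PnpDevice -Class Bluetooth -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'OK' } |
        Select-Object FriendlyName, InstanceId
}

if (-not (Get-DynamicLockState)) {
    Write-Host 'Dynamic Lock is off; enabling it for the current user.'
    Enable-DynamicLock
}
Write-Host ("Dynamic Lock enabled: {0}" -f (Get-DynamicLockState))

$devices = Get-PresentBluetoothDevices
if (-not $devices) {
    Write-Warning 'No Bluetooth device detected; pair your phone in Windows Settings first.'
} else {
    Write-Host 'Bluetooth devices currently present:'
    $devices | Format-Table -AutoSize
}
```

Run it in a normal (non-elevated) PowerShell session as the user who signs in to the laptop, since the setting lives under HKCU; a sign-out and sign-in makes sure Winlogon picks up the change.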
Whilst not completely passwordless in the strictest sense, I haven’t typed my Azure AD account password since the very first login. In the strictest sense a Temporary Access Pass could have been issued, and phishing-resistant methods of authentication set up and used exclusively. Technically there is a password on my account and my password manager knows what it is, but through biometrics it never gets used. There is also the BitLocker password on the laptop that needs to be typed about once a month after Windows restarts.
On my phone everything is FaceID driven (phone unlock, opening MDM-protected applications, and unlocking the authenticator). On my laptop everything is Windows Hello or biometric-token driven. Other than using 1Password to retrieve the account password to change it each month, it never gets retrieved.
From a user-driven user-experience point of view it is very passwordless. I don’t know what my password is and will never have to type it.