Going Passwordless, Sort Of
So, you have Windows 10 set up with Microsoft 365 Azure cloud, or you have Microsoft Hello set up, or BitLocker encryption, or all of the above, and you are wondering if there is any way to be even more secure.
Well, here at Fast Assist, we use Duo Security integrated with Azure for multi-factor authentication. Fast Assist is a Duo Security reseller, and Duo Security brings a lot of security enhancements. With Duo Security, our staff cannot use devices that don’t meet minimum security requirements to access our Microsoft 365 tenant. This means that they must also have local admin rights on the device that they are signing in from. You can accomplish this with Microsoft Intune as well if you have a Microsoft 365 Business Premium or higher-tier license, but Duo Security goes beyond Microsoft 365: it supports many cloud applications natively and also makes for an excellent OTP token MFA app for cloud services that don’t have an API yet.
In addition to Duo Security, we have also been testing YubiKeys in conjunction with Duo Security. A YubiKey is a piece of hardware that works kind of like a smart card but allows for multiple methods of digital authentication. There is even a biometric version of the YubiKey on its way into production.
The YubiKey goes on your key chain and stays in your control. When you need to authenticate, you plug it into a USB, USB-C or Lightning port, depending on the YubiKey. Some YubiKeys support more than one type of port.
With my own YubiKey, I now have Bitwarden and Microsoft Hello configured with a password/PIN code that is a combination of characters that I type in by hand from memory plus a long string of characters generated by my YubiKey. This method uses a static, automatically generated code stored on slot 2 of the YubiKey. This means that the YubiKey by itself doesn’t get you into my devices.
Slot 1 of the YubiKey is used for authentication with things like Duo Security. The code it generates is not static. It is completely random each time the YubiKey is used. Depending on what I am authenticating with, I will either tap or long tap my YubiKey. A short tap accesses slot 1 and a long tap accesses slot 2.
The YubiKey I have is a FIPS YubiKey. There is also an NFC model. The NFC or other specific models are required if you want to use Microsoft’s 100% passwordless authentication using a security key such as the YubiKey. So you need to do some research before purchasing just any YubiKey.
With Duo Security you can control which methods of multi-factor authentication your end users can use. For example, you can restrict the use of SMS or OTP authentication and require something like the YubiKey instead. We require biometric input on some of our resources.
So the answer is yes, there are many options to increase the robustness of your identity management and authentication.