Microsoft Brings Passkeys, Bad Code Protection to Windows 11
Windows 11 Now Offers Passwordless Authentication, Config Refresh, Policy Control

Microsoft updated Windows 11 on Tuesday to simplify passwordless adoption, protect against malicious code and add the ability to refresh configuration in the event of tampering.
The Seattle-area software and cloud computing giant said enhancements to the Windows 11 operating system will allow users to replace passwords with passkeys to prevent hackers from exploiting stolen passwords through phishing attacks. Passkeys create a unique, un-guessable cryptographic credential that's stored on the user's device, and Microsoft said it is promoting passkeys as part of the FIDO Alliance (see: Apple, Google, Microsoft Unite to Make Passwordless Easier).
"Instead of using a username and password to sign in to a website or application, Windows 11 users will be able to use and protect passkeys using Windows Hello or Windows Hello for Business on their phone," David Weston, vice president of enterprise and OS security at Microsoft, wrote in a blog post. "This will enable users to sign in to the site or app using their face, fingerprint or device PIN."
A Future Without Passwords
Going forward, Weston said, website or application owners will be able to create a passkey and offer it to users as a sign-in option instead of their password. Passkeys on Windows 11 will work on multiple browsers including Edge, Chrome and Firefox, Weston said. Microsoft declined to make Weston available to Information Security Media Group for additional comment.
Once users create a passkey on their device, the website or app in question will automatically recognize that they have a passkey the next time they attempt to sign in. Users of Windows Hello or Windows Hello for Business will be able to use their face, PIN or fingerprint to sign in more easily, or complete the application sign-in from their phone by scanning a QR code, Weston said.
In addition, organizations that have Windows 11 devices and passkeys can help protect user identities by eliminating the need to use passwords from day one. The organization's IT department can now set a policy for machines with Microsoft Entra ID - formerly known as Azure Active Directory - so users no longer see the option to enter a password when accessing company resources, according to Weston.
Once the policy is set, Weston said, Microsoft will remove passwords both for device unlock as well as in-session authentication scenarios, meaning that users can navigate through their core authentication scenarios using strong, phish-resistant passkeys. If necessary, users can take advantage of recovery mechanisms such as PIN resets or web sign-in, he said (see: Microsoft Exec on Why FIDO Authentication Beats Certificates).
Protecting Applications and Systems From Bad Actors
Outside of passwords, Microsoft has doubled down on application control to prevent unwanted or malicious code from running by only allowing approved or trusted applications onto devices. Firms using Windows 10 and above continue to have access to application control, while companies using Microsoft Intune to manage their devices can now configure application control in the administrative console.
Finally, Microsoft now allows users to reset Windows 11 devices every 90 minutes by default - or every 30 minutes if desired - using configuration refresh, ensuring that organizations retain their settings in the way IT configured them. The refresh means companies can revert their policies to a secured state if they've been disrupted by potentially unwanted applications or users tampering with the registry.
So that help desk technicians can support their teams more efficiently, Weston said, IT administrators can pause configuration refresh for a specified period of time, after which it is automatically re-enabled. IT administrators can also turn configuration refresh back on at any time. The tool is currently available to members of Microsoft's software testing program and is coming soon to all organizations.