Passwordless Authentication

for Windows Login

Challenge/ Situation

Many organizations conclude that protecting their MS Windows logon with just a password is no longer sufficient. Persistent attacks are driving organizations to increase their defenses on the endpoint, which can be used as an entry point for ransomware attacks, amongst other things. Protecting the endpoint login with MFA (Multi-Factor Authentication) for accounts with administrator or system privileges is fast becoming a standard requirement to obtain or maintain cyber security insurance
.

This applies not only to local Windows login but also to Windows remote desktop (RDP) and virtual desktop (VDI) login. Some organizations look to their Identity & Access Management (IAM) providers for an MFA solution. But often find that, while these solutions provide a convenient single sign-on (SSO) portal for remote applications, including RDP, they
need an integrated solution to protect the local endpoint. They are adding another authentication solution to the mix to address the endpoint authentication risks creating silos of authentication solutions, especially when multiple operating systems (i.e., Windows, Mac, and Linux) must be considered.

Ideally, organizations need one integrated solution that provides passwordless MFA from OS login to the user’s remote applications, including RDP. The solution needs to be flexible enough to accommodate the organization’s particular needs and provide a consistent user experience regardless of the method used for authentication. It should not burden the user by requiring them to authenticate multiple times. For example, authentication with MFA to get into the local device, then authentication to the VPN with MFA, and finally, MFA into RDP could be a better user experience. Not one size fits all for users. Many solutions require phones with Push, OTP, or SMS (which most will be depreciated). Some users might not be able to use phones at all (or have other hardware limitations) and cannot easily deploy the solution within their organization. For example, governments and other agencies may require PIV cards, or others have a mandate to eliminate passwords. Some avoid phones, while others embrace them as the authentication device but require phishing resistance as part of their zero-trust strategy. It is a big challenge to find one solution with the flexibility and options to match the organization’s needs and provide users with a consistent user experience for all authentications.

RDP and VDI Log In

Most of the problems with setting up RDP for remote work involves making sure the connection is secure over the public internet. RDP is not a secure setup and therefore requires additional security measures to protect workstations and servers. In many cases, servers with RDP public access to the internet have failed to enable MFA. An attacker who compromises a user account by phishing the password or exposing a weak or reused password through a brute force attack can easily gain access to a user’s workstation via RDP. To mitigate this, many organizations do not expose RDP to the internet. Remote users are first required to connect to theinternal network via a VPN with MFA. It is a good first step, but from a Zero Trust perspective, someone on the internal network should not be more trusted than someone coming in from the internet. “A key tenet of a zero trust architecture is that no network is implicitly considered trusted” https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf. Also, it doesn’t meet the cyber security insurance requirement of MFA for
endpoints with admin privileges.

For VDI, the situation is very similar to that of Windows login.

Solution

WinMagic has the broadest set of choices for your Windows authentication to match your organization’s needs for moving to
Passwordless:

  • Phone Authenticator via Bluetooth Low Energy (BLE)
  • Trusted Platform Module/ Personal Identification Number (TPM/PIN)
  • Phone Authenticator via Network /IdP
  • Smartcard/Personal Identity Verification (PIV) Cards
  • USB Token (e.g. Yubikey)

These same methods can also be employed for pre-boot login if you use Full Disk Encryption, providing a consistent user experience. Better yet, once the user is authenticated to the endpoint, MagicEndpoint can provide “no user action” authentication to remote services seamlessly, directly, or as a delegated authentication service to your IAM

Check out the simplicity of MagicEndpoint Windows Authentication.

Passwordless Authentication for Windows Login

MagicEndpoint allows organizations to enable Windows logon by providing the tools to easily deploy and use
authentication that best suits their users.

Here is a summary of our solutions:

 Passwordless Phone Use Cases:

Passwordless Phone Authenticator via Bluetooth Low Energy (BLE)
For organizations that issue phones to employees and prefer this device for authentication, but are phasing out SMS, OTP, and Mobile Push because they are not phishing resistant, a BLE (Bluetooth Low Energy) mobile phone authenticator is a good choice. Unlike Out of Band (OOB) mobile authenticators, the BLE mobile authenticator locally communicates to the endpoint device and requires proximity to work. This proximity provides a strong association between the authenticator and endpoint to resist phishing. MagicEndpoint phone-based authenticator authenticates to the laptop via Bluetooth to provide the high-assurance, cryptographically enforced, MFA Passwordless login to the endpoint. Users don’t have to enter anything on the endpoint for a truly passwordless experience.

Passwordless Phone Authenticator with Network/IdP
For organizations that issue phones to employees and prefer this device for authentication but can’t use Bluetooth, MagicEndpoint supports mobile push at Windows Login for a consistent user experience.

 TPM/PIN Use Case:

The TPM hardware on the device itself is a good option for organizations that find external tokens and devices hard to manage. Users log into Windows using the TPM with a local PIN, and Windows Login is protected by the TPM and can be configured for SSO. The TPM PIN is local and cannot be attacked remotely, and TPM also provides hardware-based anti-hammering protection.

 Smart Cards, USB Tokens and PIV Card Use Case:

For organizations mandated to use Smart Cards, USB Tokens and PIV Cards for access control, users access Windows using their hardware tokens. Windows Login is protected by the hardware token and can be configured for SSO for the best user experience.

 MFA for IAM Solutions Use Case:

MagicEndpoint offers IAM solutions, like Okta, integration for Windows login.
Click here to watch MagicEndpoint PBA with Okta.

MagicEndpoint from WinMagic is the passwordless authentication solution that protects access by focusing on the endpoint, for the user. It requires no user action, and no third-party devices or keys, so it’s seamless, secure and virtually invisible.

Authenticate. Encrypt. Achieve.