Microsoft says enterprises can now roll out the use of security keys at scale, as it launches a public preview of FIDO2 security key support in Azure Active Directory (AD). The move is a major step towards a passwordless enterprise environment. (Azure AD is Microsoft’s identity and access management platform).

Security keys are available in a range of form factors, but commonly come as small USB key fob that creates a public and private key when registered. The private key can only be unlocked using a local gesture such as a biometric or PIN. Users have the option to either sign in directly via biometric recognition—such as fingerprint scan, facial recognition, or iris scan—or with a PIN that’s locked and secured on the device.

Microsoft Security Key Support 

The move will be welcomed by many businesses concerned at the growing ease with which passwords can be brute forced, or otherwise compromised: that is if they have not been stolen in a data breach already.

An estimated 81 percent of successful cyberattacks begin with a compromised username/password and there is no shortage of those in the wild: https://haveibeenpwned.com lists 551,509,767 real world passwords previously exposed in data breaches.

Alex Simons, a VP in Microsoft’s Identity and Security department, said the company has also “turned on a new set of admin capabilities in the Azure AD portal that enable you to manage authentication factors for users and groups in your organization.”

This currently lets admins use either security keys or Microsoft’s Authenticator application for authentication. (The latter is a Microsoft app that lets employees augment a password with a one-time passcode or push notification; instead of using a password, users confirm their identity using mobile phone through fingerprint scan, facial or iris recognition, or PINfor authentication.)

Simons added: “You’ll see us add the ability to manage all our traditional authentication factors (Multi-Factor Authentication, OATH Tokens, phone number sign in, etc.). Our goal is to enable you to use this one tool to manage all your authentication factors.”

Microsoft has tested five FIDO2 (an industry security standard)-certified security keys and has active promotions ongoing with three: Yubico, HID and Feitian Technologies; they offer a range of form factors, including biometric devices and USB security keys.

(Yubico, for example, is offering complimentary YubiKey Starter Kits to “organizations with Microsoft 365 customers who are interested in beginning their passwordless journey.” This includes two multi-protocol YubiKeys. Feitian is offering the first 500 Microsoft-referred clients a 30 discount on its biometric keys.

As Microsoft added in a whitepaper: “It’s common practice for IT to attempt lessening password risk by employing stronger password complexity and demanding more frequent password changes. However, these tactics drive up IT help desk costs while leading to poor user experiences related to password-reset requirements. Most importantly, this approach isn’t enough for current cybersecurity threats and doesn’t deliver on organizational information security needs.”

See also: Android Security Keys: Now you can Hold 2FA Keys on Your Smartphone