Passwordless strategy in HKUST (Pilot)

Background

In the 2020 Fall issue of Channel, we introduced our Single Sign-On and Passwordless Strategy. Here are the details.

  • Why Passwordless
    • Passwords are inconvenient, especially when a complex combination is required
      • a long password is hard to remember
      • a password with non-alphabetic characters is difficult to type, especially on a mobile device
    • Security weakness: a password is exposed to attack because you type it on many different devices and on many occasions, increasing the chance of it being eavesdropped
    • It needs to be coupled with 2FA to make the authentication process secure, which makes login cumbersome
    • Overall, passwords are costly for both users and IT support

Implementation in HKUST

Microsoft has already implemented Passwordless in most of their cloud services. Below are some examples. ITSC is now supporting these services for advanced users (Pilot).

O365 Login using Microsoft Authenticator APP

  Introduction
    • Microsoft Authenticator is a security APP for Passwordless. In the rare situations where passwordless login is not supported, the process falls back to password and 2FA.
  Usage Scenarios
    • Login to Exchange Online, Office Web App, OneDrive, Teams, etc. with a simple TAP on your mobile, usually with the added security of biometric verification with a fingerprint
  Getting Started
    • Using Passwordless Sign in with Microsoft Authenticator
  Note
    • After you register the Microsoft Authenticator APP, you can email ITSC (cchelp@ust.hk) to request an exemption from doing 2FA again with DUO.
    • The above only works for Office365 logon. HKUST authentication via CAS (for ERP applications and most web access) still makes use of password and DUO 2FA. We expect CAS will support the same passwordless scheme very soon.

Windows 10/11 Login using Windows Hello for Business

  Introduction
    • Windows Hello for Business replaces the password to provide secure access to Windows 10/11, using either Biometric or PIN
    • It needs to be set up separately for EACH of the Windows machines you may access
  Usage Scenarios
    • Safe login to your dedicated PC without the risk of typing a password
    • It has the extra benefit of allowing Single Sign-On to Office when using common browsers including Edge/Chrome
  Requirements
    • Must register the PC under Intune desktop management with AAD or Hybrid domain join
    • Biometric sensors are not mandatory since a PIN can be used
    • You may be required to register for Microsoft Multi-factor Authentication (MFA) by installing the MFA APP or registering your mobile for SMS.
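The Windows Hello for Business requirements above depend on the PC's join state (Azure AD or Hybrid Azure AD joined). The following PowerShell script is an added example, not an ITSC or Microsoft tool, that reads the join and Hello provisioning state reported by the built-in `dsregcmd /status` command so a pilot user or support staff can check eligibility before enrolling. It assumes the standard "Name : Value" layout of the dsregcmd output and the field names AzureAdJoined, DomainJoined and NgcSet that the command prints.

```powershell
# Added example (not ITSC's own tooling): inspect the device join state and
# Windows Hello for Business provisioning state that dsregcmd reports.
# Assumption: `dsregcmd /status` prints lines in the form "Name : Value".

function Get-DsregState {
    # Parse every "Name : Value" line into a hashtable keyed by Name.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-WhfbReadiness {
    param([hashtable]$State = (Get-DsregState))

    $azureJoined  = $State['AzureAdJoined'] -eq 'YES'
    $domainJoined = $State['DomainJoined']  -eq 'YES'
    # NgcSet is YES once a Hello key has been provisioned for the current user.
    $ngcSet       = $State['NgcSet']        -eq 'YES'

    if ($azureJoined -and $domainJoined) { $joinType = 'Hybrid Azure AD joined' }
    elseif ($azureJoined)                { $joinType = 'Azure AD joined' }
    elseif ($domainJoined)               { $joinType = 'On-premises domain joined only (not eligible)' }
    else                                 { $joinType = 'Not joined' }

    [pscustomobject]@{
        AzureAdJoined        = $azureJoined
        DomainJoined         = $domainJoined
        JoinType             = $joinType
        HelloProvisioned     = $ngcSet
        MeetsJoinRequirement = $azureJoined   # AAD or Hybrid join is required for WHfB
    }
}

Test-WhfbReadiness | Format-List
```

Run it in a normal (non-elevated) PowerShell session on the PC to be enrolled. MeetsJoinRequirement reports only the join condition; Intune enrollment itself must still be confirmed separately, and HelloProvisioned turning to True after setup is the sign that the Hello key was created for your account.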

Conclusion

  • ITSC will be extending the scope of Passwordless to support CAS logon very soon. We expect users to be able to enjoy a seamless passwordless experience. A password will only be needed on very rare occasions.
  • MFA passwordless is positioned as an alternative to DUO 2FA, providing the same level of security protection with better convenience.
  • Users who want to avoid typing a password repeatedly for non-HKUST applications may consider third-party password manager tools such as LastPass and macOS Keychain. When using these tools, you should secure your master password with 2FA.