Passwordless strategy in HKUST

ITSC introduced Passwordless Strategy in 2020 Fall issue of Channel and it went pilot in late 2021. For users that are interested, you can now opt-in to try passwordless authentication.

Besides, we have recently extended the scope of Passwordless authentication to CAS logon (or SSO) and users are able to enjoy a seamless passwordless experience.  Password will only be needed in very rare occasions. Passwordless is positioned as an alternative to DUO 2FA, providing same level of security protection with better convenience. See below reasons why password-based authentication is obsolete:

  • Password is inconvenient, especially if complex combination is required
    • long password is hard to remember
    • non-alphabet password is difficult to type, especially when using mobile
  • Security weakness - easily being attacked because you type it on many different devices and in many occasions, increasing the chance of being eavesdropped
  • Need to be coupled with 2FA to make the authentication process secure, making it cumbersome
  • Overall, it is costly for both users and IT support

Implementation in HKUST

ITSC implemented Passwordless using Microsoft technology in the following services.

  Browser-based SSO (CAS logon) using Microsoft Authenticator APP Window 10/11 Sign On using Window Hello for Business (WHFB)
Introduction Microsoft Authenticator is a mobile app for Azure MFA and Passwordless.  In a situation if the Authenticator app cannot be used or network is not available, the login flow can fall back to password and MFA.
  • Window Hello for Business replaces password to provide secure access to Window 10/11, using either biometric or pin
  • It needs to be set up separately for EACH of the Window devices you may access
Usage Scenarios Sign on CAS and Office 365 apps with your mobile only, usually with the added security of biometric verification available in your mobile device
  • Safe login to your personal devices without the risk of typing password
  • Allows SSO to native Office 365 app and browser apps with Edge/Chrome/Firefox browser
  • Biometric sensors are optional as PIN can be used
  • You are required to register Azure MFA by installing the Microsoft Authenticator App or registering your mobile for SMS which are used to reset Windows Hello PIN or Biometric if necessary
Getting Start