
Passwordless authentication options for Azure Active Directory

Features like multi-factor authentication (MFA) are a great way to secure your organization, but users often get frustrated with the additional security layer on top of having to remember their passwords. Passwordless authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are or something you know.

Authentication | Something you have                        | Something you are or know
Passwordless   | Windows 10 device, phone, or security key | Biometric or PIN

Each organization has different needs when it comes to authentication. Microsoft offers the following three passwordless authentication options that integrate with Azure Active Directory (Azure AD):

  • Windows Hello for Business
  • Microsoft Authenticator app
  • FIDO2 security keys

[Figure: Authentication: security and convenience]

Windows Hello for Business

Windows Hello for Business is ideal for information workers who have their own designated Windows PC. The biometric and PIN credentials are directly tied to the user's PC, which prevents access by anyone other than the owner. With public key infrastructure (PKI) integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a convenient method for seamlessly accessing corporate resources on-premises and in the cloud.

[Figure: Example of user sign-in with Windows Hello for Business]

The following steps show how the sign-in process works with Azure AD:

[Figure: Diagram that outlines the steps involved in user sign-in with Windows Hello for Business]

  1. A user signs in to Windows using a biometric or PIN gesture. The gesture unlocks the Windows Hello for Business private key, and the request is sent to the Cloud Authentication security support provider, referred to as the Cloud AP provider.
  2. The Cloud AP provider requests a nonce from Azure AD.
  3. Azure AD returns a nonce that's valid for 5 minutes.
  4. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to Azure AD.
  5. Azure AD validates the signature on the nonce using the user's securely registered public key. After validating the signature, Azure AD then validates that the returned signed nonce is the one it issued. When the nonce is validated, Azure AD creates a primary refresh token (PRT) with a session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
  6. The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypts the session key and protects the session key using the device's Trusted Platform Module (TPM).
  7. The Cloud AP provider returns a successful authentication response to Windows. The user is then able to access Windows as well as cloud and on-premises applications without the need to authenticate again (SSO).

The Windows Hello for Business planning guide can help you decide on the type of Windows Hello for Business deployment and the options you'll need to consider.

Microsoft Authenticator app

You can also allow your employees' phones to become a passwordless authentication method. You may already be using the Microsoft Authenticator app as a convenient multi-factor authentication option in addition to a password. You can also use the Authenticator app as a passwordless option.

[Figure: Sign in to Microsoft Edge with the Microsoft Authenticator app]

The Authenticator app turns any iOS or Android phone into a strong, passwordless credential. Users can sign in to any platform or browser by getting a notification on their phone, matching a number displayed on the screen to the one on their phone, and then using their biometric (touch or face) or PIN to confirm. Refer to "Download and install the Microsoft Authenticator app" for installation details.

Passwordless authentication using the Authenticator app follows the same basic pattern as Windows Hello for Business. It's a little more complicated because the user needs to be identified first, so that Azure AD can find the Microsoft Authenticator app registration being used:

[Figure: Diagram that outlines the steps involved in user sign-in with the Microsoft Authenticator app]

  1. The user enters their username.
  2. Azure AD detects that the user has a strong credential and starts the Strong Credential flow.
  3. A notification is sent to the app via Apple Push Notification Service (APNS) on iOS devices, or via Firebase Cloud Messaging (FCM) on Android devices.
  4. The user receives the push notification and opens the app.
  5. The app calls Azure AD and receives a proof-of-presence challenge and nonce.
  6. The user completes the challenge by entering their biometric or PIN to unlock the private key.
  7. The nonce is signed with the private key and sent back to Azure AD.
  8. Azure AD performs public/private key validation and returns a token.

To get started with passwordless sign-in, complete the following how-to:

FIDO2 security keys

FIDO2 security keys are an unphishable, standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to use the standard to sign in to their resources without a username or password, using an external security key or a platform key built into a device.

Employees can use security keys to sign in to their Azure AD joined or hybrid Azure AD joined Windows 10 devices and get single sign-on to their cloud and on-premises resources. Users can also sign in to supported browsers. FIDO2 security keys are a great option for enterprises that are very security sensitive, or that have scenarios or employees who aren't willing or able to use their phone as a second factor.

Sign-in to Azure AD with FIDO2 security keys is currently in preview.

[Figure: Sign in to Microsoft Edge with a security key]

The following process is used when a user signs in with a FIDO2 security key:

[Figure: Diagram that outlines the steps involved in user sign-in with a FIDO2 security key]

  1. The user plugs the FIDO2 security key into their computer.
  2. Windows detects the FIDO2 security key.
  3. Windows sends an authentication request.
  4. Azure AD sends back a nonce.
  5. The user completes their gesture to unlock the private key stored in the FIDO2 security key's secure enclave.
  6. The FIDO2 security key signs the nonce with the private key.
  7. The primary refresh token (PRT) request with the signed nonce is sent to Azure AD.
  8. Azure AD verifies the signed nonce using the FIDO2 public key.
  9. Azure AD returns a PRT to enable access to on-premises resources.
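The three flows above (Windows Hello for Business, the Authenticator app and FIDO2 keys) share one challenge-response pattern: the identity provider issues a short-lived nonce, a private key held on the device signs it after the user's gesture, and the provider verifies the signature against the public key registered at enrollment. The Go code below is an added example, not Microsoft's or Azure AD's code; it models that pattern with Ed25519 (an assumption, the page does not name the algorithm) and enforces the checks the flows imply: registered key, single-use nonce, 5-minute lifetime. PRT issuance, transport keys and the TPM are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// NonceLifetime is the validity window the page gives for an Azure AD nonce.
const NonceLifetime = 5 * time.Minute
// IdentityProvider is a simplified stand-in for Azure AD, not Microsoft's implementation.
type IdentityProvider struct {
	Keys   map[string]ed25519.PublicKey // user -> public key registered at enrollment
	Issued map[string]time.Time         // nonce -> issue time; an entry is deleted once used
}

// IssueNonce is the "request a nonce" step: 16 random bytes, valid for NonceLifetime.
func (idp *IdentityProvider) IssueNonce() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand: fills b entirely and never returns an error in current Go
	n := hex.EncodeToString(b)
	idp.Issued[n] = time.Now()
	return n
}

// Validate is the server-side check: the signature must verify against the user's registered
// key, and the nonce must be one we issued, not yet consumed (no replay) and under 5 minutes old.
func (idp *IdentityProvider) Validate(user, nonce string, sig []byte) error {
	// Length guard first: ed25519.Verify panics on a malformed (e.g. missing) public key.
	if pub := idp.Keys[user]; len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(nonce), sig) {
		return errors.New("signature does not verify against the user's registered public key")
	}
	issuedAt, ok := idp.Issued[nonce]
	if !ok {
		return errors.New("nonce unknown or already used")
	}
	delete(idp.Issued, nonce) // single use: a captured signed nonce cannot be replayed
	if time.Since(issuedAt) > NonceLifetime {
		return errors.New("nonce expired")
	}
	return nil
}

// SignNonce is the client side (Cloud AP provider, Authenticator app or FIDO2 key); in the
// real flows the user's PIN or biometric gesture unlocks the private key before this step.
func SignNonce(priv ed25519.PrivateKey, nonce string) []byte {
	return ed25519.Sign(priv, []byte(nonce))
}
```

Note that a failed signature check leaves the nonce unconsumed, so a forged attempt cannot be used to invalidate a legitimate in-flight sign-in.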

While there are many keys that are FIDO2 certified by the FIDO Alliance, Microsoft requires some optional extensions of the FIDO2 Client-to-Authenticator Protocol (CTAP) specification to be implemented by the vendor to ensure maximum security and the best experience.

A security key MUST implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible:

# | Feature / Extension trust | Why is this feature or extension required?
1 | Resident key              | This feature enables the security key to be portable, where your credential is stored on the security key.
2 | Client PIN                | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have a user interface.
3 | hmac-secret               | This extension ensures you can sign in to your device when it's offline or in airplane mode.
4 | Multiple accounts per RP  | This feature ensures you can use the same security key across multiple services like Microsoft Account and Azure Active Directory.

The following providers offer FIDO2 security keys of different form factors that are known to be compatible with the passwordless experience. We encourage you to evaluate the security properties of these keys by contacting the vendor as well as the FIDO Alliance.

Provider                 | Contact
Yubico                   | https://www.yubico.com/support/contact/
Feitian                  | https://www.ftsafe.com/about/Contact_Us
HID                      | https://www.hidglobal.com/contact-us
Ensurity                 | https://www.ensurity.com/contact
TrustKey Solutions       | https://www.trustkeysolutions.com/security-keys/
AuthenTrend              | https://authentrend.com/about-us/#pg-35-3
Gemalto (Thales Group)   | https://safenet.gemalto.com/multi-factor-authentication/authenticators/passwordless-authentication/
OneSpan Inc.             | https://www.onespan.com/products/fido
IDmelon Technologies Inc. | https://www.idmelon.com/#idmelon

Note

If you purchase and plan to use NFC-based security keys, you need a supported NFC reader for the security key. The NFC reader isn't an Azure requirement or limitation. Check with the vendor of your NFC-based security key for a list of supported NFC readers.

If you're a vendor and want to get your device on this list of supported devices, contact Fido2Request@Microsoft.com.

To get started with FIDO2 security keys, complete the following how-to:

What scenarios work with the preview?

Azure AD passwordless sign-in features are currently in preview. The following considerations apply:

  • Administrators can enable passwordless authentication methods for their tenant
  • Administrators can target all users or select users/groups within their tenant for each method
  • End users can register and manage these passwordless authentication methods in their account portal
  • End users can sign in with these passwordless authentication methods
    • Microsoft Authenticator app: Works in scenarios where Azure AD authentication is used, including across all browsers, during Windows 10 Out Of Box Experience (OOBE) setup, and with integrated mobile apps on any operating system.
    • Security keys: Work on the lock screen for Windows 10 and on the web in supported browsers like Microsoft Edge (both legacy and new Edge).

Choose a passwordless method

The choice between these three passwordless options depends on your company's security, platform, and app requirements.

Here are some factors for you to consider when choosing a Microsoft passwordless technology:

Pre-requisite
  • Windows Hello for Business: Windows 10, version 1809 or later; Azure Active Directory
  • Passwordless sign-in with the Microsoft Authenticator app: Microsoft Authenticator app; phone (iOS and Android devices running Android 6.0 or above)
  • FIDO2 security keys: Windows 10, version 1809 or later; Azure Active Directory

Mode
  • Windows Hello for Business: Platform
  • Passwordless sign-in with the Microsoft Authenticator app: Software
  • FIDO2 security keys: Hardware

Systems and devices
  • Windows Hello for Business: PC with a built-in Trusted Platform Module (TPM); PIN and biometrics recognition
  • Passwordless sign-in with the Microsoft Authenticator app: PIN and biometrics recognition on phone
  • FIDO2 security keys: FIDO2 security devices that are Microsoft compatible

User experience
  • Windows Hello for Business: Sign in using a PIN or biometric recognition (facial, iris, or fingerprint) with Windows devices. Windows Hello authentication is tied to the device; the user needs both the device and a sign-in component such as a PIN or biometric factor to access corporate resources.
  • Passwordless sign-in with the Microsoft Authenticator app: Sign in using a mobile phone with fingerprint scan, facial or iris recognition, or PIN. Users sign in to a work or personal account from their PC or mobile phone.
  • FIDO2 security keys: Sign in using a FIDO2 security device (biometrics, PIN, and NFC). Users can access a device based on organization controls and authenticate with a PIN or biometrics using devices such as USB security keys and NFC-enabled smart cards, keys, or wearables.

Enabled scenarios
  • Windows Hello for Business: Passwordless experience with a Windows device. Applicable for a dedicated work PC with the ability for single sign-on to the device and applications.
  • Passwordless sign-in with the Microsoft Authenticator app: Passwordless anywhere solution using a mobile phone. Applicable for accessing work or personal applications on the web from any device.
  • FIDO2 security keys: Passwordless experience for workers using biometrics, PIN, and NFC. Applicable for shared PCs and where a mobile phone is not a viable option (such as for help desk personnel, public kiosks, or hospital teams).

Use the following table to choose which method will support your requirements and users.

Persona            | Scenario                                          | Environment                  | Passwordless technology
Admin              | Secure access to a device for management tasks    | Assigned Windows 10 device   | Windows Hello for Business and/or FIDO2 security key
Admin              | Management tasks on non-Windows devices           | Mobile or non-Windows device | Passwordless sign-in with the Microsoft Authenticator app
Information worker | Productivity work                                 | Assigned Windows 10 device   | Windows Hello for Business and/or FIDO2 security key
Information worker | Productivity work                                 | Mobile or non-Windows device | Passwordless sign-in with the Microsoft Authenticator app
Frontline worker   | Kiosks in a factory, plant, retail, or data entry | Shared Windows 10 devices    | FIDO2 security keys

Next steps

To get started with passwordless sign-in in Azure AD, complete one of the following how-tos: