Passwordless authentication options for Azure Active Directory

Multi-factor authentication (MFA) is a great way to secure your organization, but users often get frustrated with the additional security layer on top of having to remember their passwords. Passwordless authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are or something you know.

             | Something you have                        | Something you are or know
Passwordless | Windows 10 device, phone, or security key | Biometric or PIN

Each organization has different needs when it comes to authentication. Microsoft offers the following three passwordless authentication options that integrate with Azure Active Directory (Azure AD):

  • Windows Hello for Business
  • Microsoft Authenticator app
  • FIDO2 security keys

[Figure: Authentication: security and convenience]

Windows Hello for Business

Windows Hello for Business is ideal for information workers who have their own designated Windows PC. The biometric or PIN is tied directly to the user's PC, which prevents access by anyone other than the owner. With public key infrastructure (PKI) integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a convenient method for seamlessly accessing corporate resources on-premises and in the cloud.

[Image: Example of a user sign-in with Windows Hello for Business]

The following steps show how the sign-in process works with Azure Active Directory.

[Diagram: steps involved in user sign-in with Windows Hello for Business]

  1. A user signs in to Windows using a biometric or PIN gesture. The gesture unlocks the Windows Hello for Business private key, and the request is handed to the Cloud Authentication security support provider, referred to as the Cloud AP provider.
  2. The Cloud AP provider requests a nonce from Azure AD.
  3. Azure AD returns a nonce that is valid for 5 minutes.
  4. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to Azure AD.
  5. Azure AD verifies the signature on the nonce using the user's securely registered public key. After verifying the signature, Azure AD validates the returned nonce itself (it must be one Azure AD issued, still within its 5-minute validity). When the nonce is validated, Azure AD creates a primary refresh token (PRT) with a session key that is encrypted to the device's transport key, and returns it to the Cloud AP provider.
  6. The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypts the session key and protects it using the device's Trusted Platform Module (TPM).
  7. The Cloud AP provider returns a successful authentication response to Windows. The user is then able to access Windows as well as cloud and on-premises applications without needing to authenticate again (SSO).

The Windows Hello for Business planning guide can help you decide on the type of Windows Hello for Business deployment and the options you will need to consider.

Microsoft Authenticator app

Allow your employees' phones to become a passwordless authentication method. You may already be using the Microsoft Authenticator app as a convenient multi-factor authentication option in addition to a password. You can also use the Authenticator app as a passwordless option.

[Image: Sign in to Microsoft Edge with the Microsoft Authenticator app]

The Authenticator app turns any iOS or Android phone into a strong, passwordless credential. Users can sign in to any platform or browser by getting a notification on their phone, matching a number displayed on the screen to the one shown on their phone, and then confirming with their biometric (touch or face) or PIN. Refer to Download and install the Microsoft Authenticator app for installation details.

Passwordless authentication using the Authenticator app follows the same basic pattern as Windows Hello for Business. It is a little more involved because the user first needs to be identified, so that Azure AD can find the Microsoft Authenticator app registered for that user and send the notification to it:

[Diagram: steps involved in user sign-in with the Microsoft Authenticator app]

  1. The user enters their username.
  2. Azure AD detects that the user has a strong credential and starts the Strong Credential flow.
  3. A notification is sent to the app via Apple Push Notification Service (APNS) on iOS devices, or via Firebase Cloud Messaging (FCM) on Android devices.
  4. The user receives the push notification and opens the app.
  5. The app calls Azure AD and receives a proof-of-presence challenge and a nonce.
  6. The user completes the challenge by entering their biometric or PIN to unlock the private key.
  7. The nonce is signed with the private key and sent back to Azure AD.
  8. Azure AD performs public/private key validation and returns a token.
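Both sign-in sequences above (Windows Hello for Business and the Authenticator app) are the same challenge-response at their core: Azure AD issues a short-lived nonce, the device signs it with a private key that the user's gesture unlocks, and Azure AD checks the signature against the public key registered at enrolment. The Go program below is an added example, not Microsoft code, that models that exchange with Ed25519 and a hypothetical in-memory IdP standing in for Azure AD. It also binds the number-matching value into what the device signs; that binding is an assumption of this example, since the page does not describe how the Authenticator app's number match is carried in the signed response. What the code shows beyond the prose are the checks a verifier must make in addition to the signature: the nonce has to be one issued to that user, not yet consumed, and still inside the 5-minute window.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"time"
)

// IdP is a hypothetical stand-in for Azure AD: the public key each user
// registered at enrolment, and the nonces issued so far.
type IdP struct {
	registered map[string]ed25519.PublicKey
	nonces     map[string]nonceRecord
	now        func() time.Time // injectable clock so expiry can be exercised
}

type nonceRecord struct {
	issued time.Time
	user   string
	used   bool
	number uint32 // number shown on screen (number matching; this binding is an assumption)
}

const nonceLifetime = 5 * time.Minute // the page's 5-minute nonce validity

var (
	ErrNoStrongCredential = errors.New("no passwordless credential registered for user")
	ErrUnknownNonce       = errors.New("nonce was not issued to this user")
	ErrNonceExpired       = errors.New("nonce older than 5 minutes")
	ErrNonceReplayed      = errors.New("nonce already consumed")
	ErrBadSignature       = errors.New("signature does not verify under the registered key")
)

func NewIdP() *IdP {
	return &IdP{registered: map[string]ed25519.PublicKey{}, nonces: map[string]nonceRecord{}, now: time.Now}
}

// Register stores the device-bound public key from enrolment; the private half
// stays in the TPM (Windows Hello) or the phone's keystore (Authenticator app).
func (s *IdP) Register(user string, pub ed25519.PublicKey) { s.registered[user] = pub }

// Challenge runs once the username identifies a user with a strong credential:
// it issues a random nonce and the number the sign-in page will display.
func (s *IdP) Challenge(user string) (nonce string, number uint32, err error) {
	if _, ok := s.registered[user]; !ok {
		return "", 0, ErrNoStrongCredential
	}
	raw := make([]byte, 36)
	if _, err := rand.Read(raw); err != nil {
		return "", 0, err
	}
	nonce = hex.EncodeToString(raw[:32])
	number = binary.BigEndian.Uint32(raw[32:]) % 100 // two-digit display number
	s.nonces[nonce] = nonceRecord{issued: s.now(), user: user, number: number}
	return nonce, number, nil
}

// payload binds the nonce to the number the user typed, so a signature over
// one nonce/number pair is useless for any other.
func payload(nonce string, number uint32) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], number)
	sum := sha256.Sum256(append([]byte(nonce), n[:]...))
	return sum[:]
}

// Respond is the device side: after PIN or biometric unlocks the private key,
// sign the nonce together with the number the user entered.
func Respond(priv ed25519.PrivateKey, nonce string, enteredNumber uint32) []byte {
	return ed25519.Sign(priv, payload(nonce, enteredNumber))
}

// Verify is the Azure AD side: the nonce must be one issued to this user,
// unused and within its lifetime, and the signature must verify under the
// registered public key for the number that was actually displayed. On
// success the nonce is consumed and a token (the PRT in the page's flow) returned.
func (s *IdP) Verify(user, nonce string, sig []byte) (string, error) {
	rec, ok := s.nonces[nonce]
	if !ok || rec.user != user {
		return "", ErrUnknownNonce
	}
	if rec.used {
		return "", ErrNonceReplayed
	}
	if s.now().Sub(rec.issued) > nonceLifetime {
		return "", ErrNonceExpired
	}
	if !ed25519.Verify(s.registered[user], payload(nonce, rec.number), sig) {
		return "", ErrBadSignature
	}
	rec.used = true
	s.nonces[nonce] = rec
	return "prt:" + user + ":" + nonce[:8], nil
}
```

Call Challenge, Respond and Verify in that order. A second Verify with the same nonce fails with ErrNonceReplayed, a response with the wrong number or a key that was never registered fails with ErrBadSignature, and moving the injected clock past five minutes fails with ErrNonceExpired. Consumption is tracked on the server, not the device: a device-side check would not stop an attacker replaying a captured response.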

FIDO2 security keys

FIDO2 security keys are an unphishable, standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to sign in to their resources without a username or password, using an external security key or a platform key built into a device.

In the public preview, employees can use security keys to sign in to their Azure AD joined or hybrid Azure AD joined Windows 10 devices and get single sign-on to their cloud and on-premises resources. Users can also sign in to supported browsers. FIDO2 security keys are a great option for enterprises that are very security sensitive, or that have scenarios or employees who are unwilling or unable to use their phone as a second factor.

[Image: Sign in to Microsoft Edge with a security key]

The following process is used when a user signs in with a FIDO2 security key:

[Diagram: steps involved in user sign-in with a FIDO2 security key]

  1. The user plugs the FIDO2 security key into their computer.
  2. Windows detects the FIDO2 security key.
  3. Windows sends an authentication request.
  4. Azure AD sends back a nonce.
  5. The user completes their gesture to unlock the private key stored in the FIDO2 security key's secure enclave.
  6. The FIDO2 security key signs the nonce with the private key.
  7. The primary refresh token (PRT) request with the signed nonce is sent to Azure AD.
  8. Azure AD verifies the signed nonce using the FIDO2 public key.
  9. Azure AD returns a PRT to enable access to on-premises resources.
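What makes a FIDO2 key "unphishable" is not the private key alone but what gets signed: the authenticator's response covers a hash of the relying-party identifier the browser supplied, the browser only lets a page use an RP ID that matches its own origin, and the client data that is signed records that origin. The Go program below is an added example (not Microsoft's or the FIDO Alliance's code) that models the sign-in steps above with an ES256 (P-256 ECDSA) key, a hypothetical RP ID of login.example.com with origin https://login.example.com, and the relying-party checks a verifier performs on an assertion: challenge, origin, rpIdHash, user-presence and user-verification flags, signature counter, and finally the signature. A phishing page on another origin ends up with an assertion that fails the origin and rpIdHash checks even though the user touched the genuine key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

const (
	flagUP = 0x01 // user present: the key was touched
	flagUV = 0x04 // user verified: PIN or biometric checked on the key
)

// Authenticator models a FIDO2 key: a per-RP private key that never leaves it, plus a counter.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// clientData is the browser-built clientDataJSON; the browser fills in the page's real origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedDigest is what ES256 signs: SHA256(authData || SHA256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// GetAssertion is the key's side. The browser supplies rpID and only lets a page
// claim an rpID its own origin is entitled to; that is what defeats phishing.
func (a *Authenticator) GetAssertion(rpID string, cd clientData, userVerified bool) (authData, cdJSON, sig []byte) {
	rpHash := sha256.Sum256([]byte(rpID))
	flags := byte(flagUP)
	if userVerified {
		flags |= flagUV
	}
	a.counter++
	authData = append(rpHash[:], flags, 0, 0, 0, 0) // rpIdHash || flags || signCount
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	cdJSON, _ = json.Marshal(cd)
	sig, _ = ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cdJSON))
	return authData, cdJSON, sig
}

// RelyingParty is the Azure AD side: registered key, last counter, accepted RP ID and origin.
type RelyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
	lastCounter  uint32
}

var (
	ErrChallenge   = errors.New("wrong ceremony type or challenge")
	ErrWrongOrigin = errors.New("clientData origin is not ours (phishing page?)")
	ErrWrongRP     = errors.New("rpIdHash is for a different relying party")
	ErrNoUV        = errors.New("user presence/verification flags not set")
	ErrCounter     = errors.New("counter did not increase (replay or cloned key?)")
	ErrSignature   = errors.New("signature does not verify under registered key")
)

// Verify applies the relying-party checks in the order a WebAuthn RP does.
func (rp *RelyingParty) Verify(expectedChallenge string, authData, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil ||
		cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return ErrChallenge
	}
	if cd.Origin != rp.origin {
		return ErrWrongOrigin
	}
	if want := sha256.Sum256([]byte(rp.rpID)); len(authData) < 37 || string(authData[:32]) != string(want[:]) {
		return ErrWrongRP
	}
	if flags := authData[32]; flags&flagUP == 0 || flags&flagUV == 0 {
		return ErrNoUV
	}
	counter := binary.BigEndian.Uint32(authData[33:37])
	if counter <= rp.lastCounter {
		return ErrCounter
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(authData, cdJSON), sig) {
		return ErrSignature
	}
	rp.lastCounter = counter
	return nil
}

// NewPair stands in for registration: the key mints a credential, the RP stores the public half.
func NewPair(rpID, origin string) (*Authenticator, *RelyingParty) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, &RelyingParty{rpID: rpID, origin: origin, pub: &priv.PublicKey}
}
```

The counter check is what surfaces a cloned authenticator: the clone starts from a lower count than the one the relying party last recorded, so its otherwise valid assertion is rejected. Keys that do not implement a counter always report 0, and a real relying party skips the comparison in that case rather than rejecting every assertion.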

While there are many keys that are FIDO2 certified by the FIDO Alliance, Microsoft requires some optional extensions of the FIDO2 Client-to-Authenticator Protocol (CTAP) specification to be implemented by the vendor to ensure maximum security and the best experience.

A security key MUST implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible:

# | Feature / extension      | Why is this feature or extension required?
1 | Resident key             | Makes the security key portable: your credential is stored on the security key itself.
2 | Client PIN               | Lets you protect your credentials with a second factor; applies to security keys that have no user interface of their own.
3 | hmac-secret              | Ensures you can sign in to your device when it is offline or in airplane mode.
4 | Multiple accounts per RP | Ensures you can use the same security key across multiple services, such as Microsoft account and Azure Active Directory.

The following providers offer FIDO2 security keys in different form factors that are known to be compatible with the passwordless experience. We encourage you to evaluate the security properties of these keys by contacting the vendor as well as the FIDO Alliance.

Provider                 | Contact
Yubico                   | https://www.yubico.com/support/contact/
Feitian                  | https://www.ftsafe.com/about/Contact_Us
HID                      | https://www.hidglobal.com/contact-us
Ensurity                 | https://www.ensurity.com/contact
eWBM                     | https://www.ewbm.com/support
AuthenTrend              | https://authentrend.com/about-us/#pg-35-3
Gemalto (Thales Group)   | https://safenet.gemalto.com/multi-factor-authentication/authenticators/passwordless-authentication/
OneSpan Inc.             | https://www.onespan.com/products/fido
IDmelon Technologies Inc. | https://www.idmelon.com/#idmelon

Note

If you purchase and plan to use NFC-based security keys, you need a supported NFC reader for the security key. The NFC reader is not an Azure requirement or limitation. Check with the vendor of your NFC-based security key for a list of supported NFC readers.

If you are a vendor and want to get your device on this list of supported devices, contact Fido2Request@Microsoft.com.

What scenarios work with the preview?

  • Administrators can enable passwordless authentication methods for their tenant
  • Administrators can target all users, or selected users/groups within their tenant, for each method
  • End users can register and manage these passwordless authentication methods in their account portal
  • End users can sign in with these passwordless authentication methods
    • Microsoft Authenticator app: Works in scenarios where Azure AD authentication is used, including across all browsers, during Windows 10 Out Of Box Experience (OOBE) setup, and with integrated mobile apps on any operating system.
    • Security keys: Work on the Windows 10 lock screen and on the web in supported browsers such as Microsoft Edge (both legacy and new Edge).

Choose a passwordless method

The choice between these three passwordless options depends on your company's security, platform, and app requirements.

Here are some factors to consider when choosing a Microsoft passwordless technology:

Pre-requisites
  • Windows Hello for Business: Windows 10, version 1809 or later; Azure Active Directory
  • Passwordless sign-in with the Microsoft Authenticator app: Microsoft Authenticator app; a phone (iOS devices, or Android devices running Android 6.0 or above)
  • FIDO2 security keys: Windows 10, version 1809 or later; Azure Active Directory

Mode
  • Windows Hello for Business: Platform
  • Passwordless sign-in with the Microsoft Authenticator app: Software
  • FIDO2 security keys: Hardware

Systems and devices
  • Windows Hello for Business: PC with a built-in Trusted Platform Module (TPM); PIN and biometric recognition
  • Passwordless sign-in with the Microsoft Authenticator app: PIN and biometric recognition on the phone
  • FIDO2 security keys: FIDO2 security devices that are Microsoft compatible

User experience
  • Windows Hello for Business: Sign in using a PIN or biometric recognition (facial, iris, or fingerprint) on a Windows device. Windows Hello authentication is tied to the device; the user needs both the device and a sign-in component such as a PIN or biometric factor to access corporate resources.
  • Passwordless sign-in with the Microsoft Authenticator app: Sign in using a mobile phone with fingerprint scan, facial or iris recognition, or PIN. Users sign in to a work or personal account from their PC or mobile phone.
  • FIDO2 security keys: Sign in using a FIDO2 security device (biometrics, PIN, or NFC). Users can access the device based on organizational controls and authenticate with a PIN or biometrics using devices such as USB security keys and NFC-enabled smart cards, keys, or wearables.

Enabled scenarios
  • Windows Hello for Business: Passwordless experience on a Windows device. Applicable for a dedicated work PC with single sign-on to the device and applications.
  • Passwordless sign-in with the Microsoft Authenticator app: Passwordless-anywhere solution using a mobile phone. Applicable for accessing work or personal applications on the web from any device.
  • FIDO2 security keys: Passwordless experience for workers using biometrics, PIN, or NFC. Applicable for shared PCs and where a mobile phone is not a viable option (such as help desk personnel, public kiosks, or hospital teams).

Use the following table to choose which method will support your requirements and users.

Persona            | Scenario                                          | Environment                  | Passwordless technology
Admin              | Secure access to a device for management tasks    | Assigned Windows 10 device   | Windows Hello for Business and/or FIDO2 security key
Admin              | Management tasks on non-Windows devices           | Mobile or non-Windows device | Passwordless sign-in with the Microsoft Authenticator app
Information worker | Productivity work                                 | Assigned Windows 10 device   | Windows Hello for Business and/or FIDO2 security key
Information worker | Productivity work                                 | Mobile or non-Windows device | Passwordless sign-in with the Microsoft Authenticator app
Frontline worker   | Kiosks in a factory, plant, retail, or data entry | Shared Windows 10 devices    | FIDO2 security keys

Next steps

  • Enable FIDO2 security key passwordless options in your organization
  • Enable phone-based passwordless options in your organization
  • FIDO Alliance
  • FIDO2 CTAP specification