Password-less Authentication for Administrators Using PowerBroker for Windows

Morey Haber, Chief Technology Officer
April 30th, 2018

Microsoft has been touting their new password-less authentication technology and integration with hardware vendors. If you have not seen what this is all about, I suggest you watch this Ignite session from late last year to understand some of the principals. In summary, whether it is using biometrics in conjunction with Microsoft Hello technology, or a smartphone to provide a form of two-factor authentication (potentially FIDO compliant), the concept is the same – you are using unique traits about yourself, the technology you have in your possession, and strong cryptography to verify your identity.

But here is the rub. What if this works perfectly and authenticates you to a system as a Standard User (a security best practice), but you need administrator access to add a printer or execute an application? You have choices like Microsoft LAPS, but that will expose the local administrator password, which creates unwelcome risks. So how do you grant access to a feature or application as an administrator and continue the password-less paradigm? PowerBroker for Windows can make that happen on desktops and servers—even if no biometrics are available.

How PowerBroker for Windows can help achieve password-less authentication

PowerBroker for Windows is a patented solution that can apply application recognition based on user or asset, and is context-aware to elevate a program or operating system feature to administrator (or with a custom token) to precise privileges needed to execute, without requiring a password or responding to a UAC prompt.

When you think about it, this is really a huge deal. Microsoft is enabling users to logon to systems without passwords and PowerBroker for Windows can selectively elevate applications to administrative privilege—all without a single password being entered! And, if the application being elevated needs real domain or local administrative rights due to legacy dependencies, PowerBroker for Windows can seamlessly integrate into PowerBroker Password Safe to retrieve a legacy password via a secure API, and also apply it to the application as a “Run As” without ever exposing the password to the end user. This means that regardless of the application is running locally as an administrator, or must communicate over the network with legacy password-based credentials, it will work as a password-less solution in compliance with Microsoft’s latest initiatives to remove passwords from the needs of users.

While the cybersecurity community has identified passwords as one of the weakest security links, initiatives like password-less authentication are designed to bolster authentication and remove the burden from end users. The end result makes it harder for threat actors to compromise credentials and elevate privileges. Using a password-less system just became easy with PowerBroker for Windows since now you can even elevate applications without needing a password.

For more on how PowerBroker for Windows can help, request a demo or contact us today.

Morey Haber, Chief Technology Officer

With more than 20 years of IT industry experience and author of Privileged Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelors of Science in Electrical Engineering from the State University of New York at Stony Brook.