It’s common knowledge that passwords are not strong enough by themselves, and the current recommendation is to avoid them or to add an additional layer of security with 2FA or MFA.

On the Windows ecosystem, this is more complicated, as the underlying technologies (NTLM / Kerberos) haven’t evolved that much in the past decade: technically, you can only perform the authentication with a password or a certificate. Any solution on top of that just adds an additional layer/process to deliver that open sesame, but the legacy mechanisms remain and are even heavily used behind the scenes.

If you’re using an authentication system (through a new Credential Provider as the authentication endpoint) to open your Windows session without setting up a PKI or entering the password each time you want to log on, then you’re probably being fooled, as it means your secrets are cached somewhere. Everything else is just convenience and marketing.
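To see which Credential Providers actually sit in a host’s logon path, here is an added PowerShell inventory (example code, not part of the original post and not Leosac’s own tooling): it reads the registry locations Windows uses to register providers (assumed to be the standard `Authentication\Credential Providers` and `Classes\CLSID` keys under HKLM), resolves each provider’s DLL and flags binaries that are not signed by Microsoft, since those are the components whose credential caching you need to understand.

```powershell
# Added example: list registered Credential Providers, their DLL and signer.
# Run from an elevated PowerShell session so every HKLM key is readable.
# Registry paths below are the standard Windows locations (assumption).
$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

Get-ChildItem -Path $cpRoot | ForEach-Object {
    $clsid = $_.PSChildName                                  # {GUID} of the provider
    $name  = (Get-ItemProperty -Path $_.PSPath).'(default)'  # friendly name
    $dll   = $null
    $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    if (Test-Path $server) {
        $dll = (Get-ItemProperty -Path $server).'(default)'
        # Expand %SystemRoot%-style references before checking the file
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
    }
    $signer = 'n/a'
    $status = 'n/a'
    if ($dll -and (Test-Path $dll)) {
        $sig    = Get-AuthenticodeSignature -FilePath $dll
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    # Anything not signed by Microsoft is a third-party hook into logon:
    # review how it obtains and stores the password it hands to LSA.
    $thirdParty = ($signer -notmatch 'Microsoft')
    [pscustomobject]@{
        CLSID      = $clsid
        Name       = $name
        Dll        = $dll
        SigStatus  = $status
        Signer     = $signer
        ThirdParty = $thirdParty
    }
} | Sort-Object ThirdParty -Descending | Format-Table -AutoSize
```

Rows with `ThirdParty` set to `True` are the providers to investigate; an unsigned or unexpectedly signed DLL in this list is a finding on its own, independent of how the provider caches credentials.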

No rocket science: that’s what we do as well with Leosac Desktop Authentication to use an RFID/NFC card for Windows log-on. First of all, it is a convenience solution. It is still sometimes considered a secure solution, as it improves the overall security given the customer’s constraints in their specific environment. It is even a strong solution for identification-only and 2FA setups. But if you’re looking to really get rid of passwords, for something as secure as PKI, and you have the infrastructure and the budget, then, well, use PKI… Rather, think of this type of solution as an intermediate step, at a much lower cost.