Active Directory Domain Services - Microsoft Passport
Authentication methods are moving at a faster pace than ever before. Think about it for a moment: you sign in to your laptop and then open your browser to go to your favorite websites, where you again sign in. In these instances, you are not always using your corporate credentials. If you hear of a new service and want to access it, the chances are that you will be prompted to sign up and use credentials from, for example, your public Microsoft account, Facebook, Google, and so on. The traditional paradigm of using a dedicated identity authentication provider that you build as an application developer is moving on, and we are now using more “well-known” services like those just mentioned.
Microsoft Passport is a new key-based authentication method that goes beyond passwords to mitigate traditional authentication attacks. A user enrolls for Microsoft Passport, but must ensure that the authentication provider she uses supports Fast Identity Online (FIDO) authentication. Through a two-step process, the user sets up Microsoft Passport on her device and sets a gesture or PIN, which can then be used to authenticate the user via Microsoft Passport.
During the setup, a certificate or asymmetric key pair is stored on the device. The private key is stored within the TPM chip on the device and never leaves it during the authentication process. The public key is registered in Azure Active Directory and Windows Server Active Directory. The user account has a mapping between the public and private key, which helps to validate the user. Additional controls are implemented via one-time passwords, PhoneFactor, and so on.
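To make the key-based flow concrete, here is an added example (written for this page, not Microsoft's code and not how the TPM or Azure AD actually implements it) that models the parts described above: a device-side key store that generates the key pair and only ever releases signatures after the PIN gesture is checked, an identity provider that stores nothing but the public key per account, and a challenge-response sign-in in which the private key never leaves the device. The names `DeviceKeyStore`, `IdentityProvider`, `Enroll` and `SignIn` are assumptions for the model; ECDSA over P-256 is chosen for illustration, since the text does not state which algorithm Passport uses, and the SHA-256 PIN check is a stand-in for the TPM's own PIN gating.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// DeviceKeyStore is a constructed stand-in for the TPM: the private key is
// created here, is never returned to callers, and the only exposed operation
// is signing a challenge after the PIN gesture is verified.
type DeviceKeyStore struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte // stand-in for the TPM's PIN gating, not a real PIN scheme
}

// Enroll generates the key pair on the device and binds it to a PIN. Only the
// public key is returned; that is what gets registered with the directory.
func Enroll(pin string) (*DeviceKeyStore, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &DeviceKeyStore{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, &priv.PublicKey, nil
}

// Sign releases a signature over the challenge only if the PIN matches.
func (d *DeviceKeyStore) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, errors.New("pin gesture rejected")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// IdentityProvider is a constructed stand-in for Azure AD / AD DS: it holds a
// public key per account and one outstanding single-use challenge per account.
type IdentityProvider struct {
	users      map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewIdentityProvider() *IdentityProvider {
	return &IdentityProvider{users: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register maps the user account to the device's public key.
func (idp *IdentityProvider) Register(user string, pub *ecdsa.PublicKey) { idp.users[user] = pub }

// Challenge issues a fresh random nonce that the device must sign.
func (idp *IdentityProvider) Challenge(user string) ([]byte, error) {
	if _, ok := idp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	idp.challenges[user] = nonce
	return nonce, nil
}

// Verify consumes the outstanding nonce (one attempt per challenge, so a
// captured signature cannot be replayed) and checks the signature against
// the registered public key.
func (idp *IdentityProvider) Verify(user string, nonce, sig []byte) bool {
	pub, ok := idp.users[user]
	expected, has := idp.challenges[user]
	if !ok || !has {
		return false
	}
	delete(idp.challenges, user)
	if subtle.ConstantTimeCompare(nonce, expected) != 1 {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SignIn runs one complete authentication: challenge, PIN-gated signature, verification.
func SignIn(idp *IdentityProvider, dev *DeviceKeyStore, user, pin string) bool {
	nonce, err := idp.Challenge(user)
	if err != nil {
		return false
	}
	sig, err := dev.Sign(pin, nonce)
	if err != nil {
		return false
	}
	return idp.Verify(user, nonce, sig)
}

func main() {
	dev, pub, err := Enroll("1234") // constructed sample PIN
	if err != nil {
		panic(err)
	}
	idp := NewIdentityProvider()
	idp.Register("alice@contoso.example", pub)
	fmt.Println("correct PIN:", SignIn(idp, dev, "alice@contoso.example", "1234"))
	fmt.Println("wrong PIN:  ", SignIn(idp, dev, "alice@contoso.example", "0000"))
}
```

The point the model makes is that the directory never receives anything usable for impersonation: it stores a public key and sees only signatures over nonces it chose itself, so a breach of the directory or an intercepted sign-in exchange yields neither a reusable credential nor the key, and the PIN alone is worthless away from the device that holds the private key.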
Source of information: Microsoft Introduction Windows Server 2016