The ultimate goal for every organization is to remove the use of passwords as part of sign-in events. Passwords are not natural to humans. This makes them a burden for every user, which results in weak passwords, the same password reused on multiple systems, passwords written down on notes, or an expired password "changed" by altering just one character. These are just some of the reasons that make passwords a weak form of authentication.
Is Multi Factor Authentication (MFA) the solution?
Yes, implementing Multi Factor Authentication (MFA) is a valid solution, along with requiring a password change over a period of time. MFA protects accounts and data by providing an additional factor for security, be it your phone authenticator app, SMS (which is not recommended) or a more advanced TOTP-based security key. Today's cloud-first approach demands better protection on the Internet. The cloud is open for access from everywhere, which differs from the traditional closed-down and protected enterprise environments.
What is the solution?
Passwordless authentication is the way to go. Unfortunately we are not completely there yet, but we can do a lot to use passwords as rarely as possible. Each organization has different needs when it comes to authentication. I will make a series of posts detailing the following three passwordless authentication options by Microsoft that integrate with Azure Active Directory (Azure AD):
- Windows Hello for Business
- Microsoft Authenticator app
- FIDO2 security keys
These are all the possible scenarios:
- Administrators can enable passwordless authentication methods for their tenant
- Administrators can target all users or select users/groups within their tenant for each method
- End users can register and manage these passwordless authentication methods in their account portal
- End users can sign in with these passwordless authentication methods
- Microsoft Authenticator app: Works in scenarios where Azure AD authentication is used, including across all browsers, during Windows 10 Out-of-Box Experience (OOBE) setup, and with integrated mobile apps on any operating system.
- Security keys: Work on the lock screen for Windows 10 and on the web in supported browsers like Microsoft Edge (both legacy and new Edge).
Use the following table to choose which method will support your requirements and users.
| Person | Scenario | Environment | Passwordless technology |
|---|---|---|---|
| Admin | Secure access to a device for management tasks | Assigned Windows 10 device | Windows Hello for Business, FIDO2 security key, Microsoft Authenticator app |
| Admin | Management tasks on non-Windows devices | Mobile or non-Windows device | Microsoft Authenticator app |
| Employee | Productivity work | Assigned Windows 10 device | Windows Hello for Business, FIDO2 security key, Microsoft Authenticator app |
| Employee | Productivity work | Mobile or non-Windows device | Microsoft Authenticator app |
| Frontline worker | Kiosks in a factory, plant, retail, or data entry | Shared Windows 10 devices | FIDO2 security keys, Microsoft Authenticator app |