Is there light at the end of the Password Tunnel of Pain?
Passwords continue to be a massive problem for IT Providers, businesses, end-users and in general most of humanity. I must tread carefully here… There have been options for “Passwordless” authentication, but Microsoft has now joined in and made Passwordless Authentication available at all levels of Azure AD (including the free level). What does this mean?
Passwordless, I hear you ask in a confused voice. Yes, the archaic means of protecting everything we do with technology is still, generally, a memorised secret, which is widely demonstrated to be incompatible with how the human mind works. In more recent times IT teams have made passwords more complex and hence more secure, mandating 27 characters, non-sequential, lowercase, uppercase, etc. But then nobody can remember them or type them, and the result is anger, fury and unpleasant support calls. The next evolution has been to buy Password Vault software to remember your passwords for you. This sort of works, but even in the last few weeks there has been news of password vault vendors having their data stolen. Passwords don’t really work anymore.
We all want shot of passwords, so how does Microsoft’s Passwordless Authentication work?
Microsoft describe three types of Passwordless Authentication:
First, Windows Hello for Business. It uses biometrics (face) and/or a PIN that is only accepted on that specific device to let you into your account. Great for securing corporate devices; I’ve been using it for years and it works.
Second, and this is the big change, is sign-in via the Microsoft Authenticator App. Many of us will be used to using this or something similar (such as Google Authenticator). Extra features in Microsoft Authenticator enable Passwordless authentication: the user is shown a two-digit code on screen and must then pick the matching code in the Authenticator App, with biometric validation on the phone adding further protection. Rapid login, with no password to remember or reset.
Third, a FIDO2 token. This is more expensive and more complex, and definitely more enterprise. It authenticates you via a secondary hardware device that must be connected to the device you are authenticating on, typically a USB key, though there are also Bluetooth and NFC options. Some of these devices also have a biometric factor built in for extra protection.
Recommendation for MSPs – consider making Passwordless standard via Microsoft Authenticator
Everyone using Office 365 services should already have MFA in place as a baseline level of security. The Passwordless option is a very simple next step that delivers a smoother IT experience to end users while still providing a good level of security.
Simple process to enable
- Enable for Tenant – can be done via PowerShell – we will make this an option in Atria.
User Process to Enable:
Users register themselves for the passwordless authentication method of Azure AD by using the following steps:
- Browse to https://aka.ms/mysecurityinfo and login (using a password!!)
- Add the Authenticator app by selecting Add method > Authenticator app, then Add.
- Follow instructions to install and configure the Microsoft Authenticator app on your device.
- In Microsoft Authenticator, pick Enable phone sign-in from the menu for the user account you just created.
- Follow the instructions to enable the account for passwordless phone sign-in.
If you are already using the Microsoft Authenticator app, you just need to find the correct account in Authenticator, then select “Enable phone sign-in” from the menu (step 5 onwards above).
<gr_insert after="20" cat="add_content" lang="powershell" orig="If you are already">
The post says the tenant-side step "can be done via PowerShell" but does not name the cmdlets. The script below is an added example, not code from the original post or from Atria. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication) is installed and that the signed-in administrator can consent to the Policy.ReadWrite.AuthenticationMethod scope. It enables the Microsoft Authenticator method tenant-wide with authentication mode "any" (standard push MFA plus passwordless phone sign-in), and reads the policy back before and after so the change can be reviewed, recorded and reverted if needed.

```powershell
# Added example (not from the original post): enable Microsoft Authenticator
# passwordless phone sign-in for the whole tenant via the Microsoft Graph
# authentication methods policy, then verify the result.
# Assumptions: Microsoft Graph PowerShell SDK installed; admin can consent to
# Policy.ReadWrite.AuthenticationMethod. "all_users" is Graph's built-in
# include target meaning every user in the tenant.

$policyUri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator'

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

function Get-AuthenticatorPolicy {
    # Returns the current Microsoft Authenticator method configuration as a hashtable.
    Invoke-MgGraphRequest -Method GET -Uri $policyUri
}

function Enable-AuthenticatorPasswordless {
    param(
        # 'any' allows both push MFA approvals and passwordless phone sign-in;
        # 'push' limits the method to plain MFA approvals (no passwordless).
        [ValidateSet('any', 'push')]
        [string]$AuthenticationMode = 'any'
    )
    $body = @{
        '@odata.type'  = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
        state          = 'enabled'
        includeTargets = @(
            @{
                targetType         = 'group'
                id                 = 'all_users'
                authenticationMode = $AuthenticationMode
            }
        )
    }
    # PATCH applies only the fields supplied; other settings on the method are left untouched.
    Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $body
}

# Capture the current state first so the change is documented and reversible.
$before = Get-AuthenticatorPolicy
Write-Host "Authenticator method state before change: $($before.state)"

Enable-AuthenticatorPasswordless -AuthenticationMode 'any'

# Verify: the method must be enabled and the all_users target must carry the intended mode
# before users are told to register via https://aka.ms/mysecurityinfo.
$after  = Get-AuthenticatorPolicy
$target = $after.includeTargets | Where-Object { $_.id -eq 'all_users' }
if ($after.state -eq 'enabled' -and $target.authenticationMode -eq 'any') {
    Write-Host 'Passwordless phone sign-in is enabled tenant-wide.'
} else {
    Write-Warning 'Policy did not apply as expected; inspect $after before rolling out to users.'
}
```

Run it once per tenant from an account holding a role such as Authentication Policy Administrator. Rolling out to a pilot group first is done by replacing the "all_users" target with that group's object id.
</gr_insert>
<gr_replace lines="22-23" cat="clarify" orig="For Atria customers">
For Atria customers, one of the ongoing challenges with Hybrid identity is dealing with passwords in both Active Directory and Azure AD. To solve it you either implement ADFS, and are then restricted by older technology, or you deploy and manage software (Azure AD Connect) to synchronise passwords between the directories. Both work, but there is always a compromise.
Passwordless using Microsoft Authenticator helps solve the problem. We should no longer need to bother the user with expiring or changing passwords in multiple places, and authentication should be a much simpler experience.
Summary
For Atria customers one of the ongoing challenges with Hybrid identity is dealing with passwords in Active Directory and Azure AD, to solve you need to either implement ADFS and then be restricted by older technology, or you have to deploy and manage software (Azure AD Connect) to synchronize passwords between directories. Both work, but there is always a compromise.
Passwordless using Microsoft Authenticator helps solve the problem, we should no longer need to bother the user with expiring or changing passwords in multiple places and authentication should be a much simpler experience.
We will provide further guidance to customers on how Atria can help you to deploy this solution.
Further Reading
Overview of how Passwordless sign-in works:
Azure Active Directory passwordless sign-in | Microsoft Docs
Microsoft guidance on how to set up:
Passwordless sign-in with the Microsoft Authenticator app – Azure Active Directory | Microsoft Docs