Passwordless with Azure AD
The first digital password dates from the early 1960s, when MIT professor Fernando Corbató needed to give several users private access to their own work on a large time-sharing computer. Today passwords are everywhere and used for almost everything.
Passwords exist for a good reason: a good password is usually the first line of defence against an attacker. They can be effective, but only if they are chosen well. As cybercrime has grown in frequency and sophistication, passwords have grown more complex with it, and even then they are not always enough to keep attackers out.
Going Passwordless with Azure AD
According to expert IT Support Services in London, a strong password is long (at least 12 characters), mixes lowercase and uppercase letters, numbers and special characters, and, most importantly, contains no personal information such as a childhood pet or a mother's maiden name.
The way passwords are used has changed too. Additional layers such as one-time passwords and multi-factor authentication are now common. They work well and should be used, but they still leave a password in the chain that can be guessed, leaked or phished, and stacking more layers on top of passwords that must be remembered is frustrating for most people.
This is where passwordless authentication comes in. TechQuarters, a trusted IT Support Company, recommends adopting passwordless authentication: it is more convenient and easy to start using, and it also offers a higher level of security. All a user needs is a device such as a computer, phone or security key, plus a biometric or PIN to unlock the credential stored on it.
Azure Active Directory (Azure AD) offers three passwordless authentication options for Microsoft Global Azure and Azure Government: Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys. Let's break down each one and how it works.
Windows Hello for Business
Windows Hello for Business is usually the first and simplest option to recommend for passwordless authentication. It provides a fully integrated, reliable sign-in method that replaces the password with strong two-factor authentication on the device: a credential tied to the PC (a key pair protected by the TPM where one is available) plus a user gesture, which can be biometric (fingerprint, facial recognition or iris recognition) or a PIN.
After an initial two-step verification during enrolment, the user sets a PIN and optionally a biometric gesture. The biometric template is stored on the local device only and is never sent to any external device or server; what Azure AD receives is the public key of the credential, never the gesture itself.
This is the ideal option for most businesses whose information workers have their own designated Windows PC. Because the credential is tied to that PC, integrates with public key infrastructure, and comes with built-in single sign-on support, Windows Hello for Business is both highly convenient and secure.
Microsoft Authenticator
The Microsoft Authenticator method relies on the user's phone for passwordless authentication. The app turns any Android or iOS phone into a strong passwordless credential.
When the user signs in to a browser page or app, they enter their username and are shown a number on the screen; the phone receives a notification asking them to select the matching number in the app. They then confirm with the phone's biometric option, such as fingerprint or face, or with a PIN. Because the number must be matched on the phone, an attacker who triggers a prompt cannot rely on the user simply tapping Approve.
Passwordless sign-in with the Microsoft Authenticator app follows the same basic pattern as Windows Hello for Business (a device-bound key unlocked by a biometric or PIN) but is slightly more involved, as it needs two devices rather than one.
FIDO2 security keys
FIDO2 security keys are another form of passwordless authentication; they are considered unphishable and come in many form factors. They aren't for most businesses: Microsoft 365 Consulting providers generally suggest them only to organisations that are very security sensitive, or that have employees who can't use their phone as a second factor.
The Fast Identity Online (FIDO) Alliance was formed to promote open authentication standards and reduce the use of passwords. FIDO2 combines the W3C Web Authentication (WebAuthn) standard with the Client to Authenticator Protocol (CTAP), allowing users and businesses to sign in to their resources with an external security key, or a platform authenticator built into a device, without a username or password.
Typically these security keys are USB devices, but they can also connect over Bluetooth or NFC. The private key is generated on the hardware and never leaves it; the service only ever holds the matching public key, so there is no password to be exposed or guessed. Each signature also covers the origin the browser actually connected to, which is why a credential presented to a look-alike phishing page is useless to the attacker.
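The FIDO2 sign-in described above, as an added example in Go that is not part of the original article and not Microsoft's or the FIDO Alliance's code. It simulates both sides of a WebAuthn assertion: a key that signs the relying party's challenge together with the origin the browser observed, and a relying party that verifies the challenge, origin, RP ID hash and signature, rejecting an otherwise valid signature when the origin is a look-alike phishing domain. The same device-bound key pattern is what Windows Hello for Business and Authenticator phone sign-in rely on. The RP ID login.example.com, the two origins, the constructed challenge and the simplified authenticator data (signature counter fixed at 0, no attestation or credential ID handling) are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn's CollectedClientData; the browser, not the web page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // rpIdHash(32) | flags(1) | signCount(4)
	Signature         []byte
}

// Authenticator stands in for a FIDO2 security key: the private key is generated on it and never leaves.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	rpIDHash [32]byte
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, rpIDHash: sha256.Sum256([]byte(rpID))}, nil
}

// Assert plays navigator.credentials.get(): browserOrigin is the site the user is really on and is
// hashed into the bytes the key signs, so the resulting signature is only valid for that origin.
func (a *Authenticator) Assert(challenge []byte, browserOrigin string) (*Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: browserOrigin}) // cannot fail for this plain struct
	// flags 0x05 = user present + user verified (PIN or biometric gesture); signCount kept at 0 in this demo
	authData := append(append([]byte{}, a.rpIDHash[:]...), 0x05, 0, 0, 0, 0)
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, nil
}

// RelyingParty is the identity-provider side; it stores only the public key registered at enrolment.
type RelyingParty struct {
	ID     string // RP ID, e.g. "login.example.com"
	Origin string // the only origin accepted in clientData
	PubKey *ecdsa.PublicKey
}

// Verify checks ceremony type, the challenge the RP issued, origin, RP ID hash and then the signature.
func (rp *RelyingParty) Verify(as *Assertion, challenge []byte) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("wrong ceremony type or challenge")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthenticatorData) != 37 || string(as.AuthenticatorData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.PubKey, digest[:], as.Signature) {
		return errors.New("invalid signature")
	}
	return nil
}

func main() {
	// login.example.com and both origins are constructed demo values, not real services.
	key, err := NewAuthenticator("login.example.com")
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{ID: "login.example.com", Origin: "https://login.example.com", PubKey: &key.priv.PublicKey}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	// A look-alike phishing site can relay the genuine challenge, but the browser still records the real origin.
	phished, _ := key.Assert(challenge, "https://login-example.com")
	fmt.Println("phished:", rp.Verify(phished, challenge))
	legit, _ := key.Assert(challenge, rp.Origin)
	fmt.Println("legit:", rp.Verify(legit, challenge)) // <nil>
}
```

The point to notice is that the phishing site receives a perfectly valid signature from the user's key, yet it cannot use it: the origin it was signed for is baked into clientDataJSON, which is hashed into the signed bytes, so the real identity provider rejects it. A real browser additionally refuses to let a page request credentials for an RP ID that is not a suffix of its own domain, and a production relying party would also track the signature counter and enforce single-use challenges, both omitted here for brevity.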
In summary, the right passwordless method depends on your company's platforms, apps and security requirements, but all three are worth adopting. Passwordless authentication strengthens security while being less complex and confusing for the average user, and with Azure AD it has become very easy to set up and start using.