Table of Contents
After successfully implementing passwordless authentication for a large number of users, I am left wondering why more organizations have not adopted this low-hanging fruit. Even our free Azure AD subscription includes passwordless authentication for both internal and external users.
Passwordless is a combination of our user's identity in Azure AD and our device's identity, since we are binding our identities together as humans and devices. To make passwordless a success, I have used the following tools:
- Windows Hello for Business (Windows device)
- Microsoft Authenticator (Smartphone application)
- FIDO2 security keys (Small piece of hardware)
- Temporary Access Pass (Allows users to temporary configure strong authentication)
- Monitoring and Activity
Understand this: passwordless authentication is here to stay FOREVER and will only enhance the security of our infrastructure, so for how much longer will you ignore the possibilities?
- Passwordless is not in beta.
- Passwordless is not difficult to implement, nor is it challenging for users to understand.
- Passwordless is not ADFS Certificate Based Authentication (you lack the eco system and cloud security intelligence).
- Passwordless is not ineffective when your applications require a password for authentication (Hybrid Cloud Kerberos Trust Deployment).
- Onboarding new users to truly passwordless has never been easier or more secure than with the Temporary Access Pass (TAP).
- As you implement, you will gain an understanding of your envoirments' readiness. Many people have no idea what authentication protocol is being used.
It's understandable that we appreciate our passwords, given that they've kept us safe for so long and have been such an integral part of any authentication ecosystem. However, times are changing, and we need to put passwordless on the agenda. Unfortunately, many businesses continue to use their passwords. Many governments have security recommendations, and for some reason, they still recommend "strong" passwords.
Executives typically follow these recommendations, but they lack the time and expertise to understand passwordless authentication and should seek assistance from IT professionals.
What is Passwordless?
Passwordless authentication is the experience one has when securely accessing digital resources without the use of a password. Passwordless authentication uses concepts like biometrics (facial recognition or a fingerprint), single sign-on (SSO), and multifactor authentication to move beyond vulnerable passwords.
Passwordless in Azure Active Directory (Azure AD) is built on top of OAuth 2.0, Security Assertion Markup Language (SAML), and OpenID Connect (OIDC).
First, ask yourself, "Do we need to authenticate with Azure Active Directory?" If you are unsure, you must begin your research!
The first step to eliminate password
The first step toward password elimination is to provide an alternative (hint, primary refresh token).
Identify test users
User acceptance testing is vital to a transition's success. It is impossible for you to know the day-to-day activities of every work persona or how to accurately validate them. You must enlist the assistance of users who match the desired work persona. To make this a success, you only need a few users who fit the profile of the targeted work persona.
Passwordless is the future.