Lior_Bela Neil-Johnson: Like many, I'm thrilled that Platform SSO (PSSO) is here and offers an option to eliminate what is arguably the largest "thorn in our sides" for supporting Macs. This is a great milestone, so kudos to everyone involved and all the testers.
I have a few questions for you to help demystify a couple of things:
First, in the post above you say:
Lior_Bela wrote:
This means that organizations can enable phishing-resistant, hardware-bound, passwordless authentication on Mac through Intune.
Can you explain how this is "passwordless authentication"? If an organization goes down the Secure Enclave route, they're still in a situation where a user continues to have two passwords:
- In Windows
  - We have just the one [Entra ID] password for both logging in to the machine and accessing services where Azure is the Identity Provider (IdP)
  - We have Windows Hello for Business (WHfB) and at a minimum we can set up a PIN or go as far as enrolling our biometrics, both of which are great for getting logged into the machine without a password post reboot and any other areas where user auth is required.
- On macOS
  - There are two passwords:
    - One local password to get logged into the Mac
    - One for the Entra ID account
  - There is no WHfB equivalent, and even though we can set up Touch ID, after a restart one is forced to enter their local Mac password, even if they set up Touch ID.
  - Once they're logged in they can use Touch ID but they still need to know that local Mac password
Second, if you're suggesting that we're meant to treat the local Mac password as a PIN, what are organizations who have password policies governing length, complexity, etc. supposed to do? Are you advocating for organizations to relax those password policies so people can truly set up PINs?
Finally, the video above is for the password authentication process, which is phenomenal and exactly what people have been wanting. But the documentation, and feedback from other Microsoft and MVPs, is not to use Password authentication but Secure Enclave. Why draw attention to and show something that is not recommended? Is this an "art of the possible" flex?