Forum Discussion
Password + Authenticator app MFA notifications vs Passwordless
- Oct 14, 2021: I have encountered several times a phishing attack where:
  - The bad guy got the password of the user (through phishing)
  - He tries to authenticate, which triggers an MFA prompt
  - But the user who got the MFA prompt does not think and validates the notification
  And it happens a lot 😞
  So in your second scenario, the additional security layer is that you ensure that the person with the telephone is the one who triggered the MFA prompt (because of the 2 digits).
Totally get that, and I'm in the early stages of testing a passwordless deployment to a select group of users. With passwordless login via a FIDO2 key, I completely see the security benefits. But what I'm trying to figure out is how passwordless login via the Microsoft Authenticator app is any more secure than using a password and MFA combination via the Microsoft Authenticator app (via a login approval notification). Since both of these options use the Microsoft Authenticator app to deal with the login approval, you don't get the benefits that come with FIDO2. Thus, password + MFA or passwordless...if relying on the Microsoft Authenticator app, I can't see how passwordless is any more secure?
I think passwordless login via the Microsoft Authenticator app is a good "first step" into the passwordless world, but I just don't see how it's any more secure?
When I log into my account with a password + MFA, this is the process...
1. Enter email
2. Enter password
3. Receive sign-in approval notification in the Microsoft Authenticator app
4. I use Touch ID on my iPhone to access the Microsoft Authenticator app
5. Tap approve via the Microsoft Authenticator app notification
When I log into my account passwordless, this is the process...
1. Enter email
2. A 2-digit code is displayed on the screen where I'm trying to log in
3. I enter that 2-digit code into the Microsoft Authenticator app
4. I confirm the login via Touch ID via the Microsoft Authenticator app on my iPhone
So, while I completely understand how a password is the "weak point", with specific regards to Microsoft Authenticator being used in both scenarios (and not a FIDO2 key), how is the passwordless option more secure? What is it about the passwordless option via the Microsoft Authenticator app that makes it more secure?
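To make the point of the reply above concrete, here is an added toy model (not code from the thread or from Microsoft) of the two Authenticator flows: a push prompt the user simply taps "Approve" on, versus a prompt that requires entering the 2-digit number shown on the screen that started the sign-in. The identity provider, account name and number range are constructed assumptions for the model.

```python
"""Toy model: why a 2-digit number match defeats an approved-by-mistake MFA prompt.

Added example; it is not the thread's code or Microsoft's implementation.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SignInRequest:
    number: int            # 2-digit code shown only on the screen that started the sign-in
    approved: bool = False


class IdentityProvider:
    """Constructed model: one pending sign-in request per account."""

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.pending: Dict[str, SignInRequest] = {}

    def start_sign_in(self, user: str) -> SignInRequest:
        # Anyone who knows the username (and, in the password + MFA flow, the
        # phished password) can trigger the prompt. The number is random per request.
        req = SignInRequest(number=secrets.randbelow(100))
        self.pending[user] = req
        return req

    def approve(self, user: str, entered_number: Optional[int]) -> bool:
        req = self.pending.get(user)
        if req is None:
            return False
        # With number matching, a tap alone is not enough: the number typed into the
        # app must equal the one displayed on the initiating screen. A guess succeeds
        # 1 time in 100 per prompt, so a real IdP should also throttle attempts.
        if self.number_matching and entered_number != req.number:
            return False
        req.approved = True
        return True


def scenario_attacker_triggers_prompt(number_matching: bool) -> bool:
    """Attacker starts the sign-in; the victim, who started nothing, approves the
    prompt without thinking. Returns True if the attacker's sign-in is accepted."""
    idp = IdentityProvider(number_matching)
    idp.start_sign_in("alice@example.com")        # attacker's browser shows the number
    return idp.approve("alice@example.com", None)  # victim's screen shows no number


def scenario_legitimate_sign_in(number_matching: bool) -> bool:
    """The account owner starts the sign-in and, if required, copies the number."""
    idp = IdentityProvider(number_matching)
    req = idp.start_sign_in("alice@example.com")
    return idp.approve("alice@example.com", req.number if number_matching else None)
```

In the push-only flow the attacker-triggered sign-in is accepted as soon as the victim taps Approve; with number matching the same tap fails, while the legitimate user, who can see the number on their own screen, still gets in.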
- kmaling, Oct 14, 2021 (Copper Contributor): Thanks, this is exactly what I was looking for. As I'd mentioned in the OP, I'm on board with the move to/benefits of passwordless login; I was just trying to figure out, in that specific scenario, what it was that made the passwordless method more secure, but your explanation cleared it up. Thank you.