Forum Discussion
Password + Authenticator app MFA notifications vs Passwordless
- Oct 14, 2021
I have encountered several times a phishing attack where:
- The bad guy got the password of the user (through phishing)
- He tries to authenticate. MFA prompt
- But the user who got the MFA prompt does not think and validates the notification
And it happens a lot 😞
So in your second scenario, the additional security layer is that you ensure that the person with the telephone is the one who triggered the MFA prompt (because of the 2 digits)
Totally get that, and I'm in the early stages of testing a passwordless deployment to a select group of users. With passwordless login via a FIDO2 key, I completely see the security benefits. But what I'm trying to figure out is how passwordless login via the Microsoft Authenticator app is any more secure than using a password and MFA combination via the Microsoft Authenticator app (via a login approval notification). Since both of these options use the Microsoft Authenticator app to deal with the login approval, you don't get the benefits that come with FIDO2. Thus, password + MFA or passwordless...if relying on the Microsoft Authenticator app, I can't see how passwordless is any more secure?
I think passwordless login via the Microsoft Authenticator app is a good "first step" into the passwordless world, but I just don't see how it's any more secure?
When I log into my account with a password + MFA, this is the process...
1. Enter email
2. Enter password
3. Receive sign-in approval notification in the Microsoft Authenticator app
4. I use Touch ID on my iPhone to access the Microsoft Authenticator app
5. Tap approve via the Microsoft Authenticator app notification
When I log into my account passwordless, this is the process...
1. Enter email
2. A 2-digit code is displayed on the screen where I'm trying to log in
3. I enter that 2-digit code into the Microsoft Authenticator app
4. I confirm the login with Touch ID via the Microsoft Authenticator app on my iPhone
So, while I completely understand how a password is the "weak point", with specific regards to Microsoft Authenticator being used in both scenarios (and not a FIDO2 key), how is the passwordless option more secure? What is it about the passwordless option via the Microsoft Authenticator app that makes it more secure?
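The two flows listed in the post above, modelled as an added example (this is constructed for the thread, not Microsoft's code; the class and function names are invented). It shows the one thing that differs between "tap Approve" and "type the 2-digit code": in the push flow any approval from the phone completes the sign-in, whoever submitted the credentials, while in the number-matching flow the phone can only send back a code that is visible on a screen in front of the user, and an attacker who triggered the prompt from their own browser is the only one who can see it.

```python
"""Toy model of push approval versus number matching.
Constructed illustration for the thread, not Microsoft's implementation."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Challenge:
    user: str
    mode: str              # "push" or "number_match"
    number: Optional[int]  # the 2-digit code, only set for number_match


class AuthServer:
    """Hypothetical identity provider that issues one MFA challenge per sign-in."""

    def __init__(self) -> None:
        self.pending: Dict[str, Challenge] = {}

    def start_signin(self, user: str, mode: str) -> Tuple[str, Optional[int]]:
        """Someone submitted the username (and, in the password + MFA flow,
        a correct password). The server pushes a prompt to the user's phone
        and returns the code it renders on the *initiator's* screen."""
        sid = secrets.token_hex(4)
        number = secrets.randbelow(100) if mode == "number_match" else None
        self.pending[sid] = Challenge(user, mode, number)
        return sid, number

    def complete(self, sid: str, entered: Optional[int] = None) -> bool:
        """Called by the Authenticator app when the user responds.
        Push: any approval is accepted. Number matching: the app must send
        back exactly the code that was displayed to the initiator."""
        ch = self.pending.pop(sid)
        if ch.mode == "push":
            return True
        return entered is not None and entered == ch.number


def simulate(mode: str, attacker_initiated: bool,
             attacker_relays_code: bool = False) -> bool:
    """One sign-in attempt for user 'alice'. The prompt lands on her phone
    either way; what differs is what she can see on a screen in front of
    her. She approves without thinking, as described in the thread.
    attacker_relays_code models an attacker who can show the victim the
    code in real time (e.g. on the phishing page); that case is a caveat
    added here, not a scenario from the thread."""
    server = AuthServer()
    sid, displayed = server.start_signin("alice", mode)
    # The code is rendered only in the browser that submitted the credentials.
    if attacker_initiated and not attacker_relays_code:
        user_sees = None
    else:
        user_sees = displayed
    if mode == "push":
        return server.complete(sid)                 # blind tap on Approve
    return server.complete(sid, entered=user_sees)  # can only type what is visible


if __name__ == "__main__":
    for mode in ("push", "number_match"):
        print(mode,
              "user-initiated:", simulate(mode, attacker_initiated=False),
              "attacker-initiated:", simulate(mode, attacker_initiated=True))
    print("number_match with code relayed to victim:",
          simulate("number_match", attacker_initiated=True, attacker_relays_code=True))
```

Run as-is: both flows succeed when the user started the sign-in; the attacker-initiated attempt succeeds only in push mode. The last line is the limit of the control: number matching stops a victim from rubber-stamping a prompt they did not cause, but if the attacker can put the code in front of the victim (a real-time phishing page) the victim can still type it, which is why the FIDO2 origin binding mentioned in the post remains the stronger option.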
The reason why this isn't preferred is that passwords are being leaked and can be brute-forced.
The main concern is to use two-factor authentication with two factors configured. The most secure design is to use as factors something you know and something you have. So in the case of a Windows Hello for Business scenario, you could think of a PIN code and a FIDO2 security key. Even go further, use the camera as the first factor, and FIDO2 as a second factor.
Apart from the above scenario you mention (because more designs and configurations are possible), I don't say that the above isn't insecure. But I'm trying to explain why you should choose passwordless over username + password with MFA.