Forum Discussion
Solved
Secure Registration and TAP with a password-less CA baseline
Hi All, I've been looking further at password-less in an Azure AD tenant and if it can be set as a baseline CA requirement for access to tenant resources. Access via CA policies appears to work ...
- If you enforce Passwordless (authentication strength) as you've noticed you might need to add TAP as an additional method in that policy. Let's consider the scenario: existing user, new phone.
It's a bit clunky today since you will need TAP for getting the user into Security Info first (to register method), and then provide TAP yet again when you "Enable Phone-Sign in" in the new mobile. You could use the same TAP there if you set it to not require one-time use and then scope it to 1 hour for example. I have an example authenticator scenario you can compare with: https://simonhakansson.com/passwordless-authenticator-configuration-ddb0fa70d32f
Keep in mind that TAP is considered stronger than the other available MFA methods (https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-system-preferred-multifactor-authentication#how-does-system-preferred-mfa-determine-the-most-secure-method) , so it should be handled with care.
I expect the Passwordless registration-flow to become a bit more user friendly in the future, ideally you would want "Enable Phone-sign in" to be automatic in some way, at least for MDM-enrolled phones in my opinion.
If you enforce Passwordless (authentication strength) as you've noticed you might need to add TAP as an additional method in that policy. Let's consider the scenario: existing user, new phone.
It's a bit clunky today since you will need TAP for getting the user into Security Info first (to register method), and then provide TAP yet again when you "Enable Phone-Sign in" in the new mobile. You could use the same TAP there if you set it to not require one-time use and then scope it to 1 hour for example. I have an example authenticator scenario you can compare with: https://simonhakansson.com/passwordless-authenticator-configuration-ddb0fa70d32f
Keep in mind that TAP is considered stronger than the other available MFA methods (https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-system-preferred-multifactor-authentication#how-does-system-preferred-mfa-determine-the-most-secure-method) , so it should be handled with care.
I expect the Passwordless registration-flow to become a bit more user friendly in the future, ideally you would want "Enable Phone-sign in" to be automatic in some way, at least for MDM-enrolled phones in my opinion.
It's a bit clunky today since you will need TAP for getting the user into Security Info first (to register method), and then provide TAP yet again when you "Enable Phone-Sign in" in the new mobile. You could use the same TAP there if you set it to not require one-time use and then scope it to 1 hour for example. I have an example authenticator scenario you can compare with: https://simonhakansson.com/passwordless-authenticator-configuration-ddb0fa70d32f
Keep in mind that TAP is considered stronger than the other available MFA methods (https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-system-preferred-multifactor-authentication#how-does-system-preferred-mfa-determine-the-most-secure-method) , so it should be handled with care.
I expect the Passwordless registration-flow to become a bit more user friendly in the future, ideally you would want "Enable Phone-sign in" to be automatic in some way, at least for MDM-enrolled phones in my opinion.
0fflinedocs Thanks appreciate your insight too!
I'll test out your process today, see if I can address the challenge.