Home
Microsoft

No resetting passwords at 2am - welcome to password-less authentication!

When a senior executive rings the helpdesk on-call number at 2am, you blearily log in and reset their password. They could be travelling, or just working really late on an important deadline. And despite having educated everybody a number of times on good password habits, now is not the time to have that conversation with them, again.

As we've moved more resources to the Cloud, or we're allowing access to on-premises resources from Bring Your Own Devices or company-owned mobile devices, identity becomes an important weapon for securing those resources. We no longer have the blockers that you physically have to get in to the company premises and sit down at a corporate machine, to be able to attempt a log-in. In fact, over 82% of security breaches are caused by stolen passwords.

So what do we do? Put in more hurdles for our users to jump over to prove who they are? There's a tipping point there where we'll impact productivity and our users will actively work around these - storing passwords insecurely, sharing passwords between users or using the same password across multiple services. We need to find a method that strengthens security without adding more friction to the user's experience.

Enter the sleep protector - password-less authentication!

It's easy to think of that as just biometrics, with the Windows Hello service recognising your face or fingerprint. But at Microsoft Ignite, Joy Chik (Corporate Vice President of Identity at Microsoft) demonstrated an office.com login with a one time number, verified inside the Microsoft Authenticator app and authorised with your fingerprint. This removes the need for your PC or Mac to also have a fingerprint reader, but uses the strong combination of both something you have (your smartphone) and something you are (your fingerprint, verified by your smartphone). Yes - that's removed the something you know part (also known as something you can forget at 2am if you are a senior exec).



The fun doesn't stop with just Microsoft apps, as Azure Active Directory powers authentication into hundreds of thousands of third-party apps, including SaaS apps, line of business applications and web apps. I had to fact check that one because I couldn't believe it at first, but it's true! And, we're actively working with leaders in the industry on FIDO 2.0 standards to support even more third party security devices, like hardware security keys.

Steps to get started:

  • Enable Multi Factor Authentication in Azure AD
  • Roll out Microsoft Authenticator app (or download from app store)
  • Add the AuthenticatorAppSignInPolicy to your tenant (via PowerShell for now while in Public Preview)
  • Enable phone sign-in on your authenticator app

 

If you're not yet ready to try the public preview of these password-less features, at least turn on Multi Factor Authentication. Without MFA protecting your organization, Joy Chik compares it to "driving without a seatbelt."

I can hear the complaints now though - MFA is too annoying for our users! So enter ... Conditional Access! Another great Azure AD feature, this lets you tweak when MFA is asked for, based on certain conditions. For example, set a policy so if the device has an IP address on your corporate network, then MFA is not required.

Explore password-less authentication with the Microsoft Authenticator app, in public preview today (for Azure AD accounts), and let your on-call helpdesk sleep through the night.

Resources:
Download the Azure Active Directory Multi-factor Deployment Plan

Documentation:
Password-less strategy
Password-less phone sign-in with the Microsoft Authenticator app (public preview)
Windows Hello for Business

Related Microsoft Ignite sessions:
THR2355 - A world without passwords
THR2148 - Experiences with going password-less
THR3048 - Credential protection in the password-less era
BRK3031 - Getting to a world without passwords


-SCuffy

@SoniaCuff

2 Comments
Occasional Visitor

Any luck getting this working:

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/10072839-allow-the-user-...

 

Secure Score suggests to reduce the number of GA, this increases the number!

Microsoft

@Anthony Cotton still being looked into. The team will share further details when it becomes available.