Microsoft Tech Community
SOLVED

Password + Authenticator app MFA notifications vs Passwordless

Copper Contributor

When relying on the MS Authenticator app (without access to a FIDO2 key) as part of the authentication process, is there any security-based benefit in going from logging in via a password + MFA (via Authenticator app notifications) to passwordless login (via Authenticator app)? Or, because both options rely on the Authenticator app (not FIDO2), are they equally secure, with passwordless login simply being more convenient for the end user?

5 Replies

@kmaling passwordless login (via Authenticator app) is the way to go; passwords are the weak point of login.

 

Passwordless as a solution was designed as a way to be rid of the vulnerability of passwords.

@SafeAsHouses

 

Totally get that, and I'm in the early stages of testing a passwordless deployment to a select group of users. With passwordless login via a FIDO2 key, I completely see the security benefits. But what I'm trying to figure out is how passwordless login via the Microsoft Authenticator app is any more secure than using a password and MFA combination via the Microsoft Authenticator app (via a login approval notification). Since both of these options use the Microsoft Authenticator app to deal with the login approval, you don't get the benefits that come with FIDO2. Thus, password + MFA or passwordless... if relying on the Microsoft Authenticator app, I can't see how passwordless is any more secure?

 

I think passwordless login via the Microsoft Authenticator app is a good "first step" into the passwordless world, but I just don't see how it's any more secure?

 

When I log into my account with a password + MFA, this is the process...

 

1. Enter email

2. Enter password

3. Receive sign-in approval notification in the Microsoft Authenticator app

4. I use Touch ID on my iPhone to access the Microsoft Authenticator app

5. Tap approve via the Microsoft Authenticator app notification

 

When I log into my account passwordless, this is the process...

 

1. Enter email

2. A 2-digit code is displayed on the screen where I'm trying to log in

3. I enter that 2-digit code into the Microsoft Authenticator app

4. I confirm the login via Touch ID via the Microsoft Authenticator app on my iPhone

 

So, while I completely understand how a password is the "weak point", with specific regards to Microsoft Authenticator being used in both scenarios (and not a FIDO2 key), how is the passwordless option more secure? What is it about the passwordless option via the Microsoft Authenticator app that makes it more secure?

best response confirmed by kmaling (Copper Contributor)
Solution
I have encountered several times a phishing attack where:
- The bad guy got the password of the user (through phishing)
- He tries to authenticate, which triggers an MFA prompt
- But the user who got the MFA prompt does not think and validates the notification
And it happens a lot :(

So in your second scenario, the additional security layer is that you ensure that the person with the telephone is the one who triggered the MFA prompt (because of the 2 digits).
Regarding your statement about using a username and password:
The reason why this isn't preferred is that passwords are being leaked and can be brute-forced.

The main concern is to use two-factor authentication with two factors configured. The most secure design is to use as a factor something you know and something you have. So in the case of a Windows Hello for Business scenario, you could think of a PIN code and a FIDO2 security key. To go even further, use the camera as the first factor and FIDO2 as a second factor.

Apart from the above scenario you mention (because more designs and configurations are possible), I'm not saying that the above is insecure. But I'm trying to explain why you should choose passwordless over username + password with MFA.

Thanks, this is exactly what I was looking for. As I'd mentioned in the OP, I'm on board with the move to/benefits of passwordless login, I was just trying to figure out, in that specific scenario, what it was that made the passwordless method more secure; but your explanation cleared it up. Thank you.
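The accepted answer's point, as an added illustration written for this page (a constructed Python model, not Microsoft's code; the `Phone`, `SignInAttempt` and `simulate` names are hypothetical): a plain push prompt carries no context, so a user who taps approve out of habit can approve a sign-in someone else started, whereas with the 2-digit number-matching code the user can only complete an attempt whose code is on a screen in front of them.

```python
"""Constructed model of push-approve MFA vs number-matching passwordless sign-in."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class SignInAttempt:
    initiator: str                 # who typed the email at the sign-in page
    code: Optional[str] = None     # 2-digit code shown on the initiator's screen
    approved: bool = False


class Phone:
    """The legitimate user's phone running the Authenticator app (Touch ID assumed to pass)."""

    def __init__(self, owner: str) -> None:
        self.owner = owner

    def approve_push(self, attempt: SignInAttempt) -> bool:
        # Flow 1 (password + push): the prompt shows nothing the user can check
        # against their own screen, so a habitual tap approves whichever attempt
        # raised it, including one started by whoever phished the password.
        attempt.approved = True
        return attempt.approved

    def approve_number_match(self, attempt: SignInAttempt, typed: Optional[str]) -> bool:
        # Flow 2 (passwordless): the app demands the 2-digit code displayed at the
        # sign-in page; approval only succeeds if the typed code matches.
        attempt.approved = typed is not None and typed == attempt.code
        return attempt.approved


def start_sign_in(initiator: str, number_matching: bool) -> SignInAttempt:
    """Server side: create an attempt and, for number matching, a fresh 2-digit code."""
    code = f"{secrets.randbelow(100):02d}" if number_matching else None
    return SignInAttempt(initiator=initiator, code=code)


def simulate(user: str, initiator: str, number_matching: bool) -> bool:
    """Return True if the attempt started by `initiator` ends up approved on `user`'s phone."""
    attempt = start_sign_in(initiator, number_matching)
    phone = Phone(user)
    if not number_matching:
        return phone.approve_push(attempt)
    # The user only sees a code if they are the one sitting at the sign-in page;
    # a prompt for an attempt they did not start gives them nothing to type.
    visible_code = attempt.code if initiator == user else None
    return phone.approve_number_match(attempt, visible_code)
```

Running the four combinations shows the difference the answer describes: only the push flow lets an attempt initiated by someone else succeed.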