Oct 13 2021 - last edited on Jan 14 2022
When relying on the MS Authenticator app (without access to a FIDO2 key) as part of the authentication process, is there any security-based benefit in going from logging in via a password + MFA (via Authenticator app notifications) to passwordless login (via Authenticator app)? Or, because both options rely on the Authenticator app (not FIDO2), are they equally secure, with passwordless login being more convenient for the end user?
Oct 13 2021 12:00 PM
@kmaling passwordless login (via Authenticator app) is the way to go, passwords are the weak point of login.
Passwordless as a solution was designed as a way to be rid of the vulnerability of passwords.
Oct 13 2021 01:20 PM
Totally get that and in the early stages of testing a passwordless deployment to a select group of users. With passwordless login via a FIDO2 key, I completely see the security benefits. But what I'm trying to figure out is how passwordless login via the Microsoft Authenticator app is any more secure than using a password and MFA combination via the Microsoft Authenticator app (via a login approval notification). Since both of these options use the Microsoft Authenticator app to deal with the login approval, you don't get the benefits that come with FIDO2. Thus, password + MFA or passwordless...if relying on the Microsoft Authenticator app, I can't see how passwordless is any more secure?
I think passwordless login via the Microsoft Authenticator app is a good "first step" into the passwordless world, but I just don't see how it's any more secure?
When I log into my account with a password + MFA, this is the process...
1. Enter email
2. Enter password
3. Receive sign-in approval notification in the Microsoft Authenticator app
4. I use Touch ID on my iPhone to access the Microsoft Authenticator app
5. Tap approve via the Microsoft Authenticator app notification
When I log into my account passwordless, this is the process...
1. Enter email
2. A 2-digit code is displayed on the screen where I'm trying to log in
3. I enter that 2-digit code into the Microsoft Authenticator app
4. I confirm the login via Touch ID via the Microsoft Authenticator app on my iPhone
So, while I completely understand how a password is the "weak point", with specific regards to Microsoft Authenticator being used in both scenarios (and not a FIDO2 key), how is the passwordless option more secure? What is it about the passwordless option via the Microsoft Authenticator app that makes it more secure?
Oct 14 2021 12:24 AM (Solution)
Oct 14 2021 12:30 AM
Oct 14 2021 05:31 AM