Forum Discussion

kmaling's avatar
kmaling
Copper Contributor
Oct 13, 2021

Password + Authenticator app MFA notifications vs Passwordless

When relying on the MS Authenticator app (without access to a FIDO2 key) as part of the authentication process, is there any security-based benefit in going from logging in via a password + MFA (via Authenticator app notifications) to passwordless login (via Authenticator app)? Or, because both options rely on the Authenticator app (not FIDO2), are they equally secure, with passwordless login simply being more convenient for the end user?

  • SafeAsHouses's avatar
    SafeAsHouses
    Copper Contributor

    kmaling, passwordless login (via Authenticator app) is the way to go; passwords are the weak point of login.

    Passwordless as a solution was designed as a way to be rid of the vulnerability of passwords.

    • kmaling's avatar
      kmaling
      Copper Contributor

      SafeAsHouses

      Totally get that, and I'm in the early stages of testing a passwordless deployment to a select group of users. With passwordless login via a FIDO2 key, I completely see the security benefits. But what I'm trying to figure out is how passwordless login via the Microsoft Authenticator app is any more secure than using a password and MFA combination via the Microsoft Authenticator app (via a login approval notification). Since both of these options use the Microsoft Authenticator app to deal with the login approval, you don't get the benefits that come with FIDO2. Thus, password + MFA or passwordless... if relying on the Microsoft Authenticator app, I can't see how passwordless is any more secure.

      I think passwordless login via the Microsoft Authenticator app is a good "first step" into the passwordless world, but I just don't see how it's any more secure.

      When I log into my account with a password + MFA, this is the process...

      1. Enter email
      2. Enter password
      3. Receive sign-in approval notification in the Microsoft Authenticator app
      4. I use Touch ID on my iPhone to access the Microsoft Authenticator app
      5. Tap approve via the Microsoft Authenticator app notification

      When I log into my account passwordless, this is the process...

      1. Enter email
      2. A 2-digit code is displayed on the screen where I'm trying to log in
      3. I enter that 2-digit code into the Microsoft Authenticator app
      4. I confirm the login with Touch ID in the Microsoft Authenticator app on my iPhone

      So, while I completely understand how a password is the "weak point", with specific regard to Microsoft Authenticator being used in both scenarios (and not a FIDO2 key), how is the passwordless option more secure? What is it about the passwordless option via the Microsoft Authenticator app that makes it more secure?

      • thijoubertold's avatar
        thijoubertold
        Iron Contributor
        I encountered several times a phishing attack where:
        - The bad guy got the password of the user (through phishing)
        - He tries to authenticate, and an MFA prompt is sent
        - But the user who gets the MFA prompt does not think and validates the notification
        And it happens a lot 😞

        So in your second scenario, the additional security layer is that you ensure that the person with the telephone is the one who triggered the MFA prompt (because of the 2 digits).
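The two flows kmaling lists above and the phishing scenario thijoubertold describes, modelled as an added example (not code from the original thread, and not Microsoft's): a toy identity provider with a hypothetical `IdentityProvider` class and a `phone_user_responds` helper standing in for Azure AD and the Authenticator app, using a constructed account and password. It shows why the 2-digit number changes the outcome. With push approve, an attacker holding the phished password can trigger a prompt that the user clears with one blind tap. With number matching, completing the sign-in requires the number displayed on the attacker's screen, which a user who started no sign-in has never seen.

```python
"""Toy model of the two Microsoft Authenticator sign-in flows discussed in
the thread.  Constructed example: IdentityProvider and phone_user_responds
are simplified stand-ins for Azure AD and the Authenticator app, and the
account/password below are made up."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PASSWORD_PUSH = "password + push approve"             # kmaling's first flow
PASSWORDLESS_NUMBER_MATCH = "passwordless + number"   # kmaling's second flow


@dataclass
class PendingSignIn:
    username: str
    # Two-digit number shown on the screen of whoever started the sign-in.
    # None in the push-approve flow: nothing ties the tap to a screen.
    number: Optional[int]


class IdentityProvider:
    """Hypothetical IdP tracking one pending sign-in per user."""

    def __init__(self, flow: str, passwords: Dict[str, str]):
        self.flow = flow
        self._passwords = passwords
        self._pending: Dict[str, PendingSignIn] = {}

    def start_sign_in(self, username: str, password: Optional[str]) -> PendingSignIn:
        """Steps 1-2 at the browser.  In the password flow the password is
        checked first, so a phished password is enough to reach the prompt."""
        if self.flow == PASSWORD_PUSH:
            if self._passwords.get(username) != password:
                raise PermissionError("wrong password")
            number = None
        else:
            number = secrets.randbelow(100)   # 00..99, displayed to the browser user
        req = PendingSignIn(username, number)
        self._pending[username] = req
        return req

    def approve_from_phone(self, username: str, entered: Optional[int]) -> bool:
        """Authenticator callback.  Returns True iff the sign-in completes."""
        req = self._pending.pop(username, None)
        if req is None:
            return False
        if self.flow == PASSWORDLESS_NUMBER_MATCH and entered != req.number:
            return False   # the phone holder never saw the sign-in screen
        return True


def phone_user_responds(idp: IdentityProvider, username: str,
                        number_on_their_screen: Optional[int]) -> bool:
    """The user on the phone, modelled as thijoubertold's user: approves any
    prompt without thinking.  With number matching the app still demands the
    number, and a user who started no sign-in has none to type (a blind guess
    succeeds 1 time in 100 per prompt and is not modelled here)."""
    if idp.flow == PASSWORD_PUSH:
        return idp.approve_from_phone(username, None)   # one tap, no context
    return idp.approve_from_phone(username, number_on_their_screen)


def attacker_with_phished_password(flow: str) -> bool:
    """Attacker knows alice's password and triggers a prompt from their own
    browser.  Alice did not start this sign-in, so her screen shows no number."""
    idp = IdentityProvider(flow, {"alice": "Winter2021!"})
    idp.start_sign_in("alice", "Winter2021!" if flow == PASSWORD_PUSH else None)
    return phone_user_responds(idp, "alice", number_on_their_screen=None)


def legitimate_sign_in(flow: str) -> bool:
    """Alice signs in herself and, in the number-match flow, types the number
    her own screen shows."""
    idp = IdentityProvider(flow, {"alice": "Winter2021!"})
    req = idp.start_sign_in("alice", "Winter2021!" if flow == PASSWORD_PUSH else None)
    return phone_user_responds(idp, "alice", number_on_their_screen=req.number)


if __name__ == "__main__":
    for flow in (PASSWORD_PUSH, PASSWORDLESS_NUMBER_MATCH):
        print(f"{flow:28} legit={legitimate_sign_in(flow)} "
              f"attacker={attacker_with_phished_password(flow)}")
```

Two caveats the thread does not spell out. A user who guesses the number has a 1-in-100 chance per prompt, so an IdP that lets an attacker re-prompt without limit erodes the benefit. And number matching does not stop a real-time phishing proxy that sits between the victim and the sign-in page: the proxy starts the sign-in, receives the number, shows it to the victim, and the victim then does see a number to type. That relay is what FIDO2's origin binding defeats, which is why the gap kmaling notes between Authenticator-based passwordless and a FIDO2 key is real, even though the 2-digit step already removes the blind-approve failure mode.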
