Forum Discussion
Password + Authenticator app MFA notifications vs Passwordless
kmaling, passwordless login (via Authenticator app) is the way to go; passwords are the weak point of login.
Passwordless as a solution was designed as a way to be rid of the vulnerability of passwords.
- kmaling, Oct 13, 2021 (Copper Contributor)
Totally get that, and I'm in the early stages of testing a passwordless deployment to a select group of users. With passwordless login via a FIDO2 key, I completely see the security benefits. But what I'm trying to figure out is how passwordless login via the Microsoft Authenticator app is any more secure than using a password and MFA combination via the Microsoft Authenticator app (via a login approval notification). Since both of these options use the Microsoft Authenticator app to deal with the login approval, you don't get the benefits that come with FIDO2. Thus, password + MFA or passwordless: if relying on the Microsoft Authenticator app, I can't see how passwordless is any more secure?
I think passwordless login via the Microsoft Authenticator app is a good "first step" into the passwordless world, but I just don't see how it's any more secure?
When I log into my account with a password + MFA, this is the process...
1. Enter email
2. Enter password
3. Receive sign-in approval notification in the Microsoft Authenticator app
4. I use Touch ID on my iPhone to access the Microsoft Authenticator app
5. Tap approve via the Microsoft Authenticator app notification
When I log into my account passwordless, this is the process...
1. Enter email
2. A 2-digit code is displayed on the screen where I'm trying to log in
3. I enter that 2-digit code into the Microsoft Authenticator app
4. I confirm the login via Touch ID in the Microsoft Authenticator app on my iPhone
So, while I completely understand how a password is the "weak point", with specific regard to Microsoft Authenticator being used in both scenarios (and not a FIDO2 key), how is the passwordless option more secure? What is it about the passwordless option via the Microsoft Authenticator app that makes it more secure?
- thijoubertold, Oct 14, 2021 (Iron Contributor)
I encountered several times a phishing attack where:
- The bad guy got the password of the user (through phishing)
- He tries to authenticate. MFA prompt.
- But the user who got the MFA prompt does not think and validates the notification.
And it happens a lot 😞
So in your second scenario, the additional security layer is that you ensure that the person with the telephone is the one who triggered the MFA prompt (because of the 2 digits).
- kmaling, Oct 14, 2021 (Copper Contributor)
Thanks, this is exactly what I was looking for. As I'd mentioned in the OP, I'm on board with the move to/benefits of passwordless login; I was just trying to figure out, in that specific scenario, what it was that made the passwordless method more secure, but your explanation cleared it up. Thank you.
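As an added illustration of thijoubertold's point (not code from the thread, nor Microsoft's implementation), here is a toy verifier with both approval styles: plain push approval authenticates whichever session the tap belongs to, while number matching makes the phone supply the code that only the initiating screen displayed. The `Verifier` class, its method names and `user@example.com` are constructed for the example.

```python
import secrets
from typing import Dict, Optional, Tuple


class Verifier:
    """Toy identity provider modelling the two Authenticator approval styles in
    the thread. Constructed for illustration; not Microsoft's implementation."""

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.sessions: Dict[str, dict] = {}

    def start_login(self, user: str) -> Tuple[str, str]:
        """Whoever submits the username starts a session. The 2-digit code is
        rendered on the initiator's screen, so only that party ever sees it."""
        session_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(100):02d}"
        self.sessions[session_id] = {"user": user, "code": code, "approved": False}
        return session_id, code

    def approve_from_phone(self, session_id: str,
                           entered_code: Optional[str] = None) -> bool:
        """Called when the registered phone approves the prompt.
        Push approval: the tap alone authenticates the session, whoever started it.
        Number matching: the phone must also supply the code shown on the
        initiating screen, which binds the approval to that screen."""
        session = self.sessions[session_id]
        if self.number_matching and entered_code != session["code"]:
            return False
        session["approved"] = True
        return True

    def is_authenticated(self, session_id: str) -> bool:
        return self.sessions[session_id]["approved"]


def blind_approval_succeeds(number_matching: bool) -> bool:
    """Model the scenario thijoubertold describes: a session started by someone
    other than the phone holder, and a phone holder who approves without ever
    seeing the initiating screen. Having no source for the code, the phone
    holder's entry is modelled as a value guaranteed not to match."""
    idp = Verifier(number_matching)
    session_id, code_on_screen = idp.start_login("user@example.com")
    unseen = f"{(int(code_on_screen) + 1) % 100:02d}" if number_matching else None
    idp.approve_from_phone(session_id, unseen)
    return idp.is_authenticated(session_id)
```

The check binds the approval only to the screen that displayed the code, so it adds nothing when the user is handed the code by whoever started the session; that is the gap the FIDO2 origin binding kmaling mentions closes.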
- BilalelHadd, Oct 14, 2021 (Iron Contributor)
Regarding your statement about using a username and password:
The reason why this isn't preferred is that passwords are being leaked and can be brute-forced.
The main concern is: use two-factor authentication with two factors configured. The most secure design is to use as a factor something you know and something you have. So in the case of a Windows Hello for Business scenario, you could think of a PIN code and a FIDO2 security key. Or go even further: use the camera as the first factor, and FIDO2 as a second factor.
Apart from the scenario you mention above (because more designs and configurations are possible), I don't say that the above is insecure. But I'm trying to explain why you should choose passwordless over username + password with MFA.