User Profile
kmaling
Copper Contributor
Joined 5 years ago
Recent Discussions
Password + Authenticator app MFA notifications vs Passwordless
When relying on the MS Authenticator app (without access to a FIDO2 key) as part of the authentication process, is there any security-based benefit in going from logging in via a password + MFA (via Authenticator app notifications) to passwordless login (via Authenticator app)? Or, because both options rely on the Authenticator app (not FIDO2), are they equally secure, with passwordless login being more convenient for the end user?
Solved
Re: Password + Authenticator app MFA notifications vs Passwordless
Thanks, this is exactly what I was looking for. As I'd mentioned in the OP, I'm on board with the move to/benefits of passwordless login, I was just trying to figure out, in that specific scenario, what it was that made the passwordless method more secure; but your explanation cleared it up. Thank you.
6K Views, 0 likes, 0 Comments
Re: Password + Authenticator app MFA notifications vs Passwordless
SafeAsHouses Totally get that, and I'm in the early stages of testing a passwordless deployment to a select group of users. With passwordless login via a FIDO2 key, I completely see the security benefits. But what I'm trying to figure out is how passwordless login via the Microsoft Authenticator app is any more secure than using a password and MFA combination via the Microsoft Authenticator app (via a login approval notification).

Since both of these options use the Microsoft Authenticator app to deal with the login approval, you don't get the benefits that come with FIDO2. Thus, password + MFA or passwordless...if relying on the Microsoft Authenticator app, I can't see how passwordless is any more secure? I think passwordless login via the Microsoft Authenticator app is a good "first step" into the passwordless world, but I just don't see how it's any more secure?

When I log into my account with a password + MFA, this is the process...
1. Enter email
2. Enter password
3. Receive sign-in approval notification in the Microsoft Authenticator app
4. I use Touch ID on my iPhone to access the Microsoft Authenticator app
5. Tap approve via the Microsoft Authenticator app notification

When I log into my account passwordless, this is the process...
1. Enter email
2. A 2-digit code is displayed on the screen where I'm trying to log in
3. I enter that 2-digit code into the Microsoft Authenticator app
4. I confirm the login via Touch ID via the Microsoft Authenticator app on my iPhone

So, while I completely understand how a password is the "weak point", with specific regards to Microsoft Authenticator being used in both scenarios (and not a FIDO2 key), how is the passwordless option more secure? What is it about the passwordless option via the Microsoft Authenticator app that makes it more secure?
6.1K Views, 0 likes, 3 Comments