Blog | 05 May 2022
Securing your path to passwordless authentication: A quick guide to modern sign-on methods
Solution Architect & Technology Evangelist
Passwords are no longer the gold standard for security. Here’s what you need to know about passwordless login and authentication – and how you can use it to strengthen your organisation’s security posture.
It’s a running joke in movies that the protagonist needs to break into a highly secure system to get hold of sensitive information crucial to the plot.
Having exhausted thousands of character combinations, the password is inevitably revealed to be something astonishingly simple, such as ‘name1234’, their date of birth, or even just ‘Password’ (which still sits at number four in the top ten most used passwords of 2022, according to SplashData).
Passwords represent a very real security issue. They’re the focus of most brute force attacks, social engineering, and phishing scams, and – because of their human component – they’re also the easiest and least secure element in any security system.
People tend to use passwords that are easy to remember, and they tend to use the same password over multiple platforms. Not only does this mean that your security is easily compromised, but it can mean that security is compromised wherever that password is used.
Passwords have never been ideal, and Microsoft has invested heavily in making passwordless a reality, reconfiguring Azure AD to offer passwordless login for its users from day one.
In this blog, we’re going to explore passwordless login and authentication; what it is, how secure it is, and how implementing it can improve your security posture and user experience.
What is Microsoft passwordless authentication?
As the name suggests, Microsoft passwordless authentication is a way of verifying a digital identity without the use of traditional passwords. We’ll go over the most common methods that you’ll come across in a bit more detail and look at Microsoft’s offerings in these fields.
Biometric data is unique and can be used to verify your digital identity. The most common of these include facial recognition and fingerprint scanning, though retinal scanning is also used to verify digital identity in cases where extra security is needed.
Signing on with biometric data is very secure, as this data is unique to you and cannot be replicated or brute-forced – though databases where this information is stored can be hacked. But no one else in the world possesses your face, fingerprints, or retinas.
The key Microsoft passwordless tech in the field of biometric sign-ins is Windows Hello/Hello for Business, Microsoft’s security offering for fingerprint and facial recognition sign-in, and is available as standard for users of Windows 10 and up.
PIN entry is another alternative to a password, and contrary to popular belief is often more secure than a password. This is because passwords are stored on a server, whereas PIN numbers are local to the devices they are used on.
Simply put, knowing someone’s PIN number won’t give them remote access to someone’s digital identity. A PIN number is only useful to the person who has direct physical possession of a device.
Furthermore, extra security can be built into a PIN number, such as freezing you out of a device after a set number of failed attempts. Passwords by their very nature are built with some leniency in mind towards forgetting or resetting them.
Combining PIN entry with another form of login can make this even more secure, such as security keys (more on that later).
Users with Windows 10 and 11 can use Windows Hello to configure their devices to allow for passwordless login using PIN entry from their security settings.
There are, broadly speaking, two types of security keys.
Firstly, there are USB keys that you physically plug into your device to verify digital identity, or NFC keys that you would tap against an NFC reader – much like you’d tap your phone against a card reader to pay for your lunch, or tap in and out of various public transport systems.
Security keys offer an incredibly high level of security, as they’re used in conjunction with a PIN or fingerprint. Even if you were to misplace it or have your key stolen, without either the PIN or corresponding fingerprint data, the key is useless.
There are plenty of Microsoft compatible security keys, such as the YubiKeys provided by Yubico (who work in close conjunction with Microsoft), which include additional two-factor authentication (2FA) like a PIN or biometric data.
Magic links allow users to verify their digital identity and login to their account by clicking a link sent to them via email.
It’s very safe, as the link is randomly generated during each login and is often used as a part of a two factor (2FA) or multifactor authentication (MFA) strategy.
Magic logins work using three easy to follow steps.
- The user requests access by entering their email address at the sign-in screen.
- If it’s a registered email address, the user receives an email containing a magic link.
- The user clicks on the magic link in the email and completes the login process.
Alternatively, users can be sent a live link when they register, which is subsequently used for authentication.
This process is fairly similar to how someone would reset a password, where a user receives a secret link via email that allows them to bypass their password and create a new one.
Using Azure AD B2C, it’s possible to set up or configure your accounts to use magic links to verify digital identity for your customer base.
An authenticator app lets you add two-factor authentication (2FA) to accounts you need to protect.
They’re incredibly secure because they are constantly generating new, temporary access codes. Even if a hacker obtains your password, it’s useless without the passcodes generated by 2FA.
These passcodes are continually changing, making it nearly impossible for a hacker to crack the code before a new code is created.
Certain authenticator apps also allow you to use them in conjunction with biometric data such as a fingerprint. They can also enable ‘Push’ notifications, where a notification is sent to an associated mobile device asking you to validate a login by clicking on a notification on your screen.
The Microsoft Authenticator app can use push notifications in conjunction with a phone’s fingerprint scanner or facial recognition to facilitate biometric authentication.
With an account protected by an authenticator app and 2FA, if someone wanted to access your protected account, they’d need both your password, access to your phone in a very short time frame, and/or your biometric data, making the whole process very secure and user friendly.
What are the benefits of passwordless authentication?
Passwordless authentication has many things going for it, but let’s concentrate on a few key areas that demonstrate the strength and utility that going passwordless can have for your organisation.
Firstly, passwordless authentication provides a better user experience; It’s much faster, and you don’t have to remember (or risk forgetting) a password. In one or two simple steps, you have access to your digital identity.
Compare this to password-based authentication. A study commissioned by NordPass found that between 2019 and 2020, the average user has to keep track of 100 passwords – an increase of around 25% on their previous study.
This is obviously a lot to remember, and quite frankly, people don’t. They remember a handful of passwords over several accounts. And if those passwords are forgotten, you have to go through the tedious process of resetting them.
Speaking of resetting passwords, this isn’t just a tedious process for you, but also for your service/IT support desk. According to the Gartner Group, it’s estimated that 20-50% of all IT helpdesk tickets are password queries and resets.
When you then also consider that the average cost of password reset per employee is $70 (according to the 2018 Forrester report) you can see why passwordless authentication is a much more attractive proposition from both a support desk and business interest perspective.
Lastly, and most importantly, moving to passwordless authentication gives your organisation a stronger security posture; 85% of hacking breaches are from brute force or phishing attacks.
Removing one of your organisation’s single biggest vulnerabilities is a no-brainer.
Is Microsoft passwordless safe?
In a word, yes.
Passwordless authentication is much more secure than traditional password-based methods of securing your accounts and verifying your digital identity. Passwords can be stolen, hacked, and more commonly, they are the focus of phishing attacks.
Passwordless logins don’t suffer from these problems. They are extremely difficult to hack, and when combined with 2FA, extremely difficult becomes almost impossible.
You may be able to hack a database where biometric data is stored, but if, for example, biometrics are combined with a physical security key, whilst not ideal, this hack matters far less. A fingerprint becomes useless if you also have to combine it with a physical security key that you don’t have.
With offerings across the entire suite of passwordless login methods like Windows Hello, Microsoft Authenticator, and Microsoft compatible YubiKeys, it’s clear that Microsoft is an industry leader in the field of passwordless authentication.
How to get started with Microsoft passwordless login
One of the first things you’ll need to check before going passwordless on your Microsoft accounts is whether or not you have a compatible version of Windows. Users with Windows 10 and above have access to Microsoft’s passwordless login system, so it’s recommended that you have the latest versions of compatible software on all your devices.
Microsoft “Live” accounts (known as Microsoft Accounts) fully support passwordless, but corporate (Azure AD) accounts provisioned before August 15th 2020 may not have passwordless enabled – so check with your administrator.
Corporate devices can be automatically configured to use passwordless authentication without having to go back to the IT department for any updates – the configuration can be pushed using the internal configuration management software.
Configuring Azure AD for passwordless login
To configure your Azure AD for passwordless, you’ll need to enable ‘combined registration’.
You can enable combined registration by logging into Azure AD using a global administrator account. This is typically the person who signs up for Azure AD in your organisation, but there can be up to five global admin accounts (it isn’t recommended to have any more than that).
- Firstly, you’ll need to log in to Azure AD, which you can do here.
- Next, click on ‘Azure Active Directory’ under ‘Favourites’ on the left of the portal window.
- In the Azure AD pane, you’ll need to scroll down the list of options on the left, and click ‘Security’ under Manage.
- Once you’re in the Security pane, you’ll need to click ‘Authentication methods’ below ‘Manage’ in the list of options on the left.
- At the top of the ‘Authentication methods’ pane, click on ‘Click here to enable users for the combined security info registration experience’.
- Finally, in the ‘User feature previews’ pane, set ‘Users can use the combined security information registration experience’ to ‘All’, and then click ‘Save’.
Downloading the Microsoft Authenticator App
Next, you’ll want to download the Microsoft Authenticator app.
- You can find it in Apple’s App Store, Google’s Play Store, or by downloading it directly from Microsoft.
- Once downloaded, follow the prompts and set up your account.
- Once you’re set up, sign in to your ‘Microsoft Account Additional security options’.
- Under ‘Password-free account’, select ‘Turn on’ and follow the prompts to verify your account.
- A request for approval will then be sent to your Microsoft Authenticator app.
- Once approved, you’re ready to set up the passwordless login methods of your choosing.
- Passwords aren’t as safe as they used to be. They’re the focus of phishing and brute force attacks and often the weakest link in the security chain.
- Passwordless login is more secure. Data can’t easily be spoofed, and physical keys are combined with 2FA, making a simple theft or loss no real problem.
- The user experience is also a better one; it’s speedier and more streamlined, with either one or two steps to authenticating your user identity.
- Passwordless login is also more cost-effective. User password resets cost an average of $70 a user and takes up precious IT/Helpdesk time that could be spent elsewhere.
- All in all, passwordless login is the future of authenticating your digital identity and securing your sensitive data. It’s faster, more streamlined, more secure, and easier to use.
- For a more detailed understanding of passwordless logins, view our on-demand webinar ‘a guide to deploying passwordless authentication’.
- Want to strengthen your organisations’ overall security posture? Get our complete guide to enterprise security.
- Thinking of using a managed security services partner for your organisation? Get our free guide to helping you choose the very best one for your needs.
Ready to ‘Become greater’?
When you sign up to our mailing list, you’ll get the best content, expert resources, and exclusive event invites sent directly to your inbox.
David Guest is Kocho’s Solution Architect & Technology Evangelist. He’s responsible for developing identity, Microsoft 365 security, and other cloud service solutions – and keeping our clients abreast of the latest technology trends.
Latest blog articles
Azure AD B2B vs B2C: What are the key differences between Microsoft’s external access products?
The definitive guide to Azure AD: Everything you need to know
Securing your path to passwordless authentication: A quick guide to modern sign-on methods
The definitive guide to Microsoft Sentinel: Everything you need to know to get started with Microsoft’s cloud SIEM
We’re here to help you on your journey towards becoming greater. Get in touch to find out how.