Passwordless Authentication and Azure AD

Usernames and passwords have been the primary authentication method since the early days of IT.  Technology has changed significantly, and the use of usernames and passwords has become problematic.  Usernames are easily guessed, and passwords are harvested with phishing attempts.  To compound the situation, users have an array of usernames and passwords to manage.  Frequently, they use the same credentials for multiple sites. Thus, putting their credentials at risk when used with less secure web sites.

Multi-factor authentication (MFA) mitigates the risk of a single factor, username, and password authentication requirements.  An authentication factor refers to something the user knows, such as a password or PIN, something they are, such as fingerprint or face scan, or something they have, such as a smart card or cell phone.  Unlike passwords, biometrics and physical devices are considered unharvestable and not susceptible to phishing attempts.

While multi-factor authentication can significantly increase security, there are some drawbacks.  Two-factor authentication can be inconvenient.   Users are required to use a low-security password along with a second, high-security factor.  The password adds minimal value to securing the users’ account.  Passwordless authentication is a secure alternative to MFA.  Passwordless authentication removes the weaker security action, the password, while leaving in place a stronger authentication method.  

Every organization has different authentication requirements driven by company or industry best practices.  In many cases, multiple factors are required for logging in.    Although passwordless authentication removes the password, multiple factors are still required to authenticate.  These include something the user has, such as a Windows 10 or 11 client device, a mobile phone, or security key and something the user is or knows, such as biometric or PIN.  Passwordless authentication provides high security and convenience to the end-users.

Azure AD integrates with three passwordless authentication options: Windows Hello for Business, Microsoft Authenticator App, and FIDO2 security keys.  The following information is an overview of each option.

Windows Hello for Business

Windows Hello for Business leverages the TPM chip available on most laptops. It is a good option for users that have a dedicated computer.  Public and private key pairs secure the log-in process.  The certificate is bound to the computer, meaning it’s unphishable and cannot be used to log in from another device.  To authenticate, the log-in process uses something the user has, the laptop with the private certificate, along with a PIN or biometrics gesture.

Microsoft Authenticator App

Many organizations already use the Microsoft Authenticator App for MFA.  The app can also be used for passwordless authentication.  The Microsoft Authenticator App leverages key-based authentication with credentials tied to the mobile device.  A user is asked to match a number on the log-in screen to multiple numbers displayed in the app at sign-in.  After that, the user is prompted for a biometric or PIN for the second factor before log-in is complete.

Security Key

There are environments where Windows Hello or the Microsoft Authenticator app is not an option.  This could include legal requirements or regulated environments where organizations can’t require employees to use personal devices for work.  Azure AD supports Fast Identity Online (FIDO2) security keys for passwordless authentication.   A security key is an inexpensive option for passwordless authentication that does not require a mobile device.  A FIDO2 key is a small USB device that also commonly supports NFC.  Azure AD compliant FIDO2 security keys require a client PIN. The security key and PIN combine for a strong, passwordless multi-factor log-in experience.

Windows Hello, Microsoft Authenticator, and FIDO2 security keys, are good options for passwordless authentication.  All three are supported with Azure AD with little administrator overhead.  They provide users a convenient way to securely log in while nearly removing the potential for leaked or phished credentials.