Passwordless Authentication – Security and convenience with Azure AD

With 4 in 10 UK businesses reporting security breaches in the last 12 months, it can be difficult to keep up with the best methods of protecting your business and its data. One of the ‘easiest’ methods of keeping attackers out is a long, complex password. Simple in theory, this is difficult in practice: users must remember a different complex password for every application, and even a strong password can still be phished, or replayed from a breach of another site. This difficulty may explain why the most common password is still ‘123456’. Multi-factor authentication has greatly improved security regardless of password strength, but it has come at a cost in convenience. For passwords it may seem that security and convenience are mutually exclusive, but with the advent of passwordless authentication both are now possible.

The term ‘passwordless authentication’ sounds like a security nightmare; however, through innovations in biometrics, identity protection and the FIDO Alliance’s open standards, it is now easier and more secure than ever. With phishing the most common attack vector in cybersecurity incidents, passwordless authentication removes the target: there is no password to phish, and with Windows Hello for Business and FIDO2 keys the credential is bound to the device and to the site that registered it, so a look-alike page cannot relay it either. The security benefits alone make this method of authentication attractive for businesses, but it is also more convenient to no longer require a password. Gone are the days of forgetting a password, writing it on a sticky note or having to change it every six weeks.

There are three methods of passwordless authentication that can be easily deployed in Azure Active Directory to suit a wide range of business requirements; a short summary of each is provided below.

Windows Hello for Business

Windows Hello for Business is an option that gives two-factor authentication from a single gesture: the first factor is a private key bound to the device (held in its TPM where one is present), and the second is a PIN or a biometric that unlocks that key. When a user reaches a login screen, they are prompted to enter their PIN, or can instead scan their fingerprint or use facial recognition to gain access. An administrator can set the PIN rules, such as minimum and maximum length and which character types are required. The biometric can be a fingerprint or facial recognition, depending on the hardware and the user’s preference. Authentication works with a public/private key pair: the private key never leaves the device, and the biometric template is stored only on the local device and is never sent to another device or server, so there is no central store of biometric data for an attacker to steal.

This method is more secure and more convenient than a traditional password: it is multi-factor by design, the device-bound key cannot be phished or replayed, and the biometric gesture only requires the user to touch a sensor or look at their camera.

Microsoft Authenticator App

The Microsoft Authenticator app is another method of passwordless authentication that uses either biometrics or a PIN, similar to Windows Hello for Business. This option requires users to have the Microsoft Authenticator app installed on their Android or iOS device with phone sign-in enabled. When the user reaches the login screen and enters their username, a push notification is sent to their phone, opening the Microsoft Authenticator app. They then confirm the number shown on the sign-in screen and unlock the request with a PIN or their phone’s native biometrics; Azure AD performs a public/private key validation against the key registered for that phone and the user is logged in. The number-matching step matters: a plain push approval can be worn down by repeated bogus prompts (‘MFA fatigue’), so users should never approve a request they did not just initiate. This method is user friendly, secure, and easy to deploy in Azure AD, as many users already have the Microsoft Authenticator app.

FIDO2 Security Keys

The FIDO (Fast IDentity Online) Alliance promotes open authentication standards and aims to reduce the use of traditional passwords as the main form of authentication. FIDO2 security keys are phishing-resistant because the credential is bound to the site that registered it: a look-alike domain cannot obtain a valid response. They come in many form factors and let the user sign in to resources without a username or password, using an external security key. This option is similar to a key for a house or car: you must physically have the security key to gain access to a system or resource. The security key is typically a USB device, but Bluetooth and NFC keys are also available. When a user reaches a login screen, they only need to select ‘Sign in with a security key’, plug in or tap their FIDO2 security key, and touch it and enter its PIN (or use its biometric) when prompted; Azure AD then performs a public/private key validation and grants access. This option is ideal for businesses that are particularly security sensitive or have employees who would rather not use biometrics or their phone for authentication.
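The ‘public/private key validation’ that all three methods above rely on is a challenge/response: Azure AD sends a random challenge, the device signs it with a private key that never leaves the TPM, phone or security key, and the service checks the signature with the public key it stored at registration. The following is an added example, not Microsoft’s code, that models that exchange in the WebAuthn/FIDO2 shape and goes a little beyond the text by also showing why a replayed response, a look-alike phishing page, and a tampered client that forces the real site name all fail. Toy textbook RSA with fixed primes stands in for the real key pair, and the hostnames are made up.

```python
"""Added example (not Microsoft's code): the challenge/response behind "public/private key
validation", in the WebAuthn/FIDO2 shape. Toy RSA stands in for the real key; hosts are made up."""
import hashlib
import json
import secrets
from urllib.parse import urlparse

_P, _Q, _E = (1 << 521) - 1, (1 << 607) - 1, 65537  # fixed Mersenne primes: toy key, NOT secure

def keygen():
    n = _P * _Q
    return (n, _E), (n, pow(_E, -1, (_P - 1) * (_Q - 1)))  # (public, private)

def sign(priv, data: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv[1], priv[0])

def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

class Authenticator:
    """TPM / phone / FIDO2 key: one key pair per relying party; the private key never leaves."""
    def __init__(self):
        self._creds = {}  # rp_id -> [cred_id, private key, signature counter]

    def make_credential(self, rp_id: str):
        pub, priv = keygen()
        cred_id = secrets.token_bytes(16)
        self._creds[rp_id] = [cred_id, priv, 0]
        return cred_id, pub  # only the public key is sent to Azure AD at registration

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        cred = self._creds.get(rp_id)
        if cred is None:
            return None  # no credential scoped to this rp_id
        cred[2] += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + cred[2].to_bytes(4, "big")
        return cred[0], auth_data, sign(cred[1], auth_data + client_data_hash)

def browser_sign_in(auth, origin: str, challenge: bytes):
    """The browser, not the web page, fixes rp_id and origin from the URL bar."""
    rp_id = urlparse(origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    assertion = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if assertion is None:
        return None
    cred_id, auth_data, sig = assertion
    return {"cred_id": cred_id, "client_data": client_data, "auth_data": auth_data, "sig": sig}

class RelyingParty:
    """The identity provider's side of the check (Azure AD's role, modelled here)."""
    def __init__(self, origin: str):
        self.origin, self.rp_id = origin, urlparse(origin).hostname
        self._creds = {}  # cred_id -> [public key, last counter seen]
        self._pending = set()  # outstanding challenges, each usable once

    def register(self, cred_id: bytes, pub):
        self._creds[cred_id] = [pub, 0]

    def begin_login(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def finish_login(self, a) -> str:
        if a is None:
            return "no credential for this site"
        cd = json.loads(a["client_data"])
        challenge = bytes.fromhex(cd["challenge"])
        if challenge not in self._pending:
            return "unknown or reused challenge"  # replay protection
        self._pending.discard(challenge)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return "origin mismatch"  # the response was produced on another site
        rec = self._creds[a["cred_id"]]
        if not verify(rec[0], a["auth_data"] + hashlib.sha256(a["client_data"]).digest(), a["sig"]):
            return "bad signature"
        counter = int.from_bytes(a["auth_data"][32:], "big")
        if counter <= rec[1]:
            return "counter did not advance"  # possible cloned authenticator
        rec[1] = counter
        return "ok"

def demo() -> dict:
    key, rp = Authenticator(), RelyingParty("https://login.example.com")
    rp.register(*key.make_credential(rp.rp_id))
    a = browser_sign_in(key, rp.origin, rp.begin_login())
    results = {"genuine": rp.finish_login(a), "replay": rp.finish_login(a)}
    evil = "https://login.example.com.evil.test"  # look-alike page relaying a real challenge
    results["phish"] = rp.finish_login(browser_sign_in(key, evil, rp.begin_login()))
    # A tampered client can force the real rp_id, but it still signs over the phishing origin.
    cd = json.dumps({"type": "webauthn.get", "challenge": rp.begin_login().hex(),
                     "origin": evil}, sort_keys=True).encode()
    cred_id, auth_data, sig = key.get_assertion(rp.rp_id, hashlib.sha256(cd).digest())
    results["forced"] = rp.finish_login({"cred_id": cred_id, "client_data": cd,
                                         "auth_data": auth_data, "sig": sig})
    return results
```

Running `demo()` returns `ok` for the genuine sign-in and a distinct rejection for each attack: the replayed response fails because the challenge was consumed, the phishing page gets no response at all because the browser scopes the credential to the real hostname, and even a client that forces the real rp_id is rejected because the signed client data names the phishing origin. The signature counter is the extra check a practitioner wants against a cloned authenticator; the toy RSA is there only to make the block self-contained and must not be reused for anything real.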

The advent of passwordless authentication streamlines the user experience whilst greatly increasing security. With multiple options for simple integration with Azure AD, forgotten passwords and phishing attacks can become a thing of the past. If you want to find out which passwordless authentication solution is best for you, get in touch today.