Having a strong defense against data threats is of the utmost importance for any organization. While it’s great to be able to invest in a dedicated security team that focuses on monitoring every data flow and possible risk, 1) this isn’t feasible for every organization and 2) the duty of protecting against data threats should not fall solely on the shoulders of a security team or IT administrators.
Currently, multi-factor authentication is one of the most popular approaches for lowering the risk of security breaches. Combining passwords with one-time passcodes (OTP), text messages, calls, or biometrics can reduce attacks by 99.9%, as claimed by Microsoft.
However, Microsoft has continued to develop methods that are more convenient for users and even better than multi-factor authentication. They believe that passwords should be a thing of the past as technology progresses. This culminated at the most recent Ignite conference, where Microsoft finally announced a new way to validate users: passwordless authentication in Azure Active Directory. In this post, let’s see how you can enable this new technology in your organization and why it’s so beneficial.
Why Go Passwordless?
Before we get into how you can start your passwordless journey, here’s a graph that illustrates Microsoft’s stance on passwordless authentication vs. passwords and two-factor authentication:
Microsoft believes that passwords are a gateway for hackers to easily penetrate your account, since they can be guessed. From the above image, we can see that while multi-factor authentication is indeed secure, it’s also quite inconvenient for users. Passwords can easily be forgotten, and scrambling to reach for one’s phone in the middle of work can be a hassle. On the other hand, passwordless authentication is both secure and convenient, not just for users but also for IT admins, as it reduces the time spent resetting lost passwords. Here are some of the benefits of passwordless authentication:
- Increased Security: The risk of phishing and other attacks is reduced by removing passwords as an entry point for hackers.
- Better user experience: A convenient way for users to access their data anywhere while still doing so in a secure manner.
- Powerful insight: Admins can gather users’ passwordless activity with robust auditing and logging capabilities.
How Can I Enable Passwordless Authentication?
There are three methods for Microsoft’s passwordless authentication. Each can cover a specific need and can also be used in tandem.
1. Windows Hello for Business
This method is best for users with dedicated Windows computers. It allows computer sign-in with biometric recognition such as face or fingerprint, or with a PIN that is never transmitted over the network. See more about this method and its prerequisites for deployment on this page.
2. Security Key Sign-in With FIDO (Fast Identity Online) Security Keys
This is best for users who sign in to a shared machine, work somewhere phones are restricted, or hold highly privileged identities. FIDO security keys are USB devices inserted into a machine for biometric or PIN authentication. Reference this documentation to learn how you can enable your security keys.
3. Microsoft Authenticator App
Unlike the first two methods, the Authenticator app gives both security and convenience without much investment in external hardware, since it can be installed on any mobile device. The app allows users to sign in to any platform by matching the number displayed on the sign-in screen with the one shown in the app, then confirming with a biometric method and/or PIN. If your organization isn’t already using the Authenticator app, learn more here.
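As an added example (not from the original post or from Microsoft's documentation), here is how the FIDO2 security key method from step 2 can be enabled for a pilot group with Microsoft Graph PowerShell, with attestation enforced so that only keys with valid FIDO attestation are accepted. It assumes the Microsoft.Graph PowerShell SDK is installed, the admin can consent to the Policy.ReadWrite.AuthenticationMethod scope, and $PilotGroupId is replaced with the object ID of an existing pilot group (placeholder below).

```powershell
# Added example: enable FIDO2 security keys in Azure AD for a pilot group.
# Assumptions: Microsoft.Graph SDK installed; admin consents to the scope below;
# $PilotGroupId is a placeholder for the object ID of your pilot group.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$PilotGroupId = "<pilot-group-object-id>"   # placeholder, replace before running

# Show the current state of the method before changing anything
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "fido2" |
    Select-Object Id, State

$fido2Config = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationAllowed = $true   # users register their own keys at My Security Info
    isAttestationEnforced            = $true   # reject keys that cannot present valid FIDO attestation
    includeTargets                   = @(
        @{
            targetType             = "group"
            id                     = $PilotGroupId   # pilot group first, not "all_users"
            isRegistrationRequired = $false
        }
    )
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "fido2" `
    -BodyParameter $fido2Config

# Confirm the change took effect
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "fido2" |
    Select-Object Id, State
```

Once the pilot group has registered keys and signed in successfully, the same call with the group ID swapped for "all_users" widens the rollout to the whole tenant.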
Undeniably, passwordless authentication is a gift in terms of convenience for users and security for organizations. However, before jumping into this new secure world, consider your business needs and carefully work out which method is best for you and for your users. Openly communicate with them, explain how this new service works, and be prepared to provide support when issues arise. Whether you’re ready now or down the line, passwordless authentication is here and is primed to elevate our authentication experience.