
What is Passwordless Authentication?
Passwordless authentication is a method whereby users access an app, device, or IT system without entering a password or answering security questions. It is the most effective way to reduce risky password management practices and prevent credential-theft attacks. Instead of entering a password, users present some other proof of identity, such as a fingerprint, a face scan, or a code from a hardware token.
What authentication and verification methods are available in Azure Active Directory?
Windows Hello for Business
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or a PIN.
Microsoft Authenticator App
The Microsoft Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account and is available for Android and iOS. With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or use it as an additional verification option during self-service password reset (SSPR) or multifactor authentication events.
FIDO2 Security Key
The FIDO (Fast IDentity Online) Alliance helps to promote open authentication standards and reduce the use of passwords as a form of authentication. FIDO2 is the latest standard that incorporates the web authentication (WebAuthn) standard.
Certificate-based Authentication
Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in. This feature enables customers to adopt phishing-resistant authentication and to authenticate with an X.509 certificate issued by their enterprise Public Key Infrastructure (PKI).
OATH Hardware Tokens (preview)
Azure AD supports the use of OATH-TOTP SHA-1 tokens that refresh codes every 30 or 60 seconds. Customers can purchase these tokens from the vendor of their choice.
Software OATH tokens are typically applications such as the Microsoft Authenticator app and other authenticator apps. Azure AD generates the secret key, or seed, that is entered into the app and used to generate each OTP.
SMS and Phone Call Verification
To simplify and secure sign-in to applications and services, Azure Active Directory (Azure AD) provides multiple authentication options. SMS-based authentication lets users sign in without providing, or even knowing, their username and password. For Azure AD Multi-Factor Authentication or SSPR, users can choose to receive a text message with a verification code to enter in the sign-in interface, or to receive a phone call.
Users can also verify themselves using a mobile phone or office phone as a secondary form of authentication during Azure AD Multi-Factor Authentication or SSPR.
License required
Azure AD Premium P1
Final Thoughts
Passwordless authentication will continue to be a top priority for businesses looking for ways to protect their data. While its benefits are significant, it is essential to deploy it within a zero-trust model, alongside sound IAM practices, robust security controls, and mobile threat defense. Doing so makes passwordless authentication smoother to use and a much more secure option.