Pro User
Timespan
explore our new search
​
Microsoft Introduces Phishing-Proof Passkeys - Quick Demo
Security
Nov 21, 2023 5:00 PM

Microsoft Introduces Phishing-Proof Passkeys - Quick Demo

by HubSite 365 about Merill Fernando

Product Manager @ Microsoft 👉 Sign up to Entra.News my weekly newsletter on all things Microsoft Entra | Creator of cmd.ms & idPowerToys.com

AdministratorM365 AdminSecurityLearning Selection

Explore Passkeys with Microsoft Authenticator: Secure and Simplify Sign-Ins Across Devices!

Microsoft has updated its Authenticator app to provide phishing-resistant passkeys for secure sign-ins to any Microsoft Entra account. This passwordless method ties a user credential to a device, relying on either a personal identification number (PIN) or biometric input like a fingerprint or facial recognition, akin to the technology used in Windows Hello for Business. The Authenticator's key-based authentication is cross-platform, working on mobile devices and with any app or website compatible with Microsoft Authentication Libraries.

Users who have activated phone sign-in on the Microsoft Authenticator app will receive a prompt to approve a sign-in by tapping a number within the app, eliminating the need for usernames or passwords. To access, one must enter the number shown on the login screen into their app, choose 'Approve', and supply their PIN or biometric information. This system provides enhanced security, reducing reliance on easily compromised password systems.

 

Microsoft Authenticator now supports multiple accounts on iOS devices, enabling passwordless sign-in for consultants, students, and others with several Microsoft Entra IDs. By shedding the restriction that previously associated sign-in capability with a single user per device, admins can more freely promote passwordless sign-ins as the primary authentication method. However, guest accounts are not yet permissible for multi-account sign-in from a single device.

There are some prerequisites for setting up passwordless phone sign-in with Microsoft Authenticator:

  • Advised usage of Microsoft Entra multifactor authentication.
  • Enable push notifications for verifications.
  • Install the latest Microsoft Authenticator version on an iOS or Android device.

Android devices should be registered to an individual user for the Authenticator to work, with efforts to support multiple accounts actively ongoing. iOS devices must be registered with each tenant to allow sign-in for different accounts.

To adopt passwordless authentication, admins must first enable a 'combined registration experience' and then set up users for the passwordless method. Microsoft's Entra ID lets admins determine the authentication methods during sign-in, allowing users to register for their preferred authentication method, including Microsoft Authenticator, for a passwordless experience.

Enabling passwordless phone sign-in in the Microsoft Entra admin center is straightforward:

  • Sign in as an Authentication Policy Administrator.
  • Navigate to Protection > Authentication methods > Policies.
  • Select options under Microsoft Authenticator, and save the new policy.

Users can register for passwordless sign-in directly via the Authenticator app or by using the temporary access pass guided registration with 'My Sign-ins'. Afterward, they can finalize the passwordless phone sign-in setup within the app.

Once an admin enables a user's tenant for passwordless sign-in and a user adds Microsoft Authenticator as a method, they can approve sign-in requests on their mobile devices without using passwords. Although the first-time setup requires a few additional steps, subsequent sign-ins become more streamlined, enhancing user experience and maintaining rigorous security measures.

Enhancing Digital Security with Microsoft Authenticator

Passwordless authentication is an essential evolution in digital security, aiming to mitigate the vulnerabilities associated with traditional password systems. Microsoft Authenticator's advancements represent a significant movement toward more secure, phishing-resistant access. By leveraging biometrics and device-based passkeys, users can experience not only more secure sign-in processes but also greater convenience. As cybersecurity threats continue to evolve, embracing these forward-thinking authentication methods is becoming increasingly critical for protecting user data and ensuring secure access to digital resources.

Understanding Passkey

Passkey is a technology used for online security and authentication. It's part of a broader move towards more secure and user-friendly methods of accessing online services, reducing reliance on traditional passwords. A passkey typically involves a unique digital key stored on your device. It works in conjunction with biometric data like a fingerprint or facial recognition, or a PIN, to authenticate your identity. This method is considered more secure than traditional passwords, which can be easily compromised or forgotten. Microsoft and other tech companies are increasingly adopting passkey technology in their products and services for enhanced security.

Microsoft Authenticator App Explained

Microsoft Authenticator is a mobile app developed by Microsoft to enhance account security. It offers two-factor authentication (2FA) for Microsoft and other accounts. The app generates time-based, one-time passcodes (TOTP) or sends a push notification for approval as a second factor of authentication, adding an extra layer of security beyond just a password. It can also store and autofill passwords for various sites and apps, and supports biometric authentication like fingerprint or facial recognition for easy and secure access. Microsoft Authenticator is widely used for both personal and business accounts to safeguard against unauthorized access.

Security - Microsoft Introduces Phishing-Proof Passkeys - Quick Demo

 

Overview of Passkeys in Microsoft Authenticator

Microsoft Authenticator can be used for password-free sign-in to any Microsoft Entra account. It employs key-based authentication, linking a user credential to a device that uses a PIN or biometric for verification. This method is akin to the technology used in Windows Hello for Business.

The technology is versatile, compatible with various device platforms, including mobile. It also integrates seamlessly with any app or website using Microsoft Authentication Libraries. This introduces a streamlined sign-in experience across different platforms and services.

How to sign in with Microsoft Authenticator?

Users with phone sign-in enabled in Microsoft Authenticator receive a prompt to approve their sign-in by tapping a number in the app. This process eliminates the need for usernames and passwords. To complete the sign-in, users enter the displayed number, approve the request, and then provide their PIN or biometric authentication.

How is Passwordless Sign-In work on iOS

Microsoft Authenticator supports passwordless phone sign-in for multiple accounts on iOS devices. This feature benefits users like consultants and students who manage multiple Microsoft Entra ID accounts. It allows for multiple account management from a single iOS device, enhancing convenience and security.

Administrators can now encourage users with multiple accounts to adopt passwordless sign-in more confidently. This method does not limit users to a single account per device, making it more practical for diverse user needs. The Microsoft Entra accounts can belong to the same or different tenants, but guest accounts are not supported for this feature.

Prerequisites for Passwordless Sign-In

To utilize passwordless phone sign-in with Microsoft Authenticator, several prerequisites are necessary. These include enabling Microsoft Entra multifactor authentication with push notifications and installing the latest version of Microsoft Authenticator on iOS or Android devices. For Android, individual user registration is required, and for iOS, device registration with each tenant is necessary.

Enabling Passwordless Phone Sign-In

To activate passwordless phone sign-in, administrators must sign in to the Microsoft Entra admin center and navigate to the Authentication methods section. Here, they can enable the feature for all or selected users and choose between passwordless and push notification modes. Users can then register for the chosen authentication method.

User Registration Process

Users can register for passwordless phone sign-in directly within the Microsoft Authenticator app. This process includes acquiring a Temporary Access Pass, installing the app, and following the in-app instructions for setup. Additionally, users can register via the 'My Sign-ins' portal using combined registration if the authentication mode is set to Any or Push.

Final Steps for Passwordless Sign-In

After registering the Microsoft Authenticator app, users must enable phone sign-in in the app and follow the provided instructions. Once these steps are completed, users can sign in using their phones without needing a password. This method enhances security and simplifies the user experience.

Summary

Microsoft Authenticator introduces a passwordless sign-in method for Microsoft Entra accounts, using device-linked user credentials. Compatible with multiple platforms and services, it streamlines the authentication process. The app supports multiple accounts on iOS and requires specific prerequisites and user registration steps. Once set up, it offers a secure and convenient way to access accounts without passwords.