Explore passwordless authentication options


Features like multifactor authentication (MFA) are a great way to secure your organization, but users often get frustrated with the extra security layer on top of having to remember their passwords. Passwordless authentication methods are more convenient because the password is removed and replaced with something you have (a registered device or security key) combined with something you are (a biometric) or something you know (a PIN that unlocks that device). In every method below, the secret that proves the user's identity is a private key that never leaves the device, so there is no shared secret to phish, guess, or harvest from a server breach.

Diagram showing the relationship between high and low security and convenient and inconvenient security methods.

Each organization has different needs when it comes to authentication. Microsoft Azure and Azure Government offer the following passwordless authentication options that integrate with Microsoft Entra ID:

  • Windows Hello for Business
  • Platform Credential for macOS
  • Platform single sign-on (PSSO) for macOS with smart card authentication
  • Microsoft Authenticator
  • Passkeys (FIDO2)
  • Certificate-based authentication

These passwordless authentication options are examined in the following sections.

Additional reading. For more information on these passwordless authentication methods, see Passwordless authentication options for Microsoft Entra ID.

Windows Hello for Business

Windows Hello for Business is ideal for information workers who have their own designated Windows PC. It replaces passwords with strong two-factor authentication on the device: a user credential (an asymmetric key pair) that is tied to the device and unlocked with a PIN or biometric recognition. It's designed for PCs with a built-in Trusted Platform Module (TPM), which generates and protects the private key so that it can't be exported. The PIN or biometric never leaves the PC and only unlocks the key on that PC, so a PIN observed by an attacker is useless without the device itself. With public key infrastructure (PKI) integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a convenient method for seamlessly accessing corporate resources on-premises and in the cloud. It's applicable for dedicated work PCs with the ability for single sign-on to devices and applications.

You might wonder how a PIN can help protect a device better than a password. Passwords are shared secrets. A user enters them on a device and transmits them over the network to the server. Anyone, anywhere, can use an intercepted account name and password. Because organizations store usernames and passwords on a server, a server breach can reveal those stored credentials. A Windows Hello PIN, by contrast, is local to the device: it's never sent over the network and only unlocks the private key stored on that PC, so it can't be intercepted in transit or harvested from a server.

Windows Hello for Business enables users to sign in to their devices and applications using either their face, fingerprint, or PIN. The sign-in method they use depends on the capabilities of the device and the authentication method configured by the organization. Windows Hello for Business stores the biometric data securely on the device itself, and other applications or the network can't access it.

Windows Hello for Business can also integrate with on-premises Active Directory and Microsoft Entra ID to provide a single sign-on experience across multiple devices and applications. This design allows users to access their resources securely and conveniently, without the need to remember multiple usernames and passwords.

Windows Hello for Business itself satisfies multifactor authentication (MFA): the device-bound key is something you have, and the gesture is something you know (PIN) or something you are (biometric). For sensitive resources it can also be combined with extra verification, such as a smart card or a phone-based authentication method. MFA helps to protect against identity theft and other security threats. In summary, Windows Hello for Business meets enterprise-level security and compliance requirements while also providing an easy-to-use and user-friendly experience.

Windows Hello for Business addresses the following problems with passwords:

  • Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
  • Server breaches can expose symmetric network credentials (passwords).
  • Passwords are subject to replay attacks. A replay attack occurs when an attacker captures the messages exchanged between two parties (for example, a password sent to a server) and later resends them. Unless mitigated, the receiving system processes the replayed messages as legitimate, for example by authenticating the attacker or repeating a transaction.
  • Users can inadvertently expose their passwords due to phishing attacks.

Windows Hello for Business lets users authenticate to:

  • A Microsoft account.
  • An on-premises Active Directory account.
  • A Microsoft Entra account.
  • Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0 authentication.

When a user completes an initial two-step verification during enrollment on their device, Windows Hello for Business is set up. At that point, Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello for Business to authenticate users.

As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10 and 11 devices that connect to your organization.

Platform Credential for macOS

Platform Credential for macOS is a new capability on macOS that is enabled using the Microsoft Enterprise single sign-on Extension (SSOe). It provisions a Secure Enclave backed, hardware-bound cryptographic key that is used for SSO across apps that use Microsoft Entra ID for authentication. The user's local account password isn't affected and is still required to sign in to the Mac.

Platform Credential for macOS allows users to go passwordless by configuring Touch ID to unlock the device. It then uses phishing-resistant credentials that are based on Windows Hello for Business technology. This design saves customer organizations money by removing the need for security keys. It also advances Zero Trust objectives through integration with the Secure Enclave.

Screenshot showing the Platform sign-in screen when using Platform Credential for macOS.

Platform Credential for macOS can also be used as a phishing-resistant credential for WebAuthn challenges (including browser reauthentication scenarios). Administrators must enable the FIDO2 security key authentication method for this capability. If you use Key Restriction Policies in your FIDO policy, then you must add the AAGUID for the macOS Platform Credential to your list of allowed AAGUIDs: 7FD635B3-2EF9-4542-8D9D-164F2C771EFC.

Platform single sign-on for macOS with SmartCard

Platform single sign-on (PSSO) for macOS allows users to go passwordless using the SmartCard authentication method. The user signs in to the machine using an external smart card, or a smart card-compatible hardware token (for example, a YubiKey). Once the device is unlocked, the smart card is used with Microsoft Entra ID to grant SSO across apps that use Microsoft Entra ID for authentication, using certificate-based authentication (CBA). CBA must be configured and enabled for users for this feature to work. For configuring CBA, refer to How to configure Microsoft Entra certificate-based authentication.

To enable PSSO, an administrator needs to configure PSSO through Microsoft Intune or other supported MDM.

Microsoft Authenticator

The Microsoft Authenticator app is a mobile application developed by Microsoft to enhance the security of user accounts. It implements two-factor authentication, which adds a layer of protection against unauthorized access. The Authenticator app not only offers a convenient multifactor authentication method alongside traditional passwords, but it also lets your employees use their phones as a passwordless authentication method. If you're already using Microsoft Authenticator for multifactor authentication, it can also serve as a passwordless option, streamlining the sign-in process while maintaining high security standards.

The Authenticator app turns any iOS or Android phone into a strong, passwordless credential. Users can sign in to any platform or browser by getting a notification to their phone, matching a number displayed on the screen to the one on their phone. Then they can use their biometric (touch or face) or PIN to confirm. Refer to Download and install the Microsoft Authenticator for installation details.

Passwordless phone sign-in with the Authenticator app follows the same basic pattern as Windows Hello for Business: a key pair bound to the phone, unlocked by the user's PIN or biometric. It's a little more complicated because the user must first be identified (by entering a username) so that Microsoft Entra ID can locate the registered Authenticator app and send it the request. When used as a second factor alongside a password, Microsoft Authenticator instead works by generating a time-based one-time password (TOTP) or by receiving a push notification that requires user approval.

  • Time-based one-time password. TOTP is a type of two-factor authentication that involves generating a unique, time-limited password. When a user enters the TOTP code as the second factor in the authentication process, Microsoft Entra multifactor authentication uses the TOTP to verify the user's identity. Mobile apps like Microsoft Authenticator, Google Authenticator, and Authy commonly use TOTP. The TOTP algorithm combines a shared secret key with the current time to generate a unique password for each time step, typically 30 seconds. When the step ends, Microsoft Authenticator replaces the code with a new one. The user must enter the TOTP code along with their username and password to complete the two-factor authentication process.
  • Push notification. A push notification is a message or alert that an app, such as Microsoft Authenticator, or a website sends to a user's mobile device, computer, or other device. It "pushes" the notification to the device, rather than requiring the user to check the app or website for updates. Microsoft Authenticator sends a push notification to the user's mobile device when the user signs in to a service that requires MFA, such as Microsoft 365 or Microsoft Entra ID. The user's device prompts them to approve or deny the authentication request within the notification. If the user approves the request, Microsoft Authenticator sends a cryptographic verification message to the Microsoft cloud service that is processing the authentication request. The verification message includes a cryptographic signature that is unique to the user's device and to that specific authentication request. The cloud service validates the signature to ensure the user approved the authentication request and then grants access to the requested resource. Because anyone who knows a username can trigger such a prompt, Microsoft Authenticator requires number matching: the user must enter the number shown on the sign-in screen before approving, so a prompt the user didn't initiate can't be approved with a reflexive tap (the "MFA fatigue" attack). By using push notifications as the second factor in MFA, Microsoft Authenticator provides a secure and convenient way for users to complete the authentication process, without having to manually enter a TOTP or token. This feature can help to improve the user experience and encourage more users to adopt MFA for their accounts.
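The following is an added example, not code from this page or from Microsoft, showing the TOTP mechanics just described: the RFC 4226/6238 derivation (HMAC-SHA1 over the time counter, dynamic truncation, six digits), a server-side verifier that tolerates one step of clock skew, and the replay check that is easy to forget: a code stays valid for its whole 30-second step, so the verifier must also refuse a counter it has already accepted. The user name is constructed; the enrolled secret is the RFC 6238 test-vector key so the codes can be checked against the RFC's tables.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
)

// RFC 6238 defaults: HMAC-SHA1, 30-second time step, 6 digits.
const (
	timeStep = 30
	modulus  = 1_000_000 // 10^digits
)

// hotp computes the RFC 4226 one-time password for one counter value.
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	mac.Write(ctr[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte picks a 4-byte window,
	// whose top bit is cleared so the result is a positive 31-bit integer.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%modulus)
}

// totp maps Unix time to a counter (one per 30-second step) and calls hotp.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/timeStep))
}

// Verifier is the server side. It remembers the highest counter accepted for
// each user so a code an attacker captured cannot be replayed, even inside the
// step during which it would otherwise still be valid.
type Verifier struct {
	mu       sync.Mutex
	secrets  map[string][]byte
	lastUsed map[string]uint64
}

func NewVerifier() *Verifier {
	return &Verifier{secrets: map[string][]byte{}, lastUsed: map[string]uint64{}}
}

// Enroll stores the shared secret that was provisioned to the user's app.
func (v *Verifier) Enroll(user string, secret []byte) {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.secrets[user] = secret
}

// Verify accepts the code for the current step or one step either side
// (clock skew) and refuses any counter that has already been consumed.
func (v *Verifier) Verify(user, code string, unixTime int64) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	secret, ok := v.secrets[user]
	if !ok {
		return false
	}
	now := unixTime / timeStep
	for _, delta := range []int64{0, -1, 1} {
		counter := uint64(now + delta)
		if last, seen := v.lastUsed[user]; seen && counter <= last {
			continue // already used, or older than one already accepted
		}
		// Constant-time compare so timing does not leak the expected code.
		if hmac.Equal([]byte(hotp(secret, counter)), []byte(code)) {
			v.lastUsed[user] = counter
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // constructed: the RFC 6238 test-vector secret
	v := NewVerifier()
	v.Enroll("alice@contoso.com", secret)
	t := int64(1234567890)
	code := totp(secret, t)
	fmt.Println("code:", code, "accepted:", v.Verify("alice@contoso.com", code, t))
	fmt.Println("same code 5 s later (replay):", v.Verify("alice@contoso.com", code, t+5))
}
```

The replay check matters because a TOTP code is a bearer value for its whole step: a real-time phishing proxy that captures the code can use it immediately, and without the counter record the server would accept it a second time.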

The service provider typically determines whether to use TOTP or push notifications, although the user might also have some control over the settings. In general, push notifications are the preferred authentication method when using Microsoft Authenticator because they provide a more secure and user-friendly authentication experience. Push notifications are faster and easier to use than TOTP codes, which require the user to manually enter a code from the Authenticator app. Additionally, a push approval is a signed response bound to one specific request, so a captured approval can't be replayed, and number matching prevents approval of prompts the user didn't initiate. Neither push approval nor TOTP is phishing-resistant on its own, though: a real-time adversary-in-the-middle proxy can relay the genuine sign-in page to the user, let them complete the prompt, and capture the resulting session. For phishing-resistant authentication, use Windows Hello for Business, passkeys (FIDO2), or certificate-based authentication.

When analyzing push notifications and TOTP, it's important to note that:

  • Some services don't support push notifications as an authentication method.
  • Users can configure their account to use TOTP codes as the preferred method.

In these cases, Microsoft Authenticator generates a TOTP code when the user attempts to sign in to the service. The Microsoft Authenticator app displays the TOTP code, which the user must manually enter to complete the authentication process.

The Microsoft Authenticator app is available for free on both iOS and Android devices. Users can use it to sign in to any Microsoft Entra account without using a password. Microsoft Authenticator uses key-based authentication to enable a user credential that is tied to a device, where the device uses a PIN or biometric to unlock that credential.

Organizations can use this authentication technology on any device platform, including mobile. They can also use this technology with any app or website that integrates with Microsoft Authentication Libraries.

Using Microsoft Authenticator for multifactor authentication (MFA) offers several benefits, including:

  • Security. The app provides an extra layer of security beyond a username and password. It uses a push notification or one-time code to verify the user's identity, making it more difficult for unauthorized users to access the account.
  • Convenience. Microsoft Authenticator allows for quick and easy authentication without the need to enter a code manually. You can also use the app offline or in areas with limited connectivity.
  • Time-based one-time password (TOTP) support. Microsoft Authenticator supports TOTP, which means you can use it with any service that supports TOTP-based authentication.
  • Multiple accounts. Users can add multiple accounts to the app, making it a convenient way to manage MFA for all their accounts in one place.
  • Biometric support. On supported devices, users can use biometric authentication (such as fingerprint or facial recognition) to quickly and securely access their accounts.

People who enabled phone sign-in from Microsoft Authenticator see a message during sign-in that asks them to tap a number in their app. The app doesn't ask them for a username or password. To complete the sign-in process in the app, a user must then:

  1. Enter the number they see on the sign-in screen into the Microsoft Authenticator dialog.
  2. Select Approve.
  3. Provide their PIN or biometric.
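The following is an added example, not code from this page or from Microsoft, that models the number-matching approval described above and the device-bound signature mentioned in the push-notification discussion. The service creates a request with a random two-digit number that is shown only on the sign-in screen; the phone, after the PIN or biometric unlock, signs the request ID together with the number the user typed; the service checks the signature against the registered device's public key and compares the number. The key type (ed25519), the message layout, and the user and device names are assumptions for the example, not Microsoft's implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Device is what the identity service keeps after registration: the public
// half of a key pair. The private half stays in the phone's hardware keystore
// and is released only after the user's PIN or biometric. (ed25519 is an
// assumption for this example; the page does not name the key type.)
type Device struct {
	Pub ed25519.PublicKey
}

// SignInRequest is one pending passwordless sign-in. The number is shown on
// the sign-in screen only; the phone never receives it.
type SignInRequest struct {
	ID     [16]byte
	Number uint8 // 0-99
	User   string
}

type Service struct {
	devices map[string]Device // user -> registered phone
	pending map[[16]byte]SignInRequest
}

func NewService() *Service {
	return &Service{devices: map[string]Device{}, pending: map[[16]byte]SignInRequest{}}
}

func (s *Service) Register(user string, d Device) { s.devices[user] = d }

// StartSignIn is triggered by whoever typed the username, which may be an attacker.
func (s *Service) StartSignIn(user string) (SignInRequest, error) {
	if _, ok := s.devices[user]; !ok {
		return SignInRequest{}, errors.New("user has no registered device")
	}
	var id [16]byte
	if _, err := rand.Read(id[:]); err != nil {
		return SignInRequest{}, err
	}
	n, err := rand.Int(rand.Reader, big.NewInt(100))
	if err != nil {
		return SignInRequest{}, err
	}
	req := SignInRequest{ID: id, Number: uint8(n.Int64()), User: user}
	s.pending[id] = req
	return req, nil
}

// approvalMessage is the byte string the phone signs: this request's ID and
// the number the user typed, so one signature approves exactly one request.
func approvalMessage(id [16]byte, number uint8) []byte {
	return append(id[:], number)
}

// Approve runs on the phone after the PIN or biometric unlocks the key.
func Approve(priv ed25519.PrivateKey, id [16]byte, typed uint8) []byte {
	return ed25519.Sign(priv, approvalMessage(id, typed))
}

// Complete is the service-side check. Each request is single use.
func (s *Service) Complete(id [16]byte, typed uint8, sig []byte) error {
	req, ok := s.pending[id]
	if !ok {
		return errors.New("unknown or already used request")
	}
	delete(s.pending, id)
	dev := s.devices[req.User]
	if len(dev.Pub) != ed25519.PublicKeySize {
		return errors.New("no registered device")
	}
	if !ed25519.Verify(dev.Pub, approvalMessage(id, typed), sig) {
		return errors.New("approval was not signed by the user's registered device")
	}
	if typed != req.Number {
		// The user approved a prompt without seeing the sign-in screen:
		// the MFA-fatigue outcome, stopped here.
		return fmt.Errorf("number mismatch: typed %02d, displayed %02d", typed, req.Number)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed phone key pair
	svc := NewService()
	svc.Register("alice@contoso.com", Device{Pub: pub})
	req, _ := svc.StartSignIn("alice@contoso.com")
	fmt.Println("legitimate:", svc.Complete(req.ID, req.Number, Approve(priv, req.ID, req.Number)))
	req, _ = svc.StartSignIn("alice@contoso.com") // attacker-initiated prompt
	guess := (req.Number + 1) % 100                // user never saw the real number
	fmt.Println("fatigue attempt:", svc.Complete(req.ID, guess, Approve(priv, req.ID, guess)))
}
```

Two properties carry the security argument: the signature binds the approval to a single request ID, so it can't be replayed, and the number lives only on the screen the user is actually looking at, so an attacker who triggers the prompt can't supply it.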

You must meet the following prerequisites to use passwordless phone sign in with Microsoft Authenticator on Android and iOS devices:

  • Microsoft recommends that you enable Microsoft Entra Multifactor Authentication, with push notifications allowed as a verification method. Push notifications to your smartphone or tablet help the Authenticator app prevent unauthorized access to accounts and stop fraudulent transactions. The Authenticator app automatically generates codes when set up to do push notifications. A user has a backup sign-in method even if their device doesn't have connectivity.
  • Install the latest version of Microsoft Authenticator on devices running iOS or Android.
  • For an Android device, you must register the device that runs Microsoft Authenticator to an individual user.
  • For an iOS device, you must register the device with each tenant where you use the device. For example, a user can register a device with Contoso and Wingtip Toys to allow all user accounts that use that device to sign in, such as:
    • AlexM@contoso.com
    • AlexM@wingtiptoys.com and PaulF@wingtiptoys.com
  • For an iOS device, Microsoft recommends enabling the Microsoft Authenticator option that allows Microsoft to gather usage data. Microsoft doesn't enable this option by default. To enable it in Microsoft Authenticator, go to Settings, and then Usage Data.

To use passwordless authentication in Microsoft Entra ID, first enable the combined registration experience, then enable users for the passwordless method.

Passkeys (FIDO2)

The FIDO (Fast IDentity Online) Alliance helps to promote open authentication standards and reduce the use of passwords as a form of authentication. FIDO2 is the latest standard that incorporates the web authentication (WebAuthn) standard.

FIDO2 security keys are a phishing-resistant, standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to apply the standard to sign in to their resources without a username or password, using an external security key or a platform key built into a device. The phishing resistance comes from origin binding: the authenticator holds a separate key pair per relying party, and its signature covers the relying party identifier and the origin that the browser (not the web page) observed, so a credential registered for a legitimate site can't be used by a look-alike domain.

Users can register and then select a FIDO2 security key at the sign-in interface as their main means of authentication. These FIDO2 security keys are typically USB devices, but they could also use Bluetooth or NFC. With a hardware device that handles the authentication, the security of an account is increased as there's no password that could be exposed or guessed.

You can use FIDO2 security keys to sign in to your Microsoft Entra ID or Microsoft Entra hybrid joined Windows 10 and 11 devices and get single-sign on to your cloud and on-premises resources. You can also sign in to supported browsers. FIDO2 security keys are a great option for enterprises who are very security sensitive or have scenarios or employees who aren't willing or able to use their phone as a second factor. It's applicable for shared PCs and where a mobile phone isn't a viable option, such as for help desk personnel, public kiosk, or a hospital team.
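The following is an added example, not code from this page or from the FIDO Alliance or Microsoft, that shows the origin binding behind the phishing resistance claimed above (Windows Hello for Business and Platform Credential for macOS rely on the same key-per-relying-party pattern). It models the three parties of a WebAuthn assertion: an authenticator that keeps one key pair per relying party ID, a browser that refuses an rpId that is not a suffix of the page's host and records the real origin in the client data, and a relying party that checks origin, rpId hash, challenge, signature, and counter. The key type (ed25519, which WebAuthn permits as EdDSA), the simplified authenticator data layout, the hostnames, and the challenge bytes are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// credential lives inside the authenticator and is scoped to one rpId.
type credential struct {
	priv    ed25519.PrivateKey
	counter uint32
}

type Authenticator struct{ creds map[string]*credential } // rpId -> credential

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*credential{}} }

// Register creates a key pair bound to rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds[rpID] = &credential{priv: priv}
	return pub
}

// clientData is assembled by the browser; a web page cannot forge the origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives (simplified authData layout).
type Assertion struct {
	AuthData   []byte // sha256(rpId) || flags || counter (big-endian)
	ClientData []byte // JSON clientData
	Signature  []byte // over AuthData || sha256(ClientData)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BrowserGet models navigator.credentials.get(): the browser only allows an
// rpId that is the page's host or a registrable suffix of it, then asks the
// authenticator for a credential scoped to exactly that rpId.
func BrowserGet(a *Authenticator, pageOrigin, rpID string, challenge []byte) (*Assertion, error) {
	host := strings.TrimPrefix(pageOrigin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("rpId %q is not valid for origin %s", rpID, pageOrigin)
	}
	cred, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: b64(challenge), Origin: pageOrigin})
	cred.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], cred.counter)
	authData := append(append(rpHash[:], 0x01), ctr[:]...) // flags 0x01: user present
	cdHash := sha256.Sum256(cd)
	sig := ed25519.Sign(cred.priv, append(append([]byte{}, authData...), cdHash[:]...))
	return &Assertion{AuthData: authData, ClientData: cd, Signature: sig}, nil
}

type RelyingParty struct {
	ID, Origin  string
	pubKeys     map[string]ed25519.PublicKey // user -> key captured at registration
	lastCounter map[string]uint32
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: "https://" + id, pubKeys: map[string]ed25519.PublicKey{}, lastCounter: map[string]uint32{}}
}

func (rp *RelyingParty) RegisterUser(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// Verify performs the relying-party checks that make the assertion unphishable.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != b64(challenge) {
		return errors.New("challenge mismatch or wrong ceremony type")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %s is not %s: assertion was made on another site", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthData) != 37 || !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to a different relying party")
	}
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	cdHash := sha256.Sum256(as.ClientData)
	if !ed25519.Verify(pub, append(append([]byte{}, as.AuthData...), cdHash[:]...), as.Signature) {
		return errors.New("signature does not verify under the registered key")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:37])
	if counter <= rp.lastCounter[user] {
		return errors.New("signature counter did not increase (replay or cloned authenticator)")
	}
	rp.lastCounter[user] = counter
	return nil
}

func main() {
	rp := NewRelyingParty("login.microsoftonline.com")
	auth := NewAuthenticator()
	rp.RegisterUser("alice", auth.Register(rp.ID))
	challenge := []byte("constructed-challenge-1")
	as, _ := BrowserGet(auth, rp.Origin, rp.ID, challenge)
	fmt.Println("genuine site:", rp.Verify("alice", challenge, as))
	_, err := BrowserGet(auth, "https://login.microsoftonline.com.evil.example", rp.ID, challenge)
	fmt.Println("look-alike site:", err)
}
```

The look-alike site fails twice over: the browser won't let it ask for the genuine rpId, and even if the user had registered a credential for the attacker's own rpId, the resulting assertion carries the attacker's origin and rpId hash, which the real relying party rejects before it ever checks the signature.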

Screenshot showing a web sign-in screen that enables you to select the security key authentication option.

Additional reading. For more information, see Support for FIDO2 authentication with Microsoft Entra ID. For developer best practices, see Support FIDO2 auth in the applications they develop.

Certificate-based authentication

Microsoft Entra certificate-based authentication (CBA) enables customers to allow or require users to authenticate directly with X.509 certificates against their Microsoft Entra ID for applications and browser sign-in. CBA enables customers to adopt phishing-resistant authentication and sign in with an X.509 certificate against their Public Key Infrastructure (PKI).

Diagram showing the sign-in workflow when using certificate-based authentication.

The key benefits of using Microsoft Entra certificate-based authentication include:

  • Great user experience
    • Users who need certificate-based authentication can now directly authenticate against Microsoft Entra ID. They no longer have to invest in federated AD FS.
    • Portal UI enables administrators to easily configure how to map certificate fields to a user object attribute to look up the user in the tenant (certificate username bindings).
    • Portal UI enables administrators to configure authentication policies to help determine which certificates are single-factor versus multifactor.
  • Easy to deploy and administer
    • Microsoft Entra CBA is a free feature. You don't need any paid editions of Microsoft Entra ID to use it.
    • No need for complex on-premises deployments or network configuration.
    • Directly authenticate against Microsoft Entra ID.
  • Secure
    • On-premises passwords don't need to be stored in the cloud in any form.
    • Protects your user accounts by working seamlessly with Microsoft Entra Conditional Access policies, including Phishing-Resistant multifactor authentication (MFA requires licensed edition) and blocking legacy authentication.
    • Strong authentication support where administrators can define authentication binding policies through certificate fields, such as issuer or policy OID (object identifier), to determine which certificates qualify as single-factor versus multifactor.
    • The feature works seamlessly with Conditional Access features and authentication strength capability to enforce MFA to help secure your users.
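The following is an added example, not code from this page or from Microsoft, that models the three CBA steps listed above: chaining the user's X.509 certificate to an issuing CA the tenant trusts, a username binding that maps a certificate field (here the SAN rfc822Name) to a directory attribute, and an authentication binding that treats certificates carrying a particular policy OID as multifactor and everything else as single-factor. The issuing CA, the user records, the ed25519 keys, and the policy OID under Microsoft's private arc are all constructed for the example; a real tenant would use the OID its own PKI stamps into smart-card certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	// Assumed example policy OID; not a real Microsoft-issued value.
	oidMFAPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 99999, 1}
)

// policyInformation mirrors RFC 5280 PolicyInformation (qualifiers optional).
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// newCA creates a self-signed issuing CA that stands in for the enterprise PKI.
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// issueUserCert issues a client-auth certificate with the user's email as the
// SAN rfc822Name and, optionally, the certificatePolicies extension.
func issueUserCert(ca *x509.Certificate, caKey ed25519.PrivateKey, email string, withPolicy bool) []byte {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if withPolicy {
		// Encoded by hand so the example does not depend on the Go version's policy fields.
		val, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidMFAPolicy}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		panic(err)
	}
	return der
}

// policyOIDs reads the certificatePolicies extension from the raw extension list.
func policyOIDs(cert *x509.Certificate) []asn1.ObjectIdentifier {
	var out []asn1.ObjectIdentifier
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		if _, err := asn1.Unmarshal(ext.Value, &infos); err != nil {
			return nil
		}
		for _, p := range infos {
			out = append(out, p.Policy)
		}
	}
	return out
}

// Directory models the tenant: trusted CAs, a username binding table, and the
// policy OID that the authentication binding maps to multifactor.
type Directory struct {
	trusted   *x509.CertPool
	users     map[string]string // SAN rfc822Name -> userPrincipalName (constructed)
	mfaPolicy asn1.ObjectIdentifier
}

type Result struct {
	UPN      string
	Strength string // "single-factor" or "multifactor"
}

func (d *Directory) Authenticate(der []byte) (Result, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Result{}, err
	}
	// 1. Chain to a CA the tenant trusts and require the client-auth EKU.
	opts := x509.VerifyOptions{Roots: d.trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return Result{}, fmt.Errorf("untrusted certificate: %w", err)
	}
	// 2. Username binding: RFC822Name -> userPrincipalName.
	if len(cert.EmailAddresses) == 0 {
		return Result{}, errors.New("certificate has no rfc822Name to bind")
	}
	upn, ok := d.users[cert.EmailAddresses[0]]
	if !ok {
		return Result{}, errors.New("no user in the tenant matches the certificate")
	}
	// 3. Authentication binding: policy OID decides single- versus multifactor.
	res := Result{UPN: upn, Strength: "single-factor"}
	for _, oid := range policyOIDs(cert) {
		if oid.Equal(d.mfaPolicy) {
			res.Strength = "multifactor"
		}
	}
	return res, nil
}

func main() {
	ca, caKey := newCA("Contoso Issuing CA")
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	dir := &Directory{trusted: pool, users: map[string]string{"alice@contoso.com": "alice@contoso.com"}, mfaPolicy: oidMFAPolicy}
	res, err := dir.Authenticate(issueUserCert(ca, caKey, "alice@contoso.com", true))
	fmt.Printf("%+v %v\n", res, err)
}
```

The order of the checks is the point: a certificate is never looked up in the directory until it has chained to a trusted issuer, so an attacker-controlled CA can't mint a certificate for an existing user, and the strength decision is made from the certificate's own policy extension rather than from anything the client asserts.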