
Why are you still using passwords?

Passwords are troublesome, annoying and most likely not secure. Passwords should be unique per account and per service, long and complex, and they should be entered every time you log in to a service. Instead, people tend to reuse the same simple string, one that can be found in a dictionary, and keep their login sessions valid until they have to reinstall the app or browser that holds those credentials.

Many of the problems passwords have are tackled with a password manager and multifactor authentication. With a password manager you only need to authenticate to the password manager, and the manager fills in your credentials via a browser plugin or app. You can set up the password manager to use a FIDO2 key, and thus eliminate your need to remember any passwords.

The issue here is that there still is a password in each of those applications, which can leak and is vulnerable to brute force attacks. This is where SSO (Single Sign-On) and protocols like SAML (Security Assertion Markup Language) come into play. By implementing an IdP (Identity Provider) and SSO you can drastically decrease the credential and brute force attack surface.

So what we want is an IdP that supports SSO and passwordless authentication. There are several solutions to accomplish this, but I want to focus on AzureAD Passwordless sign-in.

AzureAD Passwordless Sign-in supports the following authentication methods:

  • Windows Hello for Business
  • Microsoft Authenticator App
  • FIDO2 security keys

For Windows users, Windows Hello for Business is by far the most convenient method for passwordless sign-in. With Windows Hello for Business you sign in to your computer. The Microsoft Edge browser supports seamless SSO to AzureAD, so the user won't have to log in to any AzureAD identity services; the browser uses the already authenticated Windows credentials.

To achieve passwordless authentication all the way from signing in to the computer to a web service you need to have:

  • AzureAD IdP credential
  • Windows Hello for Business enabled workstation for the AzureAD IdP provided account
  • Browser (Microsoft Edge) or plugin (Windows accounts for Chrome) installed
  • Application as AzureAD enterprise application, with SAML SSO enabled
  • AzureAD conditional access policies in place that allow logins only from trusted workstations
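As an added illustration (not code from the original post), here is how the last item, a conditional access policy that lets the SAML enterprise application be reached only from trusted workstations, can be expressed with the Microsoft Graph PowerShell SDK. The application ID and the pilot group ID are placeholders, and the policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example: conditional access policy that lets sign-ins to the SAML
# enterprise application succeed only from trusted workstations, meaning
# devices that are Intune-compliant or hybrid Azure AD joined.
# Both IDs below are placeholders and must be replaced with real values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$appId   = "<enterprise-application-id>"   # placeholder: appId of the SAML enterprise app
$groupId = "<pilot-group-object-id>"       # placeholder: group of users in the passwordless pilot

$policy = @{
    displayName = "Passwordless SAML app - trusted workstations only"
    # Report-only first: the policy is evaluated and logged but does not block,
    # so unexpected failures show up in the sign-in logs before enforcement.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        applications   = @{ includeApplications = @($appId) }
        users          = @{ includeGroups = @($groupId) }
    }
    grantControls = @{
        # OR: either control satisfies the policy. "compliantDevice" also covers
        # Intune-managed macOS devices; "domainJoinedDevice" is hybrid-joined Windows.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm the policy was stored with the intended state before enforcing it.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -eq $policy.displayName |
    Select-Object DisplayName, State
```

Once the report-only results in the sign-in logs show only the expected "Report-only: Failure" entries (sign-ins from unmanaged devices), change `state` to `enabled` to start blocking them.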

What about macOS or Linux users? This is where the Microsoft Authenticator app and FIDO2 security keys provide the means to authenticate. macOS or Linux users won't be able to enjoy the seamless authentication that Windows users can. Instead, every time they authenticate to AzureAD they are prompted to complete a challenge with the Microsoft Authenticator app or a FIDO2 key.