Since the introduction of passwords as the standard for computer authentication, there haven’t been many changes beyond enforcing password length and character complexity requirements and the introduction of two-factor authentication options such as SMS and voice calls and the use of various hardware tokens. However, even with those options, authentication still relied on a password.
The age of the password has begun to change. Authentication applications offer options for hardware and software tokens and push notifications that are more secure than SMS or a voice call. Technologies such as Windows Hello, Microsoft Authenticator phone sign-in, and FIDO2 security keys effectively remove passwords from the authentication process.
In the article “3 Components of Cloud Authentication: Enterprise SSO, Zero Trust, Passwordless,” Miles Gratz delves into various types of cloud authentication and discusses the basics needed to implement Passwordless Authentication using phone sign-in within the Microsoft Cloud ecosystem. Note that this article assumes you’ve already rolled out Microsoft Authenticator in your organization.
In Microsoft Entra ID, authentication methods can be configured to your requirements, allowing you to control conventional password use, passwordless options, FIDO2 security keys, hardware OATH tokens or certificate-based options, and more. Each of these methods can be targeted to specific users or groups.
The goal of this implementation will be to eliminate the use of passwords for your users accessing their Entra ID resources. Many organizations ask how they can do this if their users access numerous applications that require authentication. The biggest prerequisite of implementing passwordless authentication is federation of your applications with Entra ID. Utilizing SAML or OpenID Connect is key; otherwise, applications not federated with Entra ID will still need to authenticate using legacy methods, which often utilize passwords. Federating your applications with Entra ID also allows them to be controlled via Conditional Access (CA) policies, providing additional security.
If your users already utilize their Entra ID credentials to access the resources they need, you’re ready to proceed with the steps below to configure passwordless authentication using phone sign-in.
By default, Entra ID doesn’t have the options enabled to support this configuration. You must modify three key areas to enable it. In most cases, you must enable a new authentication method (TAP), create an authentication strength that includes it, and then configure a CA policy for enforcement.
If you’re using Windows Hello for Business (WHfB) to authenticate to your workstations, you’ll also want to make a configuration change to support emergency access once you have disabled the ability to utilize conventional passwords.
Let’s dive into how to make the necessary modifications to implement passwordless authentication using phone sign-in.
Enabling TAPs as an Authentication Method
A Temporary Access Pass (TAP) is similar to the old app passwords in that it is considered strong authentication, which allows it to bypass multi-factor authentication (MFA). The difference is that a TAP is intended to be used sparingly and expires quickly. TAPs are required for new user onboarding and, in some cases, support tasks, because a user will no longer be issued a password to authenticate with.
To enable TAPs, access the Azure portal and navigate to Entra ID > Security > Authentication methods. Select Temporary Access Pass to enable TAP and select the targeted users. We highly recommend testing this with a pilot group prior to a mass deployment.
Once the feature is enabled, you can adjust the configuration options. These options will be enforced any time an administrator creates a new TAP. You have the option to require one-time-use TAPs instead of multi-use TAPs.
A user booting their machine and completing a Windows Autopilot enrollment will require two TAP authentications. One TAP authentication is required to log in and begin the Autopilot process. A second TAP authentication is required to complete a WHfB enrollment. If the user is also enrolling in MFA for the first time, a third TAP authentication is required to complete their Authenticator mobile device enrollment.
Creating an Authentication Strength that Includes TAPs
If you’re planning to adopt a passwordless architecture (i.e., restricting the use of conventional passwords), you’ll need to create a new authentication strength in Entra ID. Authentication strengths are groups of permitted authentication methods. The out-of-box authentication strengths provided by Microsoft at this time support either all conventional MFA options or passwordless authentication but not TAPs. Unfortunately, in many cases, TAPs are a critical part of the passwordless authentication architecture, so you need to make them available for use.
To create a new authentication strength that includes TAPs, follow the steps below:
- Access the Azure Portal and navigate to Entra ID > Security > Authentication methods > Authentication strengths.
- Click New authentication strength, provide a name such as “My Organization Passwordless,” and select the following recommended options. (If you don’t utilize FIDO2 security keys or certificate-based authentication, feel free to exclude them.)
  - Windows Hello for Business
  - Passkeys (FIDO2)
  - Certificate-based Authentication (Multifactor)
  - Microsoft Authenticator (Phone Sign-in)
  - Temporary Access Pass (One-time use)
  - Temporary Access Pass (Multi-use)
Configuring a CA Policy to Require Authentication Strength
To mandate the use of your new authentication strength, you must configure a CA policy. Under Grant, enable Require authentication strength and select your new authentication strength from the dropdown menu, as shown below.
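The three portal steps above (enabling TAP for a pilot group, creating the authentication strength, and creating the CA policy that requires it) can also be scripted against Microsoft Graph. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original article; the group id is a placeholder, and the policy is created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example (not from the article). Assumes the Microsoft.Graph PowerShell SDK is installed.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your pilot group's object id
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Enable Temporary Access Pass for the pilot group only: one-time use, short default lifetime.
$tapConfig = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    isUsableOnce             = $true
    defaultLifetimeInMinutes = 60
    includeTargets           = @(@{ targetType = "group"; id = $pilotGroupId })
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass" `
    -Body $tapConfig

# 2. Create the custom authentication strength: the recommended passwordless methods plus both TAP types.
$strength = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies" `
    -Body @{
        displayName         = "My Organization Passwordless"
        description         = "Passwordless methods plus TAP for onboarding and recovery"
        allowedCombinations = @(
            "windowsHelloForBusiness",
            "fido2",
            "x509CertificateMultiFactor",
            "deviceBasedPush",               # Microsoft Authenticator phone sign-in
            "temporaryAccessPassOneTime",
            "temporaryAccessPassMultiUse"
        )
    }

# 3. CA policy that requires the strength for the pilot group. Report-only first, so users who
#    have not yet enabled phone sign-in show up in the sign-in logs instead of being locked out.
$caPolicy = @{
    displayName   = "Require passwordless authentication strength (pilot)"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after the pilot
    conditions    = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.id }
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -Body $caPolicy
```

Before switching the policy state to enabled, add your emergency access accounts to the policy's exclusions so a misconfiguration cannot lock administrators out.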
Windows Login Process
The native Windows login process doesn’t currently support the use of TAPs. This is important because new users won’t be able to enroll for WHfB without a TAP. You can enable a feature called Web sign-in to solve this issue.
To enable Web sign-in, configure a settings catalog policy in Intune and set the Enable Web sign-in setting to Enabled. If you’re using another MDM service, configure the equivalent setting through its OMA-URI.
To use Web sign-in, click the globe icon to activate the credential provider, as shown below.
Recommendations
If you plan to enable this functionality for your existing users, have them enable phone sign-in on their mobile phones prior to a CA policy deployment. Otherwise, they may be locked out and require administrator intervention to create a TAP to complete this process, as their existing account password won’t work.
TAP is considered strong authentication, so no multi-factor authentication requests are sent. Be sure to have a process that provides both control and auditing of who can create a TAP, as well as a process to confirm the identity of users calling support requesting a TAP.
Summary
Although there are numerous moving parts to implementing passwordless authentication within your organization, the benefits are significant. Since passwords are no longer part of the authentication process, password brute force attacks are eliminated and the remaining methods provide resistance to phishing attacks.
Authentication methods are rapidly changing, and adopting many of these new methods can be a complex endeavor within an existing organization. Please contact us to find out how we can help.