Features like multifactor authentication (MFA) are a great way to secure your organization, but users often get frustrated with the additional security layer on top of having to remember their passwords. Passwordless authentication methods are more convenient because the password is removed and replaced with something you have (a device or security key), plus something you are (a biometric) or something you know (a PIN that is checked locally and never sent to the service).
Each organization has different needs when it comes to authentication. Microsoft global Azure and Azure Government offer the following three passwordless authentication options that integrate with Azure Active Directory (Azure AD):
Windows Hello for Business
Windows Hello for Business is ideal for information workers who have their own designated Windows PC. The biometric and PIN credentials are tied directly to the user's PC: they unlock a private key held on that device and are never transmitted to Azure AD, which prevents access from anyone other than the owner. With public key infrastructure (PKI) integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a convenient method for seamlessly accessing corporate resources on-premises and in the cloud. The following steps show how the sign-in process works with Azure AD:
The Windows Hello for Business planning guide can be used to help you decide on the type of Windows Hello for Business deployment and the options you'll need to consider.
Microsoft Authenticator
You can also allow an employee's phone to become a passwordless authentication method. You may already be using the Authenticator app as a convenient multifactor authentication option in addition to a password. You can also use the Authenticator app as a passwordless option. The Authenticator app turns any iOS or Android phone into a strong, passwordless credential. Users can sign in to any platform or browser by getting a notification on their phone, matching the number displayed on the sign-in screen to the one shown in the app, and then using their biometric (touch or face) or PIN to confirm. Refer to Download and install the Microsoft Authenticator for installation details. Passwordless authentication using the Authenticator app follows the same basic pattern as Windows Hello for Business. It's a little more complicated because the user first needs to be identified so that Azure AD can find the Authenticator app version being used:
To get started with passwordless sign-in, complete the following how-to:
Enable passwordless sign-in using the Authenticator app
FIDO2 security keys
The FIDO (Fast IDentity Online) Alliance promotes open authentication standards and aims to reduce the use of passwords as a form of authentication. FIDO2 is the latest standard and incorporates the Web Authentication (WebAuthn) standard. FIDO2 security keys are a standards-based passwordless authentication method that can come in any form factor, and they are unphishable: the key signs a server-issued, single-use challenge that the browser binds to the site's origin, so an assertion can't be captured by, or relayed from, a look-alike site. FIDO allows users and organizations to sign in to their resources without a username or password using an external security key or a platform key built into a device. Users can register and then select a FIDO2 security key at the sign-in interface as their main means of authentication. These FIDO2 security keys are typically USB devices, but could also use Bluetooth or NFC. With a hardware device that handles the authentication, the security of an account is increased because there's no password that could be exposed or guessed. Users can use FIDO2 security keys to sign in to their Azure AD joined or hybrid Azure AD joined Windows 10 devices and get single sign-on to their cloud and on-premises resources. Users can also sign in to supported browsers. FIDO2 security keys are a great option for enterprises that are very security sensitive or that have scenarios or employees who aren't willing or able to use their phone as a second factor. We have a reference document for which browsers support FIDO2 authentication with Azure AD, as well as best practices for developers wanting to support FIDO2 auth in the applications they develop. The following process is used when a user signs in with a FIDO2 security key:
FIDO2 security key providers
The following providers offer FIDO2 security keys of different form factors that are known to be compatible with the passwordless experience. We encourage you to evaluate the security properties of these keys by contacting the vendor as well as the FIDO Alliance.
Note If you purchase and plan to use NFC-based security keys, you need a supported NFC reader for the security key. The NFC reader isn't an Azure requirement or limitation. Check with the vendor for your NFC-based security key for a list of supported NFC readers. If you're a vendor and want to get your device on this list of supported devices, check out our guidance on how to become a Microsoft-compatible FIDO2 security key vendor. To get started with FIDO2 security keys, complete the following how-to:
Enable passwordless sign-in using FIDO2 security keys
Supported scenarios
The following considerations apply:
Choose a passwordless method
The choice between these three passwordless options depends on your company's security, platform, and app requirements. Here are some factors for you to consider when choosing Microsoft passwordless technology:
Use the following table to choose which method will support your requirements and users.
Next steps
To get started with passwordless in Azure AD, complete one of the following how-tos: