
How To Use Passwordless As An Authentication Method To Login To Your Cloud

I always feel lazy when the time comes to authenticate my account to log in to one of the cloud portals or a WebApp with a password. Why do I need a complex password (long, hard to guess, not one of my last 6 passwords, etc.) to meet our security requirements?

I started digging, read a Microsoft article, and remembered the passwordless technology in Azure AD/Entra.

So what is Passwordless?

Passwordless is a new method of signing in to Azure Active Directory (AAD) without using a regular password; instead, the user proves possession of a cryptographic key to authenticate the account. Authentication can be done in different ways:-

  • Microsoft Authenticator App or a 3rd-party OATH app (available on Okta or similar). I’ll use this method.
  • Windows Hello for Business.
  • Certificate-based authentication.
  • FIDO2 Security Key.
  • SMS.
  • Temporary Access Pass.

Why Passwordless is a good idea:-

According to Microsoft Cyber Security and other security websites, there are many attacks on passwords every second (579 passwords/sec), around 18 billion a year.

As humans, when we get a notification to change or create a password, most of us reuse the same password for different accounts to make it easy to remember, use our own name or a pet’s name, or make it very secure and then forget it and have to reset it over and over.

Also, some attacker techniques, such as man-in-the-middle attacks or malware, can capture your password.

Passwordless implementation test (only tested using the Microsoft Authenticator App)

Let’s configure the Passwordless:-

On Intune:

  1. The first step I did was to enable Microsoft Authenticator from AAD or Entra.
  2. Configure a policy to enforce Microsoft Authenticator, create a group to assign this policy to, and finally add a user to it for testing. I recommend selecting All Users for production.
  3. After configuring all policies, the group, and the user(s), log in to the account and change the settings from My Account > Setting > Security; under “Adding Security,” turn “Passwordless Account” on.

Users will be prompted to download the Microsoft Authenticator App or to use any similar app; for this demo I used the Microsoft app.

Once the user has completed the steps in the app, they will get this notification.

Back in the account settings, you will see that Passwordless Account is now ON.

So what is happening in the background:-

  1. The user enters their username.
  2. Azure AD detects that the user has a strong credential and starts the Strong Credential flow.
  3. A notification is sent to the app via Apple Push Notification Service (APNS) on iOS devices or via Firebase Cloud Messaging (FCM) on Android devices.
  4. The user receives the push notification and opens the app.
  5. The app calls Azure AD and receives a proof-of-presence challenge and nonce.
  6. The user completes the challenge by entering their biometric (like face recognition) or PIN to unlock the private key.
  7. The nonce is signed with the private key and sent back to Azure AD.
  8. Azure AD performs public/private key validation and returns a token.

Now, let us use the WebApp/Portal to see how I authenticate without using a password:-

Here I am trying to log in to the Azure portal; after I typed my email, I got this.

Then I got this code on my computer,

and matched this code in the Microsoft Authenticator App on my phone.

And that’s it, no more Passwords.

Thanks for reading.
