Multi-Factor Authentication (MFA) is one way of additionally securing the sign-in process. Although MFA dramatically improves security, it is not the holy grail, especially as attacks become increasingly sophisticated and new techniques are discovered almost daily. Today, even MFA can be spoofed and bypassed under certain circumstances!
The journey towards a world without passwords is a long one, and it has only just begun; a lot of work needs to be done before we can rid ourselves of all the passwords. Most people are quick to point towards legacy applications, but even new applications built today do not always support passwordless authentication!
- A password plus 2FA is more secure (100x more secure), but also more complicated and difficult to use.
Passwordless Strategy

| Credentials Management Tasks | Things you can do… today | …in the next three months | …in this calendar year | Looking Beyond |
|---|---|---|---|---|
| Enable MFA | Enrol your users in converged registration | Azure MFA with conditional access to sensitive apps | Add device-based factors like hybrid-join or Intune management | Secure all apps with CA and MFA or Device checks |
| Get to true SSO | Move SaaS apps to Azure AD | Publish Windows Integrated Auth apps with App Proxy | Modernize custom apps to use Azure AD | Sunset your LDAP and WAM apps |
| Deploy Windows Hello for Business | Plan/work to get to Windows 10 version 1703 or greater | Enable an MFA solution for your end users with Azure AD | Roll out WHFB to users, even with only PIN | HW refresh to get more friendly WHFB form factors |
| Enable Passwordless Credentials | Enable Authenticator App to sign in for sensitive users | Enable for all users who can use mobile devices. Pilot FIDO2 | Plan/work to get to Windows 10 version 1903 or greater | Explore new FIDO2 form factors; Authenticator as FIDO2 key |
| Improve Password Management | Roll out Azure AD Password Protection | Change your password policy to our guidelines | Transition to Azure AD SSPR | Stop using passwords |