Go passwordless or get hacked!

Ok, I got your attention now...

Identity and access validation, such as authenticating with a unique username and password, has been used since the dawn of time in IT to grant users access to systems. This was an acceptable solution for users and systems operating in isolation and in a trusted environment, such as an internal or corporate network. Today, IT systems are increasingly reachable over the Internet, and users connect remotely to internal systems through various technologies (VPN, remote desktop solutions, web access…) – especially over the past 2-3 years with the pandemic.

With the ever-increasing number of access points and systems available internally and publicly, it has become harder for end-users to remember and manage all their credentials, which results in them reusing the same credentials (username and password) across systems.

At the same time, with the increased performance of computers, it is now easier and cheaper for bad actors to run brute-force attacks against systems and recover authentication credentials – especially when usernames are predictable combinations of initials, first name and surname.

Over the past 5 to 8 years, to strengthen the authentication process, big tech companies like Google, Microsoft, Apple and Facebook have been adding further validation steps – known as multi-factor authentication (MFA) – or implementing more robust authentication methods, such as fingerprint or face recognition.

Unfortunately, over time, MFA has been weakened, either by hardware limitations (fingerprint or face recognition may not be available on all devices) or by the ability to simulate some MFA methods.

Microsoft has been driving the passwordless journey over the last two years with the idea that end-users no longer need to rely only on their passwords. Passwordless is achieved by adding support for strong authentication methods, including face recognition (known as Windows Hello for Business) or authentication through a mobile application.

Microsoft also provides increased security for password users by enforcing auto-generated passwords, minimum password lengths and complex alphanumeric-plus-symbol combination requirements.

If you are using Azure Active Directory (AAD), I would highly recommend that your company starts looking at adopting the passwordless journey.

The Azure AD passwordless experience supports multiple strong authentication methods (not enabled and configured by default):

  • FIDO2 security key – a non-phishable, standards-based passwordless authentication method that lets users and organisations sign into their resources without a username or password, using either an external security key or a platform key built into a device.
  • Microsoft Authenticator mobile application – enforces two-step verification when you sign into your accounts; the second step uses a mobile app on your phone, making it harder for other people to break into your account.
  • Certificate Based Authentication – requires an internal public key infrastructure (PKI); not (yet?) available as a cloud solution.
  • Temporary Access Pass – a one-time temporary password for end-users to register SMS, which is probably not as strong.


On top of this, you can also improve your MFA posture by configuring your MFA to:

  • show a number that must be entered in the MFA request prompt on Microsoft Authenticator (number matching);
  • show the name of the application requesting the MFA;
  • show the location of the MFA request.

Enabling these enhanced MFA features helps fight MFA fatigue, where end-users are tricked into granting device access by a constant stream of MFA requests, clicking the Approve button unconsciously or by mistake.
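The number-matching flow described above, as an added Python example (a constructed model, not the page's or Microsoft's code): the challenge number reaches only the sign-in screen, the push carries the app name and location but never the number, and each request is single-use, so a push approved blindly cannot complete.

```python
# Added toy model of the Authenticator "number matching" push flow (not Microsoft's code):
# the number is shown only on the sign-in screen and never sent in the push.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class PushRequest:
    """What the authenticator app receives for one sign-in attempt."""
    request_id: str
    app_name: str   # e.g. "Outlook": lets the user judge whether they expect this
    location: str   # approximate location of the sign-in attempt

@dataclass
class SignInAttempt:
    """Server-side state for one sign-in that is waiting on MFA."""
    request_id: str
    expected_number: int  # displayed on the sign-in page only, never pushed
    push: PushRequest

class MfaServer:
    def __init__(self) -> None:
        self.pending: Dict[str, SignInAttempt] = {}

    def start_sign_in(self, app_name: str, location: str) -> Tuple[str, int]:
        """Create a pending attempt; returns (request_id, number for the screen)."""
        request_id = secrets.token_hex(8)
        number = secrets.randbelow(100)  # two-digit challenge, 0..99
        self.pending[request_id] = SignInAttempt(
            request_id, number, PushRequest(request_id, app_name, location))
        return request_id, number

    def complete(self, request_id: str, entered: Optional[int]) -> bool:
        """Check the number typed into the app. The attempt is popped first, so
        each push is single-use: no retrying guesses, no replaying an old one."""
        attempt = self.pending.pop(request_id, None)
        if attempt is None or entered is None:
            return False
        return entered == attempt.expected_number

def legitimate_sign_in(server: MfaServer) -> bool:
    """The user who started the sign-in reads the number off their own screen."""
    request_id, number_on_screen = server.start_sign_in("Outlook", "Sydney, AU")
    return server.complete(request_id, number_on_screen)

def blind_approval(server: MfaServer) -> bool:
    """MFA-fatigue scenario: a push the user did not start, so no number to enter."""
    request_id, _ = server.start_sign_in("VPN", "Unknown")
    return server.complete(request_id, None)
```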


To add another layer of security and more granularity over which MFA method must be used when accessing certain applications, you can also use the new MFA strengths customisation (currently in preview), which lets you use a built-in policy or create your own to use with Azure AD Conditional Access when requesting MFA.


Bonus tip

If you want to check whether your credentials (username and password) have been hacked or exploited (also known as pwned), use the website “Have I Been Pwned”, created and run by Troy Hunt, a well-known security expert and Microsoft Most Valuable Professional (MVP).