You are looking into going passwordless with Azure AD (Entra ID) and all you can see is documentation stating to use Temporary Access Pass (TAP) to onboard FIDO2. As a cybersecurity expert, you realize that that becomes the weakest part of your infrastructure. First, you can “put lipstick on a pig” but even with the cute name, TAP is still a single factor password, and since a human must give the TAP to another user for self-service onboarding, you open your helpdesk team up to social engineering attacks.
Unfortunately, there is no secret setting in the Entra ID portal to enable secure FIDO2 onboarding for Azure AD. Luckily, as a Microsoft partner we created the only native FIDO2 onboarding solution for Azure!
While we technically still use a TAP in the onboarding process, as you can see in the video above, no human has access to the TAP. Instead, the user uses a verifiable credential such as their driver’s license and their face to authenticate they are the person they say they are, and then we create the FIDO2 token for them. Not only do you get a quick FIDO2 onboarding experience, but there are also extra security measures we take to ensure the integrity of the YubiKey that is being issued to the user.
Going passwordless with Azure AD doesn’t have to involve exposing your organization to the risks associated with human-accessed Temporary Access Passes. By using our native FIDO2 onboarding solution for Azure, you can ensure a secure, efficient, and seamless onboarding process for your users while adhering to the necessary security and compliance requirements. Discover how you can transform your organization’s security posture by implementing our passwordless onboarding solution. Contact us today to learn more or to schedule a demo.