As you know, there are 3 passwordless authentication methods: FIDO2, SmartCard, and Microsoft Authenticator App. While all three are a great step forward from passwords, the Authenticator app is not fully unphishable since users can be vulnerable to push notification fatigue; unfortunately, though Microsoft has implemented some measures such as number matching, it is still susceptible to social engineering. While it has its vulnerabilities, it is still a great option if budget does not allow you to get hardware tokens for your whole organization. Then we have FIDO2 and SmartCard, which for users are very similar since they both use a hardware key and a pin or biometric check. There are some minor differences between smartcard and FIDO2 but in the big picture, security-wise they are the same. To learn more about the difference between all three methods I recommend watching the webinar below where we go in more detail into the differences.
Each of the three passwordless methods have their strengths and weaknesses. If you’re on a tight budget, phone authentication might seem appealing – it’s cost-friendly, but on the flip side, it isn’t the most secure. It’s a good fit if you’re working with limited resources or in situations where top-tier security isn’t the primary focus. On the hardware token front, if you can only use one, we would recommend smartcard authentication since it is compatible with new technology (while Microsoft has been pushing FIDO2 authentication, it is still not compatible with many cloud management tools such as Azure PowerShell, and MSAL applications) as well as legacy on premise systems; however, the perfect setup (and what we use at Keytos) is having FIDO2 and smartcard in the same token. Using a modern CMS such as EZCMS allows you to seamlessly onboard users to both FIDO2 and smartcard identities and the OS will automatically use the best option for each scenario.
When listing the passwordless authentication methods you probably noticed I did not mention the most popular one: Windows Hello For Business (WH4B), The reason for not mentioning Windows Hello For Business is because it cannot be used for bootstrapping new devices; let’s say you have WH4B in your PC, you cannot use that identity to enroll your phone to Intune. Hence, it is a great option as a secondary passwordless authentication method; for example, you have your YubiKey that you use for onboarding new devices or when you need to authenticate in another device but use Windows Hello for day-to-day authentication in your work computer.
Unfortunately, Microsoft does not have an option for self-service passwordless onboarding for users;, the closest you can get to it is having your IT team create a TAP and sending it to a user. Unfortunately, the TAP is not a multifactor authentication method, it is just a fancy term Microsoft created for a one-time password; also having your IT team distributing TAPs opens the door for social engineering attacks. To have a truly passwordless onboarding experience, we use EZCMS, the first passwordless onboarding CMS for Azure. In this blog I am not going to cover how to set EZCMS in Azure, but you can follow the instructions in this video playlist.
The advantages of EZCMS are:
Check out the user experience below for a simplified view of the whole onboarding process.
When talking to organizations that are planning to implement passwordless authentication, the first question that comes up is what happens if I lose my YubiKey. While this might sound like a scary scenario, with the proper design it is a non-issue.
First let’s start with what happens to that YubiKey, the cryptographic keys are protected by a pin than after a few tries it will be blocked and will not be able to be used by the person that stole the YubiKey, secondly, if you are using a CMS, you report the YubiKey as lost and the CMS will contact your identity provider to revoke the FIDO2 keys as well as any certificate in that YubiKey (this is a very important reason why it is important to have a CMS instead of manually onboarding your hardware tokens).
As previously mentioned, it is recommended to have a secondary authentication method in case your YubiKey is lost. Yubico obviously recommends having an extra YubiKey for you to authenticate if the first one is lost. However, there are other ways to do this without 2xing your hardware budget. Another device such as a laptop with Windows Hello for Business or a phone with Microsoft Authenticator App can work as a temporary smartcard while you get a new YubiKey from your organization. Once you get the new YubiKey you can either use your secondary factor to enroll your new YubiKey or if you have a CMS such as EZCMS you can you your Government ID and face to register your new YubiKey.
Unfortunately, Microsoft Entra ID (Azure AD) does not support users without passwords. Instead, we recommend creating user accounts with a random long password that is not saved anywhere, having the user signup using a passwordless CMS, and setting up conditional access to require a passwordless authentication method. This last step ensures that even if a hacker guesses that random password, they will not be able to access without a passwordless method.
Each organization might have their own user creation method. However, I wanted to share with you a quick PowerShell script that can help you create users with random passwords from a CSV.
GivenName,Surname,UserPrincipalName,UsageLocation,City,State,Country,Department,JobTitle,MobilePhone
Richard,Hendricks,richard.hendricks@piedpiper.com,US,Palo Alto,CA,USA,Engineering,CEO,123-456-7890
Dinesh,Chugtai,dinesh.chugtai@piedpiper.com,US,Palo Alto,CA,USA,Engineering,Developer,123-456-7891
Bertram,Gilfoyle,bertram.gilfoyle@piedpiper.com,US,Palo Alto,CA,USA,Engineering,Developer,123-456-7892
# Connect to Azure AD
Connect-AzureAD
# Path to the CSV file
$csvPath = "C:\path\to\yourfile.csv"
# Function to generate a random password
function GenerateRandomPassword {
param (
[int]$length = 32
)
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()-_=+"
$password = -join ($chars.ToCharArray() | Get-Random -Count $length)
return $password
}
# Read the CSV and loop through each user
Import-Csv -Path $csvPath | ForEach-Object {
$password = GenerateRandomPassword
# Create the new user in Azure AD
New-AzureADUser -DisplayName "$($_.GivenName) $($_.Surname)" -GivenName $_.GivenName -Surname $_.Surname -UserPrincipalName $_.UserPrincipalName -PasswordProfile (New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile -Property @{forceChangePasswordNextLogin=$false;password=$password}) -MailNickName "$($_.GivenName).$($_.Surname)" -UsageLocation $_.UsageLocation -City $_.City -State $_.State -Country $_.Country -Department $_.Department -JobTitle $_.JobTitle
# Output password to the console (for testing purposes)
Write-Output ("User: " + $_.UserPrincipalName + " Created ")
}
# Disconnect from Azure AD
Disconnect-AzureAD
If you are ready to go passwordless, schedule a meeting with our identity experts and get started today!
