Making the decision to go fully passwordless in Entra ID is a monumental one for your organization! Without question, it will increase security and improve the user experience around authentication. Welcome to the new age of authentication!
Going passwordless in Azure involves the use of “alternative” authentication methods that do not rely on “traditional” passwords. The primary (read: most popular) methods include Certificate-Based Authentication (smartcards), hardware security keys, and mobile-based device authentication.
The first step in going passwordless is selecting your authentication method(s). There are three passwordless authentication methods: Certificate-Based Authentication (CBA), FIDO2, and phone authentication. Each of these authentication methods has its advantages and disadvantages, and most organizations implement two or even all three of them to help the whole organization go passwordless.
Entra CBA uses X.509 certificates to authenticate users. These certificates can be stored in the Windows certificate store, on a smartcard, or on a YubiKey. This is the oldest phishing-resistant authentication method and has been used by governments around the world for decades; that long-term usage makes certificate-based authentication the most compatible passwordless authentication method. Before the cloud, it was very hard to set up and required a large server footprint to enable user onboarding, but thanks to Entra CBA and EZCMS this can now be done fully in the cloud, giving you the security and compatibility of certificate authentication without the infrastructure needs.
FIDO2 is an industry standard developed by the FIDO Alliance to make passwordless authentication easier. FIDO2 uses the same cryptographic algorithms as certificate-based authentication, but instead of presenting a certificate that carries the user's information, the user's public key is registered directly with the identity provider. This gives the cryptographic security of certificate-based authentication without the complex infrastructure that smartcard authentication required when FIDO2 was created.
While FIDO2 is a very convenient way to secure your identity, due to its relatively short life it is not supported everywhere. While you can create a connector for Active Directory, FIDO2 is not natively supported by Active Directory. Another common place where people are surprised to find FIDO2 unsupported is native iOS Entra ID applications. Luckily, many FIDO2 tokens also support certificates, allowing you to have both a certificate and a FIDO2 credential on the same key; the user can use either of them and have full passwordless support everywhere.
The last passwordless authentication method that Microsoft offers is its own Authenticator application. This is a great option for users who are not technically savvy enough to use a hardware key, or for users in organizations that are not high-visibility targets, allowing the organization to go fully passwordless without having to buy hardware keys for all users. Note: while this is a passwordless authentication method, it is the only one of the three that is not phishing resistant.
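Two points above are easiest to see in the checks a relying party actually performs: the FIDO2 paragraph's observation that the identity provider registers a public key rather than consuming a certificate, and the note that the Authenticator app is the one method that is not phishing resistant. The Go program below is an added illustration written for this article, not Keytos or Microsoft code. It models a simplified WebAuthn registration and sign-in: the identity provider stores only the user's public key, and the signed response carries the origin the browser observed, so a response produced for a look-alike site fails verification even though the signature itself is valid. The rpId, origin, user name and look-alike origin are constructed values; attestation, CBOR encoding and the signature counter are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData holds the clientDataJSON fields that matter here: the challenge the RP issued and the origin the browser observed.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// RelyingParty stands in for the identity provider; it keeps a registered public key per user, not a certificate.
type RelyingParty struct {
	ID          string // rpId the credential is scoped to (constructed value in Demo)
	Origin      string // the exact web origin the RP expects in clientData
	Credentials map[string]*ecdsa.PublicKey
}

// NewChallenge returns a fresh, single-use random challenge.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	_, _ = rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b)
}

// authData is a simplified authenticatorData: SHA-256(rpId) || flags (user present) || counter (zero).
// ECDSA then signs SHA-256(authData || SHA-256(clientDataJSON)), which signedMessage computes.
func authData(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], 0x01, 0, 0, 0, 0)
}

func signedMessage(ad, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	return msg[:]
}

// assert is the authenticator side: the observed origin is inside the signed data, so a response for one origin is useless on another.
func assert(priv *ecdsa.PrivateKey, rpID, challenge, origin string) (cdj, ad, sig []byte, err error) {
	cdj, _ = json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	ad = authData(rpID)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cdj))
	return cdj, ad, sig, err
}

// Verify is the RP-side check; it fails closed on any mismatch.
func (rp *RelyingParty) Verify(user, issued string, cdj, ad, sig []byte) error {
	pub := rp.Credentials[user]
	if pub == nil {
		return errors.New("no credential registered for user")
	}
	var cd ClientData
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != issued {
		return errors.New("challenge mismatch: stale or replayed response")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: response was produced for %q", cd.Origin)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(ad, cdj), sig) {
		return errors.New("signature does not verify against the registered public key")
	}
	return nil
}

// Demo registers a key for a constructed user, then verifies one genuine sign-in and one response carrying a look-alike origin.
func Demo() (genuine, lookalike error) {
	rp := &RelyingParty{ID: "login.example.test", Origin: "https://login.example.test",
		Credentials: map[string]*ecdsa.PublicKey{}}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // lives on the hardware key
	if err != nil {
		return err, err
	}
	rp.Credentials["alice"] = &priv.PublicKey // registration: only the public key is stored
	ch := rp.NewChallenge()
	cdj, ad, sig, _ := assert(priv, rp.ID, ch, rp.Origin)
	genuine = rp.Verify("alice", ch, cdj, ad, sig)
	ch = rp.NewChallenge()
	cdj, ad, sig, _ = assert(priv, rp.ID, ch, "https://login-example.test") // constructed look-alike
	lookalike = rp.Verify("alice", ch, cdj, ad, sig)
	return genuine, lookalike
}

func main() {
	genuine, lookalike := Demo()
	fmt.Println("genuine origin:", genuine, "| look-alike origin:", lookalike)
}
```

Run it with `go run`; the first verification succeeds and the second is rejected on the origin comparison before the signature is even considered. That comparison is the property the article is pointing at: approving a push notification in an authenticator app carries no equivalent binding to the site the user is actually talking to.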
The hardest part of going passwordless is user onboarding and hardware key management. To help you solve this problem we have created EZCMS, the first credential management system with remote self-onboarding and logistics software and services designed for today's distributed workforce, allowing your employees to request new credentials without intervention from your IT team.
The first step for a user to get onboarded is for the user to request a smartcard; for users who are just joining the organization, their manager can request a smartcard on their behalf. Depending on your settings, the request might go to your team, or the key will be automatically sent by the Keytos logistics team.
Once you receive the request, you will assign a smartcard from your inventory to the user. This does not create the certificate or FIDO2 key; instead it assigns that specific key to that user. If you are using YubiKeys, our unique cryptographic attestation technology will protect you from supply chain attacks and ensure only the assigned user can use that key.
Once the user receives the hardware key, they will be able to self-service onboard. If they already have a trusted identity, they can sign in with that identity and request their certificate and FIDO2 identity. If the user does not have an existing credential or is locked out of their account, they can use their government ID and a scan of their face to validate their identity.
When a user's YubiKey is blocked, they can use the EZCMS self-service portal to recover their identity. The user will need to use their government ID and a scan of their face to validate their identity (or a secondary Entra identity such as Windows Hello). Once the user has validated their identity, they will be able to factory reset their YubiKey and re-enroll in both FIDO2 and Entra CBA.