In the previous post I described the passwordless variant with a security key and its deployment. In this post I want to explain the passwordless scenario with the Microsoft Authenticator and the location map as an additional display.
Passwordless login with the Microsoft Authenticator is a very practical way to sign in easily and without additional hardware. It also raises security to a new level, because most attacks succeed through intercepted passwords. Passwords are also frequently lost and so generate additional work in many places. The additional map display adds another factor that gives the user context about the sign-in, and the push prompt itself can be made more secure with number matching.
Here you can find Microsoft's announcement of "Number matching" and the map: New Microsoft Authenticator security features are now available! - Microsoft Tech Community
Table of Contents
- Demo Video - User Experience
- Requirements Azure AD
- Settings User - Microsoft Authenticator
- Passwordless login as a user
- Summary
Demo Video - User Experience
Requirements Azure AD
First we have to make sure that the authentication method "Microsoft Authenticator" is enabled in Azure AD. We do this under Azure AD > Security > Authentication methods.

Under "Target" we can choose whether the option is available for all users or only a selected group. We carry out the configuration via the three points:

In the options menu we have the following options:
| Setting | Options |
|---|---|
| Authentication method | Any / Passwordless (enter a number) / Push (push after password entry) |
| Require number matching | Enabled / Disabled. Not only must the push be approved, a number must also be selected for confirmation. |
| Show additional context | Enabled / Disabled. The map with the login location is displayed. |

I choose the following options here to give the user the freedom to use passwordless or not.
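As an added example that is not part of the original post: a small Python check that reads the Authenticator policy object as Microsoft Graph returns it and reports which of the three settings above are not in the hardened state. The JSON shape (`featureSettings`, `includeTargets`, `authenticationMode`) is assumed from the beta Graph API, and the sample policy is constructed.

```python
"""Audit a Microsoft Authenticator authentication-method policy for the
three settings discussed above: authentication mode, number matching and
additional context (location map)."""
import json

# Constructed sample. Assumed shape: the beta Graph object at
# policies/authenticationMethodsPolicy/authenticationMethodConfigurations/
# MicrosoftAuthenticator (verify property names against your tenant).
SAMPLE_POLICY = json.loads("""
{
  "id": "MicrosoftAuthenticator",
  "state": "enabled",
  "featureSettings": {
    "numberMatchingRequiredState": {"state": "disabled"},
    "displayLocationInformationRequiredState": {"state": "enabled"}
  },
  "includeTargets": [
    {"targetType": "group", "id": "all_users", "authenticationMode": "push"}
  ]
}
""")

# Graph authenticationMode values mapped to the portal wording used above.
MODE_LABELS = {
    "any": "Any",
    "deviceBasedPush": "Passwordless (enter a number)",
    "push": "Push (push after password entry)",
}


def _feature_state(policy, name):
    """State of one featureSettings entry; 'default' when it is absent."""
    return policy.get("featureSettings", {}).get(name, {}).get("state", "default")


def audit_authenticator_policy(policy):
    """Return a list of findings; an empty list means the hardened setup."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("Microsoft Authenticator method is not enabled")
    if _feature_state(policy, "numberMatchingRequiredState") != "enabled":
        findings.append("Require number matching is off: plain push approvals are accepted")
    if _feature_state(policy, "displayLocationInformationRequiredState") != "enabled":
        findings.append("Show additional context is off: no login location map is shown")
    for target in policy.get("includeTargets", []):
        mode = target.get("authenticationMode", "any")
        if mode == "push":  # passwordless sign-in not offered to this target
            findings.append(f"target {target.get('id')} is limited to {MODE_LABELS[mode]}")
    return findings


if __name__ == "__main__":
    for finding in audit_authenticator_policy(SAMPLE_POLICY):
        print("-", finding)
```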

Settings User - Microsoft Authenticator
If the end user has already set up the Microsoft Authenticator and "Any" has been selected as the authentication method, the user has to activate passwordless login once. To do this, he can turn on the option "Enable phone sign-in" in the relevant account. If the smartphone is not yet registered, it is registered in this step.
Passwordless login as a user
The user navigates to portal.office.com, SharePoint, or another entry page as usual. There he enters his user name and presses "Next".

In the next step, the end user is shown a number; at the same time he receives a pop-up from the Authenticator on his smartphone in which he has to enter the corresponding number.
The additional map section helps the user to attribute the login. This also applies if the login is carried out not passwordless but via push after password entry.
The user is then logged in and will be redirected to the desired page.
Summary
With the Microsoft Authenticator, a passwordless scenario can be implemented very well and comfortably, and the map also provides a good clue as to where the login is coming from. The map feature raises the user's awareness and draws his attention to a possible attack from outside.
The complete functionality is activated very quickly and the user does not have to make any major configuration to use the features. Even if passwordless login is out of the question, the map offers great added value.