A Password is supposed to provide a secure access to an account, and it acts as a security barrier to protect the account from an attacker. However, they are also the most common way by which Security is compromised.
You can reduce your odds of being compromised by up to 99.9% by implementing multi-factor authentication (MFA). However, MFA can also lead to increase in complexity in terms of User Experience. This is leading us towards Passwordless authentication.
Password-less authentication is a form of multi-factor authentication that replaces the password with a secure alternative. The device creates a public and private key when registered. The private key can only be unlocked using a local gesture such as a biometric or PIN. Users have the option to either sign in directly via biometric recognition—such as fingerprint scan, facial recognition, or iris scan—or with a PIN that’s locked and secured on the device.
Let’s discuss some of the ways in which we can implement a Password less authentication:
Windows Hello for Business
Microsoft Authentication app
FIDO2 security keys
Introduced by Microsoft in Windows 10, Windows Hello uses biometric sensors or a PIN to verify a user’s identity. The Microsoft Authenticator app is a software token that allows users to verify their identity with a built-in biometric or a PIN when signing into their work or personal accounts from a mobile phone. You can now use portable FIDO2 hardware devices to log into a work machine or cloud services on supported devices and browsers.
| Windows Hello for Business | Microsoft Authenticator app | Fast Identity Online (FIDO) 2 security devices | |
|---|---|---|---|
| Pre-Requisite | Windows 10, version 1511 or later Azure Active Directory | Microsoft Authenticator app Phone (iOS and Android devices running Android 6.0 or above) | Windows 10, version 1809 or later Azure Active Directory |
| Mode | Platform | Software | Hardware |
| Systems and devices | PC with a built-in Trusted Platform Module (TPM) PIN and biometrics recognition | PIN and biometrics recognition on phone | FIDO2 security devices that are Microsoft compatible |
| User experience | Sign in using a PIN or biometric recognition (Facial, iris, or fingerprint) with Windows devices. Windows Hello authentication is tied to the device; the user needs both the device and a sign-in component such as a PIN or biometric factor to access corporate resources. | Sign in using a mobile phone with fingerprint scan, facial or iris recognition, or PIN. Users sign in to work or personal account from their PC or mobile phone. | Sign in using FIDO2 security device (biometrics, PIN, and NFC). User can access device based on organization controls and authenticate based on PIN, biometrics using devices such as USB security keys and NFCenabled smartcards, keys, or wearables. |
| Enabled scenarios | Password-less experience with Windows device. Applicable for dedicated work PC with ability for single sign-on to device and applications. | Password-less anywhere solution using mobile phone. Applicable for accessing work or personal applications on the web from any device. | Password-less experience for workers using biometrics, PIN, and NFC. Applicable for shared PCs and where a mobile phone is not a viable option (such as for help desk personnel, public kiosk, or hospital team). |
