Microsoft are on a mission to go passwordless. Very honourable, if a little brobdingnagian! If users don't use their passwords anymore, then they can't forget them, and can't be "phished" (simplifying). You can use Microsoft Authenticator to go passwordless (only providing the 6 digit OTP) to Office 365. Wouldn't it be great at Windows 10 desktop logon, too?

FIDO ("YubiKey") will be possible soon for hybrid Azure AD joined computers, but that's still a physical token that must be provisioned, replaced, gets lost and forgotten, etc (for all its other benefits). under the "Passwordless sign-in to Windows for the first time with the Microsoft Authenticator app" heading.

Is anyone using something like Cisco's Duo - together with Azure AD MFA - to achieve this?

1. User installs and configures Microsoft Authenticator.
2. User enables "phone sign in" (which registers their device in Azure AD).
3. Windows 10 desktop has Duo installed, and Duo is configured to use Azure AD MFA.

Now, for mainstream (desktop + browser), you no longer provide a password; the user always enters the 6 digit OTP from their Microsoft Authenticator app.

Is this possible? Anyone doing this? Am I missing something? Anyone have any insider knowledge for when Microsoft will add this natively to Azure AD?

It doesn't use the 6 digit OTP for passwordless. That's only used when authenticating with password first and the OTP from the Authenticator app as the second factor.

For full passwordless a push notification is sent to the Authenticator app on your phone. You need to open Authenticator, auth biometrically using face-id or touch-id and then approve the sign in request.

The way I'm thinking about this is three-stage. For the PC you use every day, there's Windows Hello for Business. You unlock the PC with your PIN, face or fingerprint. When you get a new PC or when you work from home, you need to do a full passwordless auth. For those situations, you use the Authenticator app on your phone, which you have with you all the time. When someone first starts and hasn't set up their phone, or breaks their phone and has to set up a new one, that's when they use the FIDO2 key to log in. So for a new starter instead of getting their temp password to them on day 1, you provision a Yubikey and get that to them.
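The three-stage model in the reply (Windows Hello for Business for the daily PC, Authenticator push for a new PC or remote work, a FIDO2 key for day one or a lost phone) is easy to state and harder to confirm across a tenant. The script below is an added example, not code from the thread or from Microsoft: it takes the per-user method list that Microsoft Graph returns from `GET /users/{id}/authentication/methods` (the `@odata.type` values are Graph's real method types; the user records and their `id` values are constructed here so it runs offline) and reports, for each user, which stages their registered methods cover, which are still missing, and who is still password-only.

```python
"""Readiness check against the three-stage passwordless model.

Added example (not from the thread). Assumes the shape of a Microsoft Graph
/users/{id}/authentication/methods response: a list of objects each carrying
an "@odata.type". The SAMPLE_USERS data below is constructed, not real output.
"""

# Graph method types for the mechanisms the reply assigns to each stage.
WHFB = "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
AUTHENTICATOR = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"
FIDO2 = "#microsoft.graph.fido2AuthenticationMethod"
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"
PHONE = "#microsoft.graph.phoneAuthenticationMethod"  # SMS/voice, covers no stage

# (stage name, method type that satisfies it), in the order the reply lists them.
STAGES = (
    ("daily PC (Windows Hello for Business)", WHFB),
    ("new PC / working from home (Authenticator push)", AUTHENTICATOR),
    ("first day / lost phone (FIDO2 key)", FIDO2),
)

# Constructed sample keyed by UPN; each value mimics the "value" array of the
# Graph response. The "id" strings are placeholders, not real method ids.
SAMPLE_USERS = {
    "alice@example.com": [
        {"@odata.type": PASSWORD, "id": "pw-placeholder"},
        {"@odata.type": WHFB, "id": "whfb-placeholder", "displayName": "ALICE-LAPTOP"},
        {"@odata.type": AUTHENTICATOR, "id": "auth-placeholder", "displayName": "Alice's phone"},
        {"@odata.type": FIDO2, "id": "fido-placeholder", "model": "YubiKey 5"},
    ],
    "bob@example.com": [
        {"@odata.type": PASSWORD, "id": "pw-placeholder"},
        {"@odata.type": AUTHENTICATOR, "id": "auth-placeholder", "displayName": "Bob's phone"},
    ],
    "carol@example.com": [
        {"@odata.type": PASSWORD, "id": "pw-placeholder"},
    ],
    "dave@example.com": [
        {"@odata.type": PASSWORD, "id": "pw-placeholder"},
        {"@odata.type": PHONE, "id": "phone-placeholder", "phoneType": "mobile"},
    ],
}


def registered_types(methods):
    """Set of @odata.type values present in a user's methods array."""
    return {m.get("@odata.type") for m in methods}


def classify(methods):
    """Map each stage name to True/False depending on whether the user has
    registered the method that stage relies on."""
    types = registered_types(methods)
    return {name: (mtype in types) for name, mtype in STAGES}


def gaps(methods):
    """Stages the user cannot yet use, in the reply's order."""
    return [name for name, covered in classify(methods).items() if not covered]


def password_only(methods):
    """True when nothing beyond the password is registered: the state the
    thread is trying to retire."""
    return registered_types(methods) <= {PASSWORD}


def readiness_report(users):
    """Per-user summary: stage coverage, missing stages, password-only flag."""
    return {
        upn: {
            "covered": classify(methods),
            "gaps": gaps(methods),
            "password_only": password_only(methods),
        }
        for upn, methods in users.items()
    }


if __name__ == "__main__":
    for upn, result in readiness_report(SAMPLE_USERS).items():
        flag = " PASSWORD-ONLY" if result["password_only"] else ""
        print(f"{upn}:{flag} missing={result['gaps'] or 'nothing'}")
```

Against live data, replace `SAMPLE_USERS` with the parsed `value` arrays from Graph for each user. A registered Authenticator entry tells you the app is set up, not that phone sign-in is enabled, so treat the second stage as "possible" rather than "confirmed"; users like `dave@example.com`, who have an SMS method but none of the three, show up with every stage missing even though they are not password-only.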