New Entra Phishing Resistant Passwordless Authentication | Zero-Trust Security Strategy | Explicit Verification

Let’s discuss the New Entra Phishing Resistant Passwordless Authentication. Microsoft introduced a new passwordless authentication method for Microsoft Entra to resist phishing. This innovation helps users secure their organizations.

As you know, phishing is the most critical form of spam in the cyber world. Attackers try to trick users into revealing sensitive information or granting permissions to malicious applications. Passwords are the primary attack vector for modern adversaries and a source of friction for users and administrators.

Microsoft Entra follows a Zero-Trust Security strategy, which uses principles like least-privileged access, explicit verification, and assuming breach to protect user data and accounts. The passwordless authentication feature in Entra is also part of the Zero Trust strategy.

Microsoft recommends users move to phishing-resistant passwordless authentication solutions. In this post, I will explain Entra Passwordless Authentication and help you select and prepare the right phishing-resistant passwordless credentials for your organization.

New Entra Phishing Resistant Passwordless Authentication | Zero-Trust Security Strategy | Explicit Verification - Fig.1

New Entra Phishing Resistant Passwordless Authentication

Entra’s Phishing-Resistant Passwordless Authentication methods are more convenient. Other authentication methods, like multifactor authentication (MFA), are a great way to secure your organization. However, users often get frustrated with the extra security layer on top of their need to remember passwords.

An analysis of Microsoft consumer accounts shows that sign-in with a password can take up to 9 seconds on average, but passkeys only take around 3 seconds in most cases. Passkey sign-in is easier and faster than a traditional password and MFA sign-in. Passkey users don’t need to remember their password or wait around for SMS messages.

New Entra Phishing Resistant Passwordless Authentication - Fig.2 - Creds to MS

Advantages of New Entra Phishing Resistant Passwordless Authentication

This authentication method protects one of the attackers’ most common entry points by going passwordless. It provides many advantages.

  • Phishing-resistant passwordless methods also have extra security baked in.
  • They automatically count as MFA by using something that the user has (a physical device or security key) and something the user knows or is, like a PIN or a biometric.
  • Phishing-resistant passwordless methods deflect phishing attacks against your users using hardware-backed credentials that can’t be easily compromised.
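The phishing resistance of a passkey comes from binding the credential to the relying party: the browser writes the real origin into clientDataJSON and the authenticator hashes the rpId into authenticatorData, so an assertion produced on a look-alike site cannot be accepted by the genuine one. The following is an added example (not Microsoft's or the page's own code) of the relying-party checks that enforce that binding; the RP_ID, origin and sample assertion data are constructed, and signature verification is left out.

```python
import base64
import hashlib
import json

# Relying-party configuration (assumed values for this example).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn responses use."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_assertion_binding(client_data_b64: str, auth_data_b64: str,
                             expected_challenge: str) -> tuple[bool, str]:
    """Binding checks a relying party runs on a passkey (FIDO2) assertion.
    The signature over authenticatorData || SHA-256(clientDataJSON) is
    verified after these checks and is outside this example."""
    client_data = json.loads(b64url_decode(client_data_b64))
    auth_data = b64url_decode(auth_data_b64)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    # The browser, not the user, fills in the origin, so a look-alike site
    # cannot make it read as the genuine one.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {client_data.get('origin')}"
    # First 32 bytes of authenticatorData are SHA-256(rpId) as the
    # authenticator scoped the credential; a phishing domain yields a
    # different hash.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another site"
    if not auth_data[32] & 0x01:  # flags byte, bit 0 = user presence
        return False, "user presence flag not set"
    return True, "binding checks passed"

def make_sample(origin: str, rp_id: str, challenge: str) -> tuple[str, str]:
    """Constructed stand-in for a browser's assertion response (no signature)."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    # rpIdHash (32) + flags (UP|UV = 0x05) + 4-byte signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x00"
    return b64url_encode(json.dumps(client_data).encode()), b64url_encode(auth_data)

if __name__ == "__main__":
    nonce = "Y2hhbGxlbmdl"  # constructed challenge issued by the server
    print(verify_assertion_binding(*make_sample("https://login.example.com", RP_ID, nonce), nonce))
    phish = "login-example.com.phish.invalid"
    print(verify_assertion_binding(*make_sample("https://" + phish, phish, nonce), nonce))
```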

Microsoft Entra ID offers 2 types of phishing-resistant passwordless authentication options. These are passkeys (FIDO2) and certificate-based authentication/smart cards. The following table shows the passkey (FIDO2) authentication options.

Different Authentication options (passkeys, FIDO2):
  • Windows Hello for Business
  • Platform credential for macOS (preview)
  • Microsoft Authenticator app passkeys (preview)
  • FIDO2 security keys
  • Other passkeys and providers, such as iCloud Keychain
New Entra Phishing Resistant Passwordless Authentication – Table.1
New Entra Phishing Resistant Passwordless Authentication - Fig.3

Prerequisites Entra Passwordless Authentication

You must consider some prerequisites before starting your Microsoft Entra phishing-resistant passwordless deployment project. The following list shows the prerequisites.

  • Review license requirements
  • Review the roles needed to perform privileged actions
  • Identify stakeholder teams that need to collaborate

License Requirements

Registration and passwordless sign-in with Microsoft Entra don’t require a license. Still, we recommend at least a Microsoft Entra ID P1 license for the complete set of capabilities associated with a passwordless deployment.

Integrate Apps with Microsoft Entra ID

Microsoft Entra ID is a cloud-based Identity and Access Management (IAM) service that integrates with many types of applications, including Software-as-a-Service (SaaS) apps, line-of-business (LOB) apps, on-premises apps, and more. You must integrate your applications with Microsoft Entra ID to benefit most from your investment in passwordless and phishing-resistant authentication.

New Entra Phishing Resistant Passwordless Authentication - Fig.4


Author

Anoop C Nair has been a Microsoft MVP from 2015 onwards, for 10 consecutive years. He is a Workplace Solution Architect with more than 22 years of experience in workplace technologies. He is also a blogger, speaker, and local user group community leader. His primary focus is on device management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, career, etc.
