An Agile Refresh Of The Passwordless Strategy

Background

The Microsoft passwordless strategy guidance has existed since 2018, and it has remained a solid document since then. You can view the full document here, Password-less strategy – Windows security | Microsoft Docs, but attention usually lands on the four-step graph at the top of that page:

Figure 1: The Microsoft passwordless strategy

When discussing the strategy with organizations, the focus is usually on Step 1 – develop (deploy) password replacement offerings – and the technology involved, such as Windows Hello for Business, FIDO2 security keys, and Microsoft Authenticator App passwordless sign-in. After all, the strategy is presented as a stepped approach, so you start with the first step and then move on.

There are three primary issues with the approach:

  • Organizations read it as reinforcement that passwordless must be deployed in a waterfall approach.
  • Application authentication modernization is not emphasized strongly enough, so organizations do not right-size the effort it requires.
  • Organizations overlook the plural in "offerings" and tend to treat one solution as a one-size-must-fit-all requirement.

While issue three is not specific to this approach as designed, many organizations take the waterfall approach with a single solution and then box themselves into deploying only that one solution, which slows down progress.

Authenticator App: iOS Multiple Passwordless Account Support Is Here!

For anyone who lives in a world of multiple Azure AD accounts and the Authenticator App, you can finally rejoice: no more difficult decision over which account is the one you enable for passwordless… and potentially no more carrying multiple devices.

To date, you could enroll one Azure AD account and one personal Microsoft Account (MSA) for passwordless in the Authenticator App. Even with multiple Azure AD accounts in the same tenant, only one could go passwordless.

With this update, not only can you go passwordless for multiple accounts in the same Azure AD tenant, but across multiple tenants as well.

Azure AD: Which SSO Is The Right SSO?

It’s great having choices, except when you are not sure which choice to make.

For organizations that are on a hybrid journey with Azure AD, the question of single sign-on (SSO) almost always comes up, and people turn to the documentation with questions. Do we need hybrid join? Do we need Azure AD Seamless SSO? Do we need both? Can we configure both? Why isn’t hybrid join listed as an SSO mechanism in the docs? If hybrid join is preferred, why does Azure AD Seamless SSO have "seamless" in its name; isn’t it better?

While there is one paragraph contrasting the two choices in the docs, Azure AD Connect: Seamless Single Sign-On – Microsoft Entra | Microsoft Docs, the question still comes up often. Which brings us here: gaining clarity on the SSO choices for Azure AD. To keep the article focused, we will explore SSO for corporate-owned and managed Windows devices that are joined to an Active Directory domain.

And for the camp out there that firmly believes everything should just go straight to Azure AD Join (AADJ) and forget hybrid… this article is for those who have their reasons to stay with hybrid join for the moment, even though you should go cloud-native with AADJ.

Azure AD: FIDO2 Security Key Roundup And Review

Note

This is a stub for a post; the content has been moved to https://www.fido2reviews.com

This page previously had reviews for the following keys, which can now be found on https://www.fido2reviews.com:

  • AuthenTrend ATKey.Card
  • Feitian ePass K9
  • Feitian MultiPass K16
  • Feitian MultiPass K32
  • Feitian BioPass K27
  • Feitian Fingerprint Card
  • GoTrust Idem Card
  • GoTrust Idem Key
  • Hypersecu HyperFIDO
  • Identiv uTrust FIDO2 NFC
  • Kensington VeriMark Guard
  • SoloKeys Solo 1 Tap
  • Thetis FIDO2 Security Key
  • Token2 T2F2-Bio
  • Token2 T2F2-mini
  • Token2 T2F2-NFC-Slim
  • TrustKey T110
  • TrustKey G320H
  • Yubico YubiKey 5 NFC
  • Yubico YubiKey 5C
  • Yubico YubiKey 5 Nano
  • Yubico YubiKey Bio – FIDO Edition

World Password Day

Forget passwords. Passwords are garbage. To celebrate World Password Day, I’m curating blog articles that can help organizations on their passwordless journey.

While much of the Microsoft documentation on passwordless is quite good, it can be overwhelming at times; the hope is to give you some great leads on clear, step-by-step instructions for getting from a password-filled world to a passwordless one in Active Directory and Azure AD.

With each link, I’ve provided a rough time estimate for how long the process should take, given a dedicated effort. There may always be a fringe case or two where passwordless is more complex – for example, if your existing environment has AD FS and uses smartcards, has DCs older than 2016, or has a bunch of Macs. It always helps to review the documentation, which I also link to.