Is It Possible To Go Passwordless? Experimenting With Temporary Access Pass in AzureAD

In my non-work conversations with friends and family, it seems there is a general growing awareness of the need to improve their security posture with their online accounts. Most people seem to have one or more of the following things in play:

  • A strong password
    • Gone are the days of simplistic or guessable passwords – most understand the need for a reasonably complex password.
  • A Passphrase
    • Instead of a complex, hard to remember password (e.g. w90ep8[5={h]U:OJ), a few people I know are moving to longer, but more memorable, passphrases (e.g. ILike$unnyDaysInMarch2!)
  • Unique passwords/passphrases for different websites/applications
    • No longer are they reusing a single password/passphrase across their entire digital life
    • This is good, but it can make passwords hard to remember, which leads to my next point
  • A Password Manager
    • Lots of great free/low cost options online to store unique, complex passwords and make them available via a browser plugin/extension or a mobile app on the smartphone of your choice.
  • MultiFactor Authentication (MFA)
    • Perhaps the gold standard for account protection, adding MFA to an existing password/passphrase massively increases the protection of the account against unauthorized access.
    • Increasingly, more and more personal and professional services allow you to turn on stronger account protection with MFA

The above are excellent and I encourage you to implement these yourself if you’ve not already embraced a combination of them for your digital life. With that said, there is a growing trend to move away from passwords altogether and use alternative means of authentication instead. From a Microsoft Azure Active Directory (AAD) perspective this is enabled by a few different technologies, and I read this week of the general availability of the Temporary Access Pass (TAP), which enables the secure onboarding of a new user into a directory without ever providing them with a permanent password. You can read about this here. The end state of a passwordless environment could look like this:

“…We use the MS Authenticator for passwordless sign in. That is the only way employees can access resources. Enrollment is based on TAP, and we do not hand over a traditional password to the users…” – Global Toy Manufacturer, EU 

Secure authentication method provisioning with Temporary Access Pass – Microsoft Tech Community

I decided I’d give this a go and see how easy it was to configure. I did run into a few hiccups so worth reading to see how you can avoid my mistakes!

Getting Started

Security is always a balancing act between convenience and robustness of the security measures.

Understanding the options for passwordless authentication and what is right for your organisation is important and you can read about this here. I generally like a combination of Windows Hello for Business which works great on a device with a camera that can do facial recognition or a fingerprint scanner, combined with the Microsoft Authenticator App configured and ready to go. If you’re going to settle on the Authenticator App, then this documentation is the starting point for you. Your pre-requisites for getting this working will be:

  • AzureAD MFA with push notifications allowed as a verification method
  • Authenticator App installed on your mobile device
  • The mobile which has the Authenticator App installed on it must be registered with the AzureAD tenant to an individual user
    • I am making this one in bold early on as this is what caught me out. I tried to use the Authenticator App on my primary mobile phone that also does passwordless authentication for my primary work account – whilst I could add my test account to Authenticator I could not register this phone with my test tenant. This meant that I was not able to truly test Passwordless and I went around in circles until I recognized this and set up Authenticator App on a spare Android smartphone I had (Pro Tip: a friend told me they use an Android Emulator on Windows to get around this issue – smart!)
  • Optional: if you’re wanting to test this out rather than implementing it organization wide, you may want to create a Security Group in AzureAD with a subset of users who you assign this policy to for testing.

Enable Passwordless Phone Sign-in Authentication Methods

First, sign into the AzureAD Admin Portal with a sufficiently privileged user. I then created the Security Group and added two users (make sure they’re licensed correctly to support this):

You then need to browse to Security –> Authentication Methods (direct link here) and make sure you turn on the two policies for Microsoft Authenticator and Temporary Access Pass:

I scoped the functionality for both policies down to the “Temp Password User Group” I created so that this would not affect the majority of users in my tenant:

Create A Temporary Access Pass

The documentation to create a Temporary Access Pass policy is outlined here, and again I’ve scoped this down to my Security Group for testing. It is possible to adjust the length of the pass, its lifetime and whether it can be used only once, which may need some consideration depending on how you’re going to distribute it (e.g. over a phone call to a remote user, or in a help desk scenario):

With the policy in place, creating a Temporary Access Pass is easy, simply find the user in AzureAD, go to their Authentication Methods, and choose to “Add Authentication Method” selecting Temporary Access Pass:

Helpfully, the TAP is shown on screen, along with the URL (https://aka.ms/mysecurityinfo) where the user should sign in and register their devices and the Authenticator App. Note that the pass value is only displayed at the point of creation, so capture it then and hand it to the user out of band:
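The same two steps, scoping the TAP policy to the pilot group and then issuing a pass for one user, can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph module is installed, that the admin account can consent to the scopes shown, and that the group name and user UPN below are placeholders you replace with your own.

```powershell
# Added example (not from the original post): configure the Temporary Access Pass
# policy for a pilot group and issue a TAP for one user via Microsoft Graph.
# Assumed: Microsoft.Graph module installed; group name and user UPN are placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod',
                        'UserAuthenticationMethod.ReadWrite.All',
                        'Group.Read.All'

# 1. Scope the TAP policy to the pilot security group (assumed name, matching
#    the group created in the portal above) and set the shape of the pass.
$pilotGroup = Get-MgGroup -Filter "displayName eq 'Temp Password User Group'"

$tapPolicy = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    defaultLength            = 8       # short enough to read over the phone; 8-48 allowed
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 480
    isUsableOnce             = $true   # a one-time pass limits the damage if it is intercepted
    includeTargets           = @(
        @{ targetType = 'group'; id = $pilotGroup.Id; isRegistrationRequired = $false }
    )
}

Invoke-MgGraphRequest -Method PATCH `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass' `
    -Body $tapPolicy

# 2. Issue a TAP for a single user (assumed UPN). The pass value is returned only
#    by this call and cannot be read back later, so capture it now and deliver it
#    to the user out of band (phone call, in person), never alongside their UPN in email.
$userUpn = 'newstarter@contoso.example'
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn `
    -IsUsableOnce -LifetimeInMinutes 60

Write-Host "TAP for $userUpn : $($tap.TemporaryAccessPass)"
Write-Host "Starts (UTC)      : $($tap.StartDateTime)"
Write-Host "Lifetime (min)    : $($tap.LifetimeInMinutes)"
Write-Host "Register at       : https://aka.ms/mysecurityinfo"
```

The `@odata.type` entry is required on the PATCH body for authentication method configurations. Keeping `isUsableOnce` on and the lifetime short is the cheapest mitigation for a pass being overheard or forwarded; the user still needs the short window to complete the Authenticator registration, so test the lifetime with a real onboarding before tightening it further.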

I want to point out again here that it is absolutely critical that the user completes the phone sign-in registration during this process. The steps are outlined below (step 5 is the key one):

  1. Browse to https://aka.ms/mysecurityinfo.
  2. Sign in, then click Add method > Authenticator app > Add to add Microsoft Authenticator.
  3. Follow the instructions to install and configure the Microsoft Authenticator app on your device.
  4. Select Done to complete Authenticator configuration.
  5. In Microsoft Authenticator, choose Enable phone sign-in from the drop-down menu for the account registered.
  6. Follow the instructions in the app to finish registering the account for passwordless phone sign-in.

A key point to understand here is that you can only register a single phone/Authenticator app for passwordless sign-in on a given work/school account:

A phone must be registered to a single work or school account. If you want to turn on phone sign-in for a different work or school account, you must unregister your account from this device through the Settings page.
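Because step 5 is easy to skip (the app is added and push MFA works, but phone sign-in was never enabled), it is worth checking a user's registration state before they are handed a new device. The following is an added example, not code from the original post or from Microsoft. It assumes an Azure AD Premium P1 licence for the registration details report, the scopes shown, and that `microsoftAuthenticatorPasswordless` and `microsoftAuthenticatorPush` are the values the report uses in `methodsRegistered` for phone sign-in and push-only registration respectively (as I recall the enum; confirm against your own tenant's output before relying on it). The UPN is a placeholder.

```powershell
# Added example (not from the original post): verify that a user completed
# passwordless phone sign-in registration, and flag any unconsumed TAP.
# Assumed: P1 licence, scopes below, methodsRegistered enum values as named here.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'User.Read.All'

function Test-PasswordlessReady {
    param([Parameter(Mandatory)][string] $UserUpn)

    $user = Get-MgUser -UserId $UserUpn -Property Id,UserPrincipalName

    # Registration report for this one user (v1.0 reports endpoint).
    $report = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails/$($user.Id)"

    $methods         = @($report.methodsRegistered)
    $hasPush         = $methods -contains 'microsoftAuthenticatorPush'          # assumed enum value
    $hasPasswordless = $methods -contains 'microsoftAuthenticatorPasswordless'  # assumed enum value

    # A TAP that is still usable after registration is a loose credential; report it
    # so the help desk can delete it rather than waiting for it to expire.
    $openTaps = @(Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id |
        Where-Object { $_.IsUsable })

    # Push-only is the trap described above: the app was added but step 5 was skipped.
    if ($hasPasswordless)  { $verdict = 'ready: phone sign-in enabled' }
    elseif ($hasPush)      { $verdict = 'app added but phone sign-in NOT enabled (redo step 5)' }
    else                   { $verdict = 'Authenticator not registered' }

    [pscustomobject]@{
        User                     = $user.UserPrincipalName
        AuthenticatorPush        = $hasPush
        AuthenticatorPhoneSignIn = $hasPasswordless
        OpenTemporaryPasses      = $openTaps.Count
        Verdict                  = $verdict
    }
}

Test-PasswordlessReady -UserUpn 'newstarter@contoso.example'
```

Run this against the test users after they report "done"; a result of push-only is exactly the state I ended up in when the phone could not be registered to the test tenant, and it looks like success from the user's side because MFA prompts still arrive.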

Signing Into Brand New Windows Device With Passwordless Authentication

One of the really cool things with passwordless authentication is that it extends to Windows sign-in as well. Usually this would be combined with Windows Hello for Business as mentioned earlier, but if you have a brand new device that you are going to AzureAD Join you can do this without needing a password. So what does this look like?

First, when prompted to setup a device for work or school, you need to choose this option:

Enter your full organization email address:

Since the user has already been configured for passwordless authentication via the Microsoft Authenticator App, no password is prompted for; instead a push notification is sent to the phone:

On my phone I’m asked to match the number on screen:

A few minutes later I have a working desktop, having never entered a password.

Based on organizational policy, it’s usually a good time during the setup to force the Windows Hello for Business configuration (instructions here). If you go to Account Settings you can see that the user is signed in and the device is joined to AzureAD:

Final Thoughts

The Education industry is often complex, and implementing security measures around identity and authentication can be challenging when not all users have a phone for MFA (students, for example). That said, senior leaders are often provided a phone by the institution and would be strong candidates to move to a passwordless approach to protect the information they have access to.

It’s clear that a lot of work has been done in the background to make Temporary Access Pass relatively simple to implement, and combined with the Microsoft Authenticator App the experience for the end user is very simple too. This is critical: reducing the friction for users to ‘get started’ or ‘get on with their jobs’ is key from an IT perspective, and ensuring that robust security measures remain in place is the balancing act for all IT and Security teams.

Embracing a passwordless approach might not be appropriate for all users in your organisation right now, but it’s definitely something to consider and trial for a smaller subset of users to provide maximum protection.

Have you already moved to Passwordless? I’d love to hear your experiences in the comments below.
