A Comprehensive Guide to Passwordless Authentication Using Authenticator App
Discover the concept behind Passwordless Authentication and how authenticator apps are changing the way we verify identities. Explore the advantages of this approach, including stronger security, a seamless user experience, and the elimination of password-related risks.
Watch the video
To learn what Passwordless Authentication is and how to implement it using the Microsoft Authenticator app, please watch this video on our YouTube channel.
What is Passwordless Authentication
Usually, users log in to an application with their username and password.
Passwordless Authentication is a more convenient way to log in. It lets users sign in to an application without a password. Instead of a password, they can use the Microsoft Authenticator app, a security key, or a Windows PIN.
So when passwordless authentication is enabled and a user tries to log in to an application, he will not be asked to enter his password. We will also go through this practically, which will make things clearer.
Azure Active Directory (Microsoft Entra ID) offers multiple passwordless authentication options: the Authenticator app, FIDO2 security keys, and Windows Hello.
In this particular demo, we will set up passwordless authentication using the Microsoft Authenticator app.
Background Process
Let’s understand what exactly happens in the background when a user is authenticated with the Microsoft Authenticator app instead of a password.
- When a user tries to access an application, he enters his username.
- The request goes to Azure Active Directory (Microsoft Entra ID). Azure AD finds that this user has passwordless authentication enabled with the Authenticator app. If the user has an iOS device, a notification is sent to the Authenticator app on his phone through the Apple Push Notification Service; if he has an Android device, the notification is sent through Firebase Cloud Messaging. As soon as the user receives the notification, he opens the Authenticator app on his phone.
- The Authenticator app then connects to Azure Active Directory (Microsoft Entra ID) and receives a proof-of-presence challenge along with an authorization token.
- The user completes the challenge by entering his PIN to unlock the private key.
- In the next step, the authorization token that Azure AD sent is signed with the private key and sent back to Azure AD.
- Azure AD validates the signature against the user’s registered public key (the public/private key validation) and sends the Access Token, and the user is logged in to the application.
So this is how Passwordless Authentication works with the Microsoft Authenticator app.
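To make the challenge-response in the steps above concrete, here is a small simulation in Go that is added here and is not Microsoft's code or its actual protocol: the directory issues a random nonce plus the number displayed on the sign-in page, the phone signs them with the private key once the PIN has unlocked it, and the directory verifies the signature with the public key it stored when the user registered the app. Ed25519, the 0-99 number and the byte layout of the signed payload are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Directory stands in for Azure AD: the public key a user registered with the Authenticator app.
type Directory struct{ Registered ed25519.PublicKey }

// Challenge is the proof-of-presence challenge pushed to the phone.
type Challenge struct {
	Nonce  []byte // fresh random bytes per sign-in attempt, so nothing replays
	Number uint16 // 0-99, displayed on the sign-in page and typed into the app
}

// Issue creates the challenge once the user has entered only a username.
func (d *Directory) Issue() (Challenge, error) {
	buf := make([]byte, 34) // 32 nonce bytes + 2 bytes to derive the number
	if _, err := rand.Read(buf); err != nil {
		return Challenge{}, err
	}
	number := (uint16(buf[32])<<8 | uint16(buf[33])) % 100
	return Challenge{Nonce: buf[:32], Number: number}, nil
}

// payload is the exact byte string both sides sign and verify; binding the
// number into it means approving with the wrong number gives a bad signature.
func payload(nonce []byte, number uint16) []byte {
	return append(append([]byte{}, nonce...), byte(number>>8), byte(number))
}

// Approve runs on the phone after the PIN has unlocked the private key.
func Approve(priv ed25519.PrivateKey, c Challenge, typedNumber uint16) []byte {
	return ed25519.Sign(priv, payload(c.Nonce, typedNumber))
}

// Verify is the directory's public-key check; only success releases a token.
func (d *Directory) Verify(c Challenge, sig []byte) bool {
	return len(d.Registered) == ed25519.PublicKeySize && ed25519.Verify(d.Registered, payload(c.Nonce, c.Number), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	d := &Directory{Registered: pub}
	c, _ := d.Issue()
	fmt.Println("correct number:", d.Verify(c, Approve(priv, c, c.Number)))
	fmt.Println("wrong number:", d.Verify(c, Approve(priv, c, c.Number+1)))
}
```

Approving with the wrong number, reusing a signature from an earlier attempt, or signing with a key the directory never registered all fail verification, which is why the app asks the user to type the number shown on screen rather than just tap Approve.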
Prerequisites for Passwordless Authentication
Now let’s talk about the prerequisites that must be met in order to use passwordless authentication in your Azure AD organization.
- To use passwordless authentication you need a Microsoft Entra ID P1 license.
- You need to install the latest version of the Microsoft Authenticator app on your iOS or Android device.
- If you are using an Android device, you need to register the user’s account in the Authenticator app. If you are using an iOS device, that device should be registered with the tenant.
- You need a Global Administrator account to enable Passwordless Authentication.
Setup Passwordless Authentication using Authenticator App
To configure passwordless authentication, go to Azure AD > Security > Authentication Methods > Policies. Here you will see all the authentication methods that are available for Passwordless Authentication.
For this demo we are going to enable passwordless authentication using the Authenticator app, so we click Microsoft Authenticator.
Click Enable, and under Target select either All users or Select users. If you want to enable passwordless authentication for all users in your organization, select All users. If you want to turn on this feature only for specific users (a group of users), click Select users. You need to create a security group if you are going to turn on this feature for a set of users.
After creating the security group, click Select users and add the security group. Once this is done, Microsoft Authenticator will show Yes under Enabled.
The next step is for the end users to add the Microsoft Authenticator app as an authentication method.
Ask the user to log in to the Microsoft 365 portal, click the profile at the top right of the screen as shown below, and click View account.
Click Security info, click Add sign-in method, select Authenticator app, and click Add.
On the mobile phone, install the Microsoft Authenticator app, tap Add account, and then Work or school account. Select Scan a QR code, scan the QR code shown on your computer, and follow the instructions.
Test Passwordless Authentication using Authenticator App
Open a browser in incognito mode and go to the Microsoft 365 portal. Type the user’s username and click Next.
Now, instead of typing your password, click Use an app instead. On the next screen you will see a number, as shown below:
On your mobile, tap the notification that is displayed (if you do not see a notification, open the account you added while setting up the Authenticator app) and enter the number shown on your screen.
That’s it! You are logged in without typing your password.
Happy Learning!!