I'm looking for effective multi-factor authentication (MFA) methods for Azure Admins that are resistant to phishing attacks. Our organization is fully Active Directory joined in a hybrid setup, and we haven't rolled out Windows Hello for Business. We're also not interested in purchasing FIDO2 security keys. Currently, I'm considering Microsoft Authenticator's app phone sign-in and passkeys. Do passkeys offer more security than the Microsoft Authenticator app, especially since they can be stored across multiple devices? Is there anything else I should consider?
5 Answers
Some folks underestimate the investment for FIDO2 keys. It’s not just a straightforward purchase; you’ve got ongoing costs for support, training, and managing the keys, which complicates things for IT.
I feel like the Microsoft Authenticator app isn’t fully phishing resistant. But if you're using passkeys stored in that app, it might provide more security. Just be careful when dealing with Conditional Access settings; you might lock yourself out if you're not cautious!
Actually, it can be secure if you ensure that passkeys are active within the Authenticator app. Just tread carefully with any settings changes.
I've seen many admins get locked out, so you're spot on with that warning! Always test things first.
Without FIDO2 keys, your main choices are phone-based MFA like Microsoft Authenticator or passkeys. Both can be configured to resist phishing, but here’s the catch:
- The Authenticator app ties access to a single device, which adds a layer of control but can backfire if someone misplaces their phone.
- Passkeys, on the other hand, can synchronize across multiple devices and are supported by both iOS and Android, making them user-friendly.
However, managing them can get tricky if one of the devices goes missing! Testing your Conditional Access policies before setting anything in stone is crucial.
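A concrete way to do the "test before you commit" step described in this answer (and the lock-out warning in the earlier comments), as an added example that is not part of the original thread: a Microsoft Graph PowerShell script that creates a Conditional Access policy requiring the built-in "Phishing-resistant MFA" authentication strength for admin roles, in report-only mode and with a break-glass account excluded, then summarizes what the policy would have done from the sign-in logs. It assumes the Microsoft.Graph modules (Identity.SignIns, Identity.DirectoryManagement, Reports) are installed; `$BreakGlassId`, the role names and the policy display name are placeholders you adapt to your tenant.

```powershell
# Added example (not from the thread): require phishing-resistant MFA for admins via
# Conditional Access, starting in report-only mode with a break-glass exclusion, then
# read the report-only results back from the sign-in logs before enforcing.
# Assumptions: Microsoft.Graph modules installed; $BreakGlassId is a placeholder you
# replace with your emergency-access account's object ID.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All',
                        'AuditLog.Read.All','Directory.Read.All'

# Built-in authentication strengths ship with fixed IDs; resolve by name rather than
# hard-coding (the phishing-resistant one is expected to be ...-000000000004).
$phishingResistant = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $phishingResistant) { throw 'Phishing-resistant MFA strength not found' }

$BreakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder: break-glass account object ID

# Admin roles by directory role template ID, resolved by display name.
$adminRoleNames = 'Global Administrator','Privileged Role Administrator','Security Administrator'
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

$policy = @{
    displayName = 'Admins: require phishing-resistant MFA'
    # Report-only: evaluated and logged, never enforced. Switch to 'enabled' only
    # after the summary below shows no unexpected reportOnlyFailure entries.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeRoles = $roleIds; excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistant.Id }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After a few days, count what the policy would have done to admin sign-ins.
# reportOnlyFailure = the sign-in would have been blocked once enforced; those are
# the admins who still need a passkey, FIDO2 key, WHfB or CBA credential.
function Get-ReportOnlySummary {
    param([Parameter(Mandatory)][string]$PolicyName, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        ForEach-Object { $_.AppliedConditionalAccessPolicies } |
        Where-Object { $_.DisplayName -eq $PolicyName } |
        Group-Object Result |
        Select-Object Name, Count
}
Get-ReportOnlySummary -PolicyName $policy.displayName
```

Keep the break-glass exclusion and the report-only state until the summary shows only `reportOnlySuccess` (or `reportOnlyNotApplied`) for your admins; a `reportOnlyFailure` row is exactly the lock-out the comments above warn about, caught before it happens.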
So, if passkeys can be revoked, does that mean they stop working on all devices? That flexibility with not needing a specific app is a huge bonus for users.
Completely agree! The convenience of passkeys is a game changer. For that phone sign-in solution, the Authenticator app mandates that it’s installed – which can be burdensome for some.
There are quite a few options to consider here. First off, I’d reconsider the company’s stance on FIDO keys. Depending on how many admins you have, it shouldn't be more than around $500 for enough YubiKeys. You could also roll out Windows Hello for Business cloud trust for non-admin users. If that's not feasible, think about enabling number matching for web sign-ins. Smart cards and certificate-based authentication are also viable, but they involve some investment too.
We might pursue the WHFB cloud trust setup, but with no plans to Entra join any devices, the options narrow down. Given they’re skeptical about passkeys tied to software, FIDO keys might be the last resort.
Yeah, if the company doesn’t budge on software-based solutions, they could be left with just traditional MFA options.
Exactly! Plus, you have to deal with logistics like shipping and safeguards to stop users from setting weak PINs for their keys.