I'm looking for alternatives to secure multi-factor authentication (MFA) for Azure administrators, especially since our organization hasn't rolled out Windows Hello for Business yet and is fully Active Directory (AD) joined without any Entra joined devices. The management isn't interested in purchasing FIDO2 security keys right now, so I'm considering options like the Microsoft Authenticator app for phone sign-in and passkeys. My main concerns are whether these passkeys can be more secure than the phone sign-in method and how they're tied to devices. Can anyone provide insights on this?
4 Answers
If you're not going with FIDO2 keys, you're left with phone-based MFA or passkeys. Phone sign-in for the Authenticator app connects to one device—good for control but a hassle if users lose their phones. Passkeys are versatile, but lost devices can complicate management and revocation.
And remember, if passkeys are synced across devices, revocation should still protect you universally.
You have a few options! If FIDO keys are out, you might want to push for WHFB cloud trust or set up number matching for regular users. I'd also consider smart cards and CBA, but those might come with more costs and complexity.
Yeah, WHFB sounds good, but just remember, no Entra devices means you’re limited. If phone sign-in isn’t secure, what are the alternatives?
True, and if users are nervous about apps, passkeys could be a great fit since they’re supported by both iOS and Android natively.
In my experience, the Microsoft Authenticator app isn't considered fully phishing resistant. While it can be used with passkeys for better security, relying solely on the app phone sign-in could leave you vulnerable if not set up with strong Conditional Access controls. Definitely something to think about!
I actually think it is safe if you’re using passkeys with the Authenticator app. Just make sure to configure everything properly!
I’d still be cautious. Just enabling multi-factor authentication isn’t enough if it has weak ties to user devices.
Phone-based MFA via the Authenticator app is less secure and can be easily phished. I'd recommend going with passkeys as a much safer option overall.
Agreed, passkeys definitely provide a stronger defense against phishing.
So what's necessary for the Authenticator app to gain that phishing-resistant stamp of approval?

Exactly! It’s all about balance—passkeys make things easier for users since they don’t need extra apps.
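Added example, not part of the thread above: the concrete check behind the "strong Conditional Access controls" and "phishing-resistant stamp" comments is an Entra authentication strength. The built-in "Phishing-resistant MFA" strength accepts FIDO2 security keys, device-bound passkeys (including those in Microsoft Authenticator), Windows Hello for Business and certificate-based auth, and rejects Authenticator push/number-match and phone sign-in. The script below creates a report-only Conditional Access policy applying that strength to privileged roles, then lists which admins have actually registered a method that can satisfy it. It assumes the Microsoft.Graph PowerShell SDK; the GUIDs are Microsoft's documented built-in IDs and the method names are the `methodsRegistered` values from the Graph registration report, both of which you should confirm against current docs before relying on them. The break-glass account ID is a placeholder.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an account that can consent to the scopes below.
# GUIDs are Microsoft's documented built-in IDs; confirm them against current docs.

Connect-MgGraph -Scopes @(
    "Policy.ReadWrite.ConditionalAccess",
    "Policy.Read.All",
    "AuditLog.Read.All",
    "UserAuthenticationMethod.Read.All",
    "RoleManagement.Read.Directory"
)

# Built-in authentication strength "Phishing-resistant MFA": FIDO2/passkeys, WHfB, CBA.
$PhishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

# Directory role templates to protect (assumption: extend with the roles you care about).
$AdminRoleTemplateIds = @(
    "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814"  # Privileged Role Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d"  # Security Administrator
)

# Placeholder: object ID of your break-glass account, excluded so a policy
# mistake cannot lock every admin out of the tenant.
$BreakGlassUserId = "00000000-0000-0000-0000-000000000000"

# 1. Conditional Access policy: admins must satisfy the phishing-resistant strength.
#    Start in report-only, review the sign-in logs, then set state to "enabled".
$policy = @{
    displayName   = "Admins - require phishing-resistant MFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeRoles = $AdminRoleTemplateIds
            excludeUsers = @($BreakGlassUserId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $PhishingResistantStrengthId }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode"

# 2. Before enforcing: which admins can actually satisfy the strength?
#    Assumption: these are the methodsRegistered values reported by Graph; check the
#    enum for your API version. Authenticator push, number matching and phone sign-in
#    (microsoftAuthenticatorPush / microsoftAuthenticatorPasswordless) are deliberately absent.
$PhishingResistantMethods = @(
    "fido2SecurityKey",
    "passKeyDeviceBound",
    "passKeyDeviceBoundAuthenticator",
    "passKeyDeviceBoundWindowsHello",
    "windowsHelloForBusiness",
    "certificateBasedAuth"
)

# Index the registration report by user object ID.
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
    $registration[$_.Id] = $_
}

# Collect members of the protected roles (roles not yet activated in the tenant are skipped).
$adminIds = foreach ($templateId in $AdminRoleTemplateIds) {
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$templateId'"
    if ($role) {
        (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All).Id
    }
}

foreach ($id in ($adminIds | Sort-Object -Unique)) {
    $r = $registration[$id]
    if (-not $r) { continue }   # groups / service principals have no registration row
    $strong = @($r.MethodsRegistered | Where-Object { $PhishingResistantMethods -contains $_ })
    $status = if ($strong.Count -gt 0) { "OK" } else { "NOT READY" }
    "{0,-10} {1,-40} {2}" -f $status, $r.UserPrincipalName, ($r.MethodsRegistered -join ",")
}
```

An admin whose only registered methods are Authenticator push or phone sign-in shows as NOT READY: the policy would block them once enforced, which is exactly the point of running it in report-only first. For Authenticator passkeys to appear here at all, the tenant's passkey (FIDO2) authentication method policy must be enabled and, if key restrictions are enforced, must allow the Authenticator AAGUIDs listed in Microsoft's passkey documentation; that step is not shown above.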