Is it Safe to Use SMS for Self-Service Password Reset Alongside Other Methods?

Asked By TechSavvy2023 On

Good afternoon! I'm planning to roll out Self-Service Password Reset (SSPR) at my organization and wanted to gather some insights. Our goal is to move towards a passwordless experience, but we still have some legacy applications that require Active Directory (AD) passwords.

All our devices are fully Entra Joined, with identities synced from our on-prem domain, and we have password writeback enabled along with hash sync. Laptop users utilize Windows Hello for Business (WHfB), and our shared devices use YubiKeys, which have been functioning well. However, users sometimes forget their passwords, especially for legacy apps and when trying to access from personal mobile devices. We're hoping to provide everyone with a YubiKey for passwordless NFC authentication, as not all users are comfortable with the authenticator app.

For SSPR, I've configured it to require two methods. Every user either has a hardware token or uses the Authenticator app, which is provided by the company as the primary option. For the second method, I'm considering implementing SMS. While some users are hesitant, many others are okay with using it on their personal devices.

So, my question is: Is it acceptable to use SMS as one of the SSPR methods in conjunction with either the Authenticator app or a hardware token? I want to clarify that SMS would solely be for SSPR and not for login purposes. I would love to hear how others have handled this!

5 Answers

Answered By SecureAccessPro On

Honestly, I don’t recommend SMS at all. If a user can't access their tokens or devices, they should reach out directly to IT and get a Temporary Access Pass (TAP).

TechSavvy2023 -

I get where you're coming from, and I’m still learning as a new admin. I thought SSPR was about making it easy for users to reset passwords while keeping security strong. Can TAP even be a viable option?

SafetyFirst24 -

I'd take SMS over needing to contact help desk staff any day! Help desk compromises happen regularly and have been involved in some big breaches.

Answered By SystemGuru55 On

In the sectors I'm working in (Healthcare and Financial), we use SMS alongside the Authenticator app. Just keep in mind that if someone manages to compromise both at once, that's a bigger threat. Make sure your Conditional Access policies are set properly to avoid using SMS too broadly, since Microsoft's combined authentication blade can be misconfigured easily.

TechSavvy2023 -

Thanks for the insight! I've actually set up a custom authentication strength to only allow certain secure methods, including Windows Hello and Microsoft Authenticator.
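A practical check behind this exchange, added here as an example and not code from anyone in the thread: before deciding whether SMS is acceptable as the second SSPR method, it helps to know which accounts would actually be relying on it, i.e. users who have a phone method registered but none of the stronger methods the question already has in place (FIDO2/YubiKey, Windows Hello for Business, Microsoft Authenticator). The script below uses the Microsoft Graph PowerShell SDK to build that list. It assumes the Microsoft.Graph module is installed and that the account running it has been granted the UserAuthenticationMethod.Read.All and User.Read.All permissions; the grouping of method types into "strong" versus "phone" is my own classification for the purpose of the check.

```powershell
# Added example, not from the original thread. Audits which users have SMS/voice
# registered as an authentication method without any stronger method alongside it.
# Assumes: Microsoft.Graph module installed; consent granted for the two scopes below.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All", "User.Read.All"

# Method types treated as strong second factors in this check (assumption, matching
# the methods the question describes as already deployed).
$strongTypes = @(
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"
)
# Phone methods cover both SMS and voice call registrations.
$phoneType = "#microsoft.graph.phoneAuthenticationMethod"

$report = foreach ($user in Get-MgUser -All -Property Id, UserPrincipalName) {
    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
    # The concrete method type is exposed through the @odata.type annotation.
    $types = @($methods | ForEach-Object { $_.AdditionalProperties["@odata.type"] })

    [pscustomobject]@{
        User        = $user.UserPrincipalName
        StrongCount = @($types | Where-Object { $strongTypes -contains $_ }).Count
        HasSms      = [bool]($types -contains $phoneType)
    }
}

# Accounts where a phone number is registered and no strong method is: a phone
# compromise would satisfy one SSPR factor with nothing stronger behind it.
$smsOnly = @($report | Where-Object { $_.HasSms -and $_.StrongCount -eq 0 })
$smsOnly | Sort-Object User | Format-Table -AutoSize

# Summary for the rollout decision.
$withSms = @($report | Where-Object { $_.HasSms }).Count
"{0} users total, {1} with SMS/voice registered, {2} relying on it without a strong method" -f `
    @($report).Count, $withSms, $smsOnly.Count
```

Run it from an admin workstation after the SSPR registration campaign; a non-empty `$smsOnly` list is the population for which the "both methods compromised at once" concern raised above is really a single-method concern, and those are the users to target with YubiKeys or Authenticator enrolment first.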

Answered By CleverTechie99 On

You can definitely use the Authenticator app combined with email. However, be cautious! Email is often the first target in identity theft cases. If someone compromises the email, they can get access to MFA codes and sit quietly until they exploit everything.

CuriousUser88 -

That's true. I personally think email is riskier than SMS, but maybe I'm mistaken. It would be great to have safer options, though.

Answered By SecurityWhiz On

I think SMS is a decent option for some use cases, though I understand its limitations. But you really should be looking into alternatives for better security if possible!

Answered By ExpertDefender On

SMS isn’t a strong authentication method. Sure, it’s not easy to guess SMS codes, but compromising SMS typically involves the telco, which isn’t easy or common. While there are better methods, SMS can still be a solid choice in certain situations.
