Hey there! We're working on enhancing security for our admin accounts. I've already downgraded all global admins to standard user roles and provided them with new accounts that have global admin access, which should only be used for elevating privileges. As part of this process of securing admin accounts in M365, I'm also interested in setting up break glass accounts for added security.
Usually, our users rely on their passwords and the Microsoft Authenticator app, which generates a rotating 6-digit code or allows them to input a 2-digit number from their PC into the app.
My question is: Since the Microsoft Authenticator app also supports passkeys, how do these passkeys provide more security compared to the traditional rotating 6-digit codes we use for MFA? I understand that passkeys help guard against risks like SIM swapping on compromised devices, but I'm trying to wrap my head around how the two authentication methods coexist and why a QR code scan could be more secure than a password that changes every 30 seconds. I've been looking into YubiKeys too, but I wanted to start with this to build my understanding before moving on to more advanced authentication tools.
1 Answer
The main advantage of passkeys is that they're resistant to phishing attacks. Unlike traditional rotating 6-digit codes, which users can mistakenly give away or enter into a fraudulent site, passkeys require you to be physically present and are tied to specific logins. That means even if someone tries to trick you, they can't use your passkey unless you're right there with it! If you're curious about the tech behind it, there's a lot of fascinating information out there.
That's interesting! Would you consider replacing authentication codes altogether if your team is using the same app for everyone? Or would you opt for multiple authentication methods like passwords, passkeys, and authenticator codes?