People do not like passwords. They are prone to forgetting, being exposed and the biggest attack vector. Over time we have used passwords in both professional and personal lives, and we have learnt to use strong passwords.

In the dawn of a new era of advanced security controls for user data, passwords are no longer enough to guarantee security. Even the complex or string passwords can now be easily phished or hacked. The attack methods by bad actors have grown and become sophisticated. Now there are more threats facing user identities.

Even though passwords are familiar and an easy way to authenticate users, the costs associated with implementing and maintaining them now increasingly outweigh the benefits. New and existing threats like Spray, Credential Stuffing, and Brute-Force attacks are target passwords. According to the Microsoft 2018 Security research, more than 81% of hacking-related breaches were from stolen or weak passwords.

While the pandemic forced many organizations to adopt hybrid working, we must also remain vigilant and aware of the new threats that face our end-user identities, whether on-premises or cloud-managed.

Before we look at how you can make the authentication process less painful for your users, while maintaining a high level of security, let’s explore the available controls you can put in use for your Microsoft 365 environment.


Multi-Factor Authentication

Multifactor authentication (MFA) is an additional layer of security, to the sign-in process. It adds a verification step when users are signing into their accounts, applications, or devices. These additional methods can be a code sent to the user’s mobile number, an approval notification, or scanning their fingerprint to authorize the login.

There are several technologies that can be implemented organization-wide for MFA among them, Microsoft AuthenticatorWindows Hello for businessFIDO security keys, SMS and Voice. Having second-factor authentication methods configured for your environment, to a large extent reduces the likelihood of successful attacks targeted to your end-users. According to Verizon’s 2018 Data Breach Investigations Report, business user identities are more than 99.99% less likely to be compromised when using MFA.

With the above controls in place, you have a better chance of eliminating some of the most obvious attacks against passwords. However, password support and its maintenance still cover a big chunk of enterprise’s budgets. To mitigate against these costs and reduce the complexities that might come with Multi-Factor authentication, businesses can go a step further to implement password-less authentication.

Password-less authentication makes use of the already existing device fleet and biometrics within those devices (fingerprint readers, webcams, smartphones, etc) to process authentication. It aims to promote the use of PINs, cryptography keys, and biometrics to replace passwords, with more convenience. Users will no longer have to memorize their passwords.


Read more: Are you scratching the surface of Microsoft 365 security?


Identity is the new security

We are aware that different organisations have different authentication requirements. These requirements form the basis for choosing the right password-less technology to implement and adopt. Microsoft offers the following methods that businesses can choose from;


1.     Windows Hello for Business

Windows Hello has been around for a while and most of us are familiar with it. It allows users’ identity to be tied to a Windows 10 device and users are able to sign in using a biometric – face recognition, fingerprint, iris scan, or a PIN. These options replace the user’s account password with biometric data to authenticate to the device, enterprise applications, and any other assigned resources.

2.     Microsoft Authenticator app

With the Microsoft Authenticator app, users are able to verify their identities using their mobile phone’s biometrics or PIN. Users are required to first register their password-less enabled accounts, work or personal, with the app. After that, new logins are verified by approving a push notification or a one-time passcode sent to the app. Users can confirm authentication by either face scan, fingerprint, or PIN to complete authentication.

3.     FIDO2 security keys

Fast Identity Online (FIDO) on the other hand, uses hardware-based keys to replace passwords. They can be USB, Bluetooth, or NFC-enabled smart cards. They offer a strong authentication option without the use of passwords. Once users register FIDO2 security keys, they can use them in Azure AD joined devices, as well as signing in to resources through supported browsers. There are different FIDO security keys providers that support Microsoft online services and Windows devices.


Read more: Identity is the new security


The journey to password-less authentication

One of the major concerns regarding the implementation of password-less approaches is the complexity and end-user impact, mostly in terms of cost. Businesses are conscious of the challenges and operations disruptions these deployment methodologies might come with.
While the end goal of applying password-less authentication is to remove or reduce the use of passwords for users’ identities, it requires these organizations to have the right technology to support it. It also requires well-crafted change management and adoption plan. Having a good partner becomes handy to help plan the roadmap and ease out its implementation.
Over and above this, you will enjoy the benefits below, from password-less authentication implementation;

  • Reduced costs in the long run

Businesses will not need to spend a big chunk of their IT budget towards password resets and management. A lot of time and effort can be saved (or re-assigned to other areas) by support teams that is rather used for handling password-related inquiries.


  • Improved User Experience

The average user has about 70-80 passwords. This can be overwhelming to remember all and therefore users end up re-using the same passwords. With password-less authentication, users won’t have to memorize or store strong passwords. It is seamless and will allow users to authenticate to company resources faster, saving time.


  • Increased Security Posture

With password-less authentication, businesses will not need to worry about breaches resulting from password theft or compromises from weak passwords. You will be protected against password-related attacks like Brute-Force, Phishing, or Password Spraying. The new improved authentication methods rely on unique PINs or biometrics, which are not easy to fake or replicate.


Start using password-less authentication

FITTS is ready to take you through your password-less journey, contact us today for support with your user multi-factor authentication or security posture.