Passwordless Authentication with Microsoft Entra ID

Date Posted:

8 Jul 2025

Category:

Security

Implementing Passwordless Authentication with Microsoft Entra ID

Introduction

Passwordless authentication verifies a user's identity with modern authentication factors in place of a password.

Traditional passwords are vulnerable to cyber threats and can be easily breached. Many users reuse the same password across multiple accounts, so a breach of one account can expose the others.

Many data breaches in organizations are caused by exposed user credentials. Removing the password from the authentication flow makes the system far less susceptible to dictionary attacks, brute-force attacks, credential stuffing, and other credential-based attacks. Additionally, the user experience improves because password fatigue, and the risky password-management habits it leads to, are eliminated.

Why Passwordless?

Going passwordless is a practical and safe way to manage your identity in today’s environment.

It authenticates users with factors that are difficult to steal or replicate, such as something the user has (e.g. a mobile device or security key) and something the user is (e.g. biometrics).

Microsoft Entra ID is being used to deliver passwordless authentication, which simplifies user sign-in and enhances user security.

How We’re Implementing Passwordless

Microsoft Entra ID supports multiple passwordless methods. Here’s how we’re putting them to work:

I. Passkeys

Passkeys are built on the FIDO2 security standards and let users authenticate with their device's built-in biometrics (such as Face ID, Windows Hello, or a fingerprint reader).

Benefits:

  • Easy to use — no password to remember

  • Resistant to phishing attacks

  • Works on desktops, laptops, and mobile devices.

II. Windows Hello for Business

Windows Hello for Business (WHfB) is a key part of the passwordless strategy for Windows devices: it replaces passwords with strong two-factor authentication. Users sign in with a biometric gesture (such as facial recognition or a fingerprint) or a PIN that is tied to their device.

WHfB relies on device-bound credentials on a Windows device. There's no push notification to a separate mobile device; instead, the credential lives directly on the Windows PC and the user signs in with their local biometric gesture or PIN.

The biometric data never leaves the device, which makes it highly secure. Windows Hello for Business uses public key infrastructure (PKI) or certificate-based authentication, so credentials are not easily phished or reused.

Benefits:

  • Seamless sign-in experience for Windows devices

  • Strong, device-bound credentials

  • Enhanced compliance and security posture.

III. Microsoft Authenticator App

The Microsoft Authenticator app enables users to sign in without a password by approving a push notification on their phone.

How it works:
Here’s how the passwordless sign-in flow works with the Microsoft Authenticator app:

  1. The user enters their username.

  2. Microsoft Entra ID detects that the user has a strong credential and starts the strong credential flow.

  3. A push notification is sent to the app via Apple Push Notification Service (APNS) on iOS devices, or via Firebase Cloud Messaging (FCM) on Android devices.

  4. The user receives the push notification and opens the app.

  5. The app calls Microsoft Entra ID and receives a proof-of-presence challenge and nonce.

  6. The user completes the challenge by providing their biometric or PIN to unlock the private key.

  7. The nonce is signed with the private key and sent back to Microsoft Entra ID.

  8. Microsoft Entra ID validates the signed nonce against the registered public key and returns a token.

Benefits:

  • Familiar mobile experience

  • Easy rollout for employees

  • Supports additional MFA if needed.

IV. YubiKey Security Keys

The YubiKey is a physical device that provides strong authentication using various protocols, including FIDO2, which is the underlying technology for passkeys. For users who need an extra layer of physical security — or who don’t want to rely on a mobile device — FIDO2-compliant hardware security keys like YubiKeys are an excellent choice.

How it works:
Here’s what the passwordless sign-in flow looks like when using a YubiKey:

  1. The user plugs the FIDO2 security key into their computer.

  2. Windows detects the FIDO2 security key.

  3. Windows sends an authentication request.

  4. Microsoft Entra ID sends back a nonce.

  5. The user completes their gesture to unlock the private key stored in the FIDO2 security key's secure enclave.

  6. The FIDO2 security key signs the nonce with the private key.

  7. A primary refresh token (PRT) request containing the signed nonce is sent to Microsoft Entra ID.

  8. Microsoft Entra ID verifies the signed nonce using the FIDO2 public key.

  9. Microsoft Entra ID returns a PRT, enabling access to on-premises resources.
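Both the Authenticator app flow and the YubiKey flow above are instances of the same challenge-response pattern: the identity provider issues a fresh nonce, the device unlocks a private key with a local gesture and signs the nonce, and the provider verifies the signature against the public key registered at enrollment. The following Go program is an added example written for this post; it is not Microsoft's code and does not reproduce the real Entra ID or FIDO2 wire protocol. It models both sides in one process, with an `Authenticator` type standing in for the app's key store or the security key's secure element and an `IdentityProvider` type standing in for Entra ID. The user name, the `gestureOK` flag that simulates the biometric/PIN check, and the 32-byte nonce size are constructed assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the device-side key holder (the app's key store or a
// FIDO2 key's secure element). The private key is generated here and never
// leaves this struct; only the public key is handed out.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// NewAuthenticator generates a fresh P-256 key pair (the enrollment step).
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the part registered with the identity provider at enrollment.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign signs the nonce only after the local user gesture (biometric or PIN)
// succeeds; gestureOK is a simulated stand-in for that check.
func (a *Authenticator) Sign(nonce []byte, gestureOK bool) ([]byte, error) {
	if !gestureOK {
		return nil, errors.New("user gesture failed: private key stays locked")
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// IdentityProvider models the server side: one registered public key per
// user and the nonces that have been issued but not yet consumed.
type IdentityProvider struct {
	keys    map[string]*ecdsa.PublicKey // username -> registered public key
	pending map[string]string           // hex(nonce) -> username it was issued to
}

func NewIdentityProvider() *IdentityProvider {
	return &IdentityProvider{keys: map[string]*ecdsa.PublicKey{}, pending: map[string]string{}}
}

// Register stores the public key presented at enrollment.
func (idp *IdentityProvider) Register(user string, pub *ecdsa.PublicKey) { idp.keys[user] = pub }

// IssueNonce is the "sends back a nonce" step: 32 random bytes, bound to one
// user and valid for a single use. A user with no strong credential gets none.
func (idp *IdentityProvider) IssueNonce(user string) ([]byte, error) {
	if _, ok := idp.keys[user]; !ok {
		return nil, errors.New("no strong credential registered for " + user)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	idp.pending[hex.EncodeToString(nonce)] = user
	return nonce, nil
}

// Verify is the "verifies the signed nonce using the public key" step. The
// nonce is consumed before the signature is checked, so a captured response
// cannot be replayed even if it was valid the first time.
func (idp *IdentityProvider) Verify(user string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	issuedTo, ok := idp.pending[key]
	if !ok {
		return errors.New("unknown or already-used nonce")
	}
	delete(idp.pending, key)
	if issuedTo != user {
		return errors.New("nonce was issued to a different user")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(idp.keys[user], digest[:], sig) {
		return errors.New("signature does not verify against the registered key")
	}
	return nil
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	idp := NewIdentityProvider()
	idp.Register("alice@example.com", auth.PublicKey()) // constructed sample user
	nonce, _ := idp.IssueNonce("alice@example.com")
	sig, _ := auth.Sign(nonce, true)
	fmt.Println("first use:", idp.Verify("alice@example.com", nonce, sig)) // <nil>: accepted
	fmt.Println("replay:", idp.Verify("alice@example.com", nonce, sig))    // error: nonce already used
}
```

The two properties worth noticing are that signing is gated on the local gesture (the key is useless to anyone who cannot satisfy it) and that the nonce is deleted before verification, so a second submission of the same signed response is refused regardless of the signature's validity. A signature produced by any key other than the one registered at enrollment also fails, which is what makes a stolen username on its own insufficient to sign in.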

Benefits:

  • Strong hardware-based protection

  • Phishing-resistant

  • No need for mobile apps or phone numbers

Conclusion

By removing traditional passwords, users enjoy quicker, seamless logins with less friction, no more forgotten passwords, and fewer locked accounts.

For businesses, passwordless authentication minimizes helpdesk inquiries, reduces costs linked to password resets, and enhances the overall security framework by making phishing attempts significantly less effective. Passwordless is not just a security enhancement — it’s an improved user experience.

Stay tuned to our blog to see more posts about Sailpoint products implementation and its related updates.