
Passwordless Authentication with Microsoft Entra ID
Date Posted:
8 Jul 2025
Category:
Security
Implementing Passwordless Authentication with Microsoft Entra ID
Introduction
Passwordless authentication is a security approach that steps away from traditional passwords and password-based multi-factor authentication, using modern authentication methods to verify a user's identity and sign the user in to systems.
Traditional passwords are vulnerable to cyber threats and are easily breached. Many data breaches in organizations are due to exposed user credentials. Many users reuse the same password across different accounts, at times with slight variations, which serves as an attack vector for compromising user accounts.
Removing the password from the authentication flow makes the system far less exposed to dictionary attacks, brute-force attacks, credential stuffing and other attacks. It also improves the user experience: users no longer have to remember passwords, and high-risk password management practices are eliminated.
Why Passwordless?
In today's world, a passwordless approach helps safeguard against malicious attacks while providing a practical and safe way to manage identity data in an organization.
It authenticates users to their accounts with factors that are difficult to steal or replicate: something the user has (e.g. a mobile device or security key) and something the user is (e.g. biometrics).
Microsoft Entra ID is being used to implement passwordless authentication, which simplifies user sign-in and enhances user security.
How We’re Implementing Passwordless
Microsoft Entra ID supports multiple passwordless methods. Here’s how we’re putting them to work.
I. Passkeys
Passkeys are an evolution of the FIDO2 security standards, enabling users to authenticate with their device's built-in biometrics (such as Face ID, Windows Hello or a fingerprint).
Benefits:
No password required to create or use passkeys.
Resistant to phishing attacks.
Works on desktops, laptops, and mobile devices.
II. Windows Hello for Business
Windows Hello for Business is a secure method of enabling the passwordless strategy on Windows devices. Instead of typing a password, users sign in to their Windows device with a biometric gesture (such as face recognition or a fingerprint) or a PIN that is tied to that device.
The credentials reside on the Windows PC (not on a cloud server), and the user signs in with their local biometric gesture or PIN. Windows Hello for Business leverages public key infrastructure (PKI) or certificate-based authentication, ensuring that credentials are not easily phished or reused.
Benefits:
Seamless sign-in experience for Windows devices
Strong, device-bound credentials
Enhanced compliance and security posture
III. Microsoft Authenticator App
The Microsoft Authenticator app enables users to sign in without a password by approving a push notification on their phone.
How it works:
Here’s how the passwordless sign-in flow works with the Microsoft Authenticator app:
The user enters their username.
Entra ID validates the user credentials and initiates the authentication flow.
A push notification is sent to the app via Apple Push Notification Service (APNS) on iOS devices, or via Firebase Cloud Messaging (FCM) on Android devices.
The user receives the push notification and opens the app.
The app calls Microsoft Entra ID and receives a proof-of-presence challenge and nonce.
The user completes the challenge by entering their biometric or PIN to unlock the private key.
The nonce is signed with the private key and sent back to Microsoft Entra ID.
Entra ID returns an access token after validating the signed nonce.

Benefits:
Familiar mobile experience
Easy rollout for employees
Supports additional MFA if needed.
IV. YubiKey Security Keys
A YubiKey is a physical hardware key that provides secure user authentication; the secret it holds is very difficult to extract. It follows FIDO and similar protocols, which make it phishing-resistant by verifying the domain before authenticating. This ensures that the key can only be unlocked by the user who owns it.
To pass the authentication challenge, insert the YubiKey into the device or simply tap the key against the device via NFC. It is like using a key to unlock the door of a house, except that here the door leads to the user's account and sensitive information.
How it works:
Here’s what the passwordless sign-in flow looks like when using a YubiKey:
The user plugs the FIDO2 security key into the computer.
Windows detects the FIDO2 security key.
Windows sends an authentication request.
Microsoft Entra ID sends back a nonce.
The user completes their gesture to unlock the private key stored in the FIDO2 security key's secure enclave.
The FIDO2 security key signs the nonce with the private key.
The primary refresh token (PRT) request, carrying the signed nonce, is sent to Microsoft Entra ID.
Microsoft Entra ID verifies the signed nonce using the FIDO2 public key.
Microsoft Entra ID returns a PRT, enabling access to on-premises resources.
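Both the Authenticator app flow and the YubiKey flow above share the same core: Entra ID issues a nonce, a device-bound private key signs it after a user gesture, and Entra ID verifies the signature with the public key registered at enrollment. The Go simulation below is an added example, not Microsoft's code or the exact Entra ID wire protocol; the rpID, the user name and the simple SHA-256 binding of nonce to origin are constructed assumptions. It goes slightly beyond the text by also showing why a replayed signed nonce and a request from a look-alike origin both fail.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
const rpID = "idp.example.test"              // constructed relying-party ID, not a real tenant
var pubKeys = map[string]*ecdsa.PublicKey{} // IdP side (Entra ID) stores public keys only
var pending = map[string][]byte{}           // user -> nonce issued and not yet consumed
// Challenge is the "Entra ID sends back a nonce" step: fresh randomness for every sign-in.
func Challenge(user string) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand; a read failure would be fatal in production code
	pending[user] = nonce
	return nonce
}

// SignChallenge is the authenticator side (app or FIDO2 key): the private key never leaves the device and signs only for its registered origin.
func SignChallenge(priv *ecdsa.PrivateKey, registeredRP, requestedRP string, nonce []byte) []byte {
	if requestedRP != registeredRP {
		return nil // a look-alike origin gets no signature at all (phishing resistance)
	}
	d := sha256.Sum256(append([]byte(requestedRP+"|"), nonce...)) // nonce bound to the origin
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return sig
}

// Verify checks the signed nonce with the registered public key and consumes the nonce, so a captured signature cannot be replayed.
func Verify(user string, nonce, sig []byte) bool {
	pub, ok := pubKeys[user]
	if !ok || len(nonce) == 0 || !bytes.Equal(pending[user], nonce) {
		return false
	}
	delete(pending, user)
	d := sha256.Sum256(append([]byte(rpID+"|"), nonce...))
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// RunFlow registers a key for "alice", then tries a genuine sign-in, a replay, and a look-alike origin.
func RunFlow() (genuineOK, replayRejected, phishRefused bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pubKeys["alice"] = &priv.PublicKey // registration: only the public key reaches the IdP
	nonce := Challenge("alice")
	sig := SignChallenge(priv, rpID, rpID, nonce)
	genuineOK = Verify("alice", nonce, sig)
	replayRejected = !Verify("alice", nonce, sig) // the nonce was consumed by the first Verify
	return genuineOK, replayRejected, SignChallenge(priv, rpID, "idp-example.test", Challenge("alice")) == nil
}
```

The IdP never sees the private key, which is why neither a database breach on the IdP side nor a captured sign-in exchange yields a reusable credential.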
Benefits:
Strong hardware-based protection
Phishing-resistant
No additional mobile devices are required to authenticate.
Conclusion
Passwordless is not just a security enhancement — it’s an improved user experience.
Organizations can streamline the sign-in experience for users by removing the hassle of remembering passwords and reducing password fatigue. As passwords no longer have to be entered, there are fewer resets due to forgotten passwords, which reduces costs.
Stay tuned to our blog to see more posts about SailPoint products implementation and its related updates.