Multi-Factor Authentication Part II: No Passwords?

Dan Bremner, President, Castema Technology Services, Inc.

Last time in this space, I discussed why businesses should be looking at Multi-Factor Authentication (MFA) to protect themselves, and why MFA is a far better protector of your online identity than just a password. I also promised to report on a new type of "password-less" MFA that Microsoft is now rolling out to its business Office 365 customers.

What's MFA Again?

As a quick refresher, the idea behind Multi-Factor Authentication is that your username/password combination is only one of several "factors" needed to prove you are who you say you are before the system will log you in. With MFA you need something more, a second factor, in order to be granted access. Often that is a text message containing a short code to be typed in. The idea there is that an attacker must have not only the user's password but the user's phone too, making it far more likely that the person logging in is really the user. Text-message codes are the weakest of the common second factors, though: a criminal who talks your mobile carrier into moving your number to a new SIM card starts receiving your codes, which is one reason the app-based methods below are preferred.

In addition to text messages, there are other types of second factors that can be used, including an authenticator app on your phone. The "password-less" feature we're talking about today uses the Microsoft Authenticator app for your mobile device, so let's take a look at that.

How Does an Authenticator App Work?

An MFA method that's growing in popularity is the authenticator app. There are several of these available, including apps made by Google and Microsoft, and they can be used across many different services and sites. You install the app on your smartphone and register it with the service (Google, Microsoft, etc.); from then on it generates one-time codes to be typed in. Each code is computed from a secret shared with the service at registration time plus the current time (the TOTP standard, RFC 6238), so it changes every 30 seconds and the phone needs no network connection to produce it. This is similar to the "fob" concept you may have seen before, but without the expense of distributing a dedicated device to all your users, and it lets you log in even when you're somewhere you can't receive a text.

To use an authenticator app with your account, you typically go into the "security" or "passwords" area of account management, select the option to use MFA, and choose to register an app. The site will display a QR code. In your app, tap the + sign to add a new account and the camera will open; scan the QR code on the screen and the app is set up for that account. That QR code is the shared secret itself, so treat it like a password: don't screenshot it or leave it displayed on a shared screen, and if the site offers backup codes, store them somewhere safe in case the phone is lost.
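To make concrete what the app stores when it scans that QR code and how the six-digit codes are produced and checked, here is an added example in Python (it is not code from the original article or from any vendor's app). The account name, issuer and URI layout are constructed for illustration; the secret is the published RFC 6238 test key, so the codes can be checked against the RFC's own test vectors. The verification function shows the server-side details a practitioner cares about: tolerating a little clock skew, refusing to accept a code twice, and comparing in constant time.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what the QR code on the setup page encodes: an
# otpauth:// URI. The account name and issuer are hypothetical; the secret is
# the RFC 6238 test key "12345678901234567890" in base32.
EXAMPLE_URI = (
    "otpauth://totp/Example%20Corp:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Corp"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Decode the fields the app stores when it scans the QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    b32 = params["secret"]
    b32 += "=" * (-len(b32) % 8)  # some issuers omit base32 padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": base64.b32decode(b32, casefold=True),
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HOTP with the counter set to the current time step.

    Only the shared secret and the clock go in, which is why the app works
    with no signal and why a leaked QR code is as bad as a leaked password."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits, algorithm)


def verify_totp(secret, code, at=None, last_used_step=None, window=1,
                digits=6, period=30, algorithm="sha1"):
    """What the service does with the code you typed.

    Accepts the current step and `window` steps either side to absorb clock
    skew, refuses any step at or before `last_used_step` so a code cannot be
    replayed, and compares in constant time. Returns the matched step (persist
    it as the new last_used_step) or None on failure."""
    if at is None:
        at = time.time()
    step = int(at) // period
    for candidate in range(step - window, step + window + 1):
        if last_used_step is not None and candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits, algorithm), code):
            return candidate
    return None


if __name__ == "__main__":
    acct = parse_otpauth(EXAMPLE_URI)
    print(f"{acct['issuer']} / {acct['label']}: {totp(acct['secret'])}")
```

The returned step from `verify_totp` is the piece most home-grown verifiers forget: without storing it, a code that was phished or shoulder-surfed remains valid for the rest of its 30-second window plus the skew allowance.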

Login Without a Password? How Does That Work?

Recently Microsoft introduced a "password-less" login for personal Microsoft accounts (used for Hotmail, OneDrive cloud storage, Xbox, etc.) if you use the Microsoft Authenticator app. They have now announced that password-less login will also be rolling out to Office 365 business customers. This is an interesting twist on MFA, because in this case neither of the two factors is your password.

Here's how it works on my Microsoft account and my iPhone (it's also supported on Android phones). When I enter my username, instead of prompting for a password, the login screen offers to send me a notification using the Authenticator app on my phone (which I've previously registered to my account).


When I hit the Send Notification button, two things happen. First, the login screen displays a number to match (the original post shows a screenshot of this step). Second, my phone buzzes with a notification. When I tap the notification, the Authenticator app opens and presents me a choice of numbers, and I choose the one that matches my login screen.


Assuming I tap the right number, the Authenticator app then asks me to confirm with my fingerprint through Touch ID on my phone. This is the same Apple Touch ID I've already set up in the phone settings to unlock my phone; there is no separate process to "enroll" my fingerprints with Microsoft. The fingerprint check happens entirely on the phone, and what Microsoft receives is the approval the phone releases after that check, never the fingerprint itself.

So instead of typing my password, it's one click on my computer, then two taps and a fingerprint touch on my phone to get logged in. The two factors here are (1) my phone with the Authenticator app (something I have) and (2) my fingerprint, a.k.a. a biometric factor (something I am). I find this really intriguing because not only does it no longer require me to remember my password, it eliminates the risk of typing in my password and having it intercepted, for example by a keylogger that may have infected a public computer I happen to be using. One caveat: it protects the credential, not the session. If that public computer is compromised, whatever happens in the browser after I've signed in is still exposed, so the right answer for a machine you don't trust is not to sign in on it at all.
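To show why the number has to match and why a tapped approval can't be reused, here is the flow above reduced to a runnable model in Python. This is an added example, not Microsoft's code or protocol: the user name, session identifiers and the two-digit number range are assumptions, and a shared HMAC key stands in for the device-bound signing key that a real phone keeps in its secure hardware and releases only after the biometric check. What it demonstrates is the property that matters: the push to the phone carries a one-time challenge but not the number, so only someone looking at this particular login screen can answer it, and each challenge is consumed on first use.

```python
import hashlib
import hmac
import secrets


def approval_tag(device_key, nonce, number):
    """Device-bound MAC over the session nonce and the number the user picked.
    Stand-in for a signature with the phone's hardware-protected key."""
    return hmac.new(device_key, nonce + bytes([number]), hashlib.sha256).digest()


class Server:
    """The login service: knows each enrolled device's key, tracks open challenges."""

    def __init__(self):
        self.device_keys = {}  # username -> key registered at enrolment
        self.pending = {}      # session_id -> (username, nonce, number on screen)

    def enroll(self, username, device_key):
        self.device_keys[username] = device_key

    def start_login(self, username):
        """User typed a username and clicked Send Notification. Returns the number
        the browser displays and the push the phone receives. The push carries the
        nonce but NOT the number, so it can only be answered by someone who can see
        this login screen."""
        session_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        number = secrets.randbelow(90) + 10  # two-digit number shown in the browser
        self.pending[session_id] = (username, nonce, number)
        push = {"session_id": session_id, "nonce": nonce.hex(), "username": username}
        return number, push

    def finish_login(self, session_id, chosen_number, tag):
        """Check the phone's answer. The challenge is consumed on first use, right
        or wrong, so a captured answer cannot be replayed."""
        challenge = self.pending.pop(session_id, None)
        if challenge is None:
            return False
        username, nonce, number = challenge
        if chosen_number != number:
            return False
        expected = approval_tag(self.device_keys[username], nonce, chosen_number)
        return hmac.compare_digest(expected, tag)


class Phone:
    """The Authenticator app on the enrolled phone."""

    def __init__(self, device_key):
        self.device_key = device_key

    def approve(self, push, number_seen_on_screen, touch_id_ok):
        """The two taps and the fingerprint. The key is never used unless the local
        biometric check passed; the fingerprint itself never leaves the phone."""
        if not touch_id_ok:
            return None
        nonce = bytes.fromhex(push["nonce"])
        tag = approval_tag(self.device_key, nonce, number_seen_on_screen)
        return push["session_id"], number_seen_on_screen, tag


def make_pair():
    """Constructed fixture: one user enrolled with one phone (names are assumptions)."""
    server = Server()
    key = secrets.token_bytes(32)
    server.enroll("dan", key)
    return server, Phone(key), "dan"


def normal_login(server, phone, username):
    """Owner is at the screen, picks the displayed number, passes Touch ID."""
    number, push = server.start_login(username)
    return server.finish_login(*phone.approve(push, number, touch_id_ok=True))


def blind_approval(server, phone, username):
    """Someone else started the login; the phone owner isn't looking at that
    screen and so picks some number other than the displayed one."""
    number, push = server.start_login(username)
    wrong = number + 1 if number < 99 else 10
    return server.finish_login(*phone.approve(push, wrong, touch_id_ok=True))


def replayed_approval(server, phone, username):
    """A valid answer presented twice: the second presentation must fail."""
    number, push = server.start_login(username)
    answer = phone.approve(push, number, touch_id_ok=True)
    return server.finish_login(*answer), server.finish_login(*answer)


if __name__ == "__main__":
    s, p, u = make_pair()
    print("normal:", normal_login(s, p, u), "blind:", blind_approval(s, p, u),
          "replay:", replayed_approval(s, p, u))
```

The model also makes the "neither factor is the password" point visible: nothing the user types on the computer is a secret, and nothing the phone sends is useful to anyone who captures it after the fact.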

There's Always THAT Guy…

As I mentioned before, some people are sure to complain about any change in process. There are ways to make those changes easier and less intrusive (see Conditional Access rules in last month's article). It's important to realize that we need to embrace new and better ways of doing things, especially when those better ways can save me or my clients from disastrous attacks. As a business owner, I consider the extra step to confirm my login nothing compared to the inconvenience of explaining to my client why she just wired a half-million dollars to some criminal's bank account because of an email sent to her from my email account.

The "password-less" login is a way to make these changes less intrusive for our users, because if it's set up right it can be even easier and less time-consuming than typing a password. Human nature being what it is, though, you can't please everyone, and some people will complain no matter what. That's when you have to weigh the perceived inconvenience against what could happen if you don't use MFA, and not put your company at unnecessary risk.

I recommend turning on MFA for any account you have that supports it. For your business, especially if you are using Office 365, Microsoft has a number of options for MFA that are available with different enhanced security offerings, such as Enterprise Mobility + Security E3 and E5. Please let me know if you'd like to discuss ways to improve your company's security.