Comparison – Planning and Implementing Authentication
Now that you have an understanding of the different password-less options available for Microsoft 365, let’s look at some information that will help you choose the appropriate solution. Table 7.1 describes some basic features and requirements for each authentication scheme:
| | Windows Hello for Business | Authenticator app | FIDO2 security keys |
| --- | --- | --- | --- |
| Prerequisite requirement | Device with a built-in TPM and biometric recognition running Windows 10 (1809 or later) or Windows 11; Azure AD | Authenticator app for iOS or Android; device supporting biometric recognition | Windows 10 (1903 or later) or Windows 11; Azure AD |
| Authentication mode | Platform | Software/soft token | Hardware |
| User experience | Sign in to a supported device using a PIN or biometric data | Sign in to supported applications and browsers using a PIN or biometric data | Sign in using a FIDO2 device with a supported PIN or biometric data |
| Scenarios | Password-less sign-in with a Windows device and supported applications | Multi-platform password-less solution for web applications | Password-less sign-in for single- or multi-user scenarios, or where soft tokens are not suitable |
Table 7.1 – Authentication method comparison table
It’s also important to consider the end user scenarios your organization relies on, so that the mechanism you recommend fits your real-world use cases. Table 7.2 describes a few example scenarios:
| Role/persona | Scenario/use case | Platform | Suitable or recommended password-less methods |
| --- | --- | --- | --- |
| Administrator | Secure device access for administrative tasks | Assigned Windows 10 or Windows 11 device | Windows Hello for Business; FIDO2 |
| Administrator | Administrative tasks on down-level or non-Windows devices | Mobile, down-level, or non-Windows devices | Microsoft Authenticator app |
| Information/knowledge worker | Productivity work | Assigned Windows 10 or Windows 11 device | Windows Hello for Business; FIDO2 |
| Information/knowledge worker | Productivity work | Mobile, down-level, or non-Windows devices | Microsoft Authenticator app |
| Frontline worker | Kiosks, Azure Virtual Desktop (preview) | Shared Windows 10 or Windows 11 devices; Azure Virtual Desktop (preview) | FIDO2 |
Table 7.2 – Password-less login scenarios
With that information in hand, it’s time to look at the implementation aspects.
Configuring and managing multi-factor authentication
Configuring users for MFA increases the security posture of your Microsoft 365 environment and also protects any other apps that use Azure AD for identity and authentication.
In this section, we’ll look at configuring MFA for your tenant.