It would seem you would want to setup FIDO2 or smartcard logins if you truly wanted to remove passwords as a login option. Passwordless authentication has three methods to be used by organizations depending on their requirement: Windows Hello for Business FIDO2 security keys. Microsoft Achieves FIDO2 Certification for Windows Hello Brings secure passwordless authentication to over 800 million active Windows 10 devices MOUNTAIN VIEW, CALIF., FIDO Alliance announced today that Microsoft has achieved FIDO2 certification for Windows Hello. If you want to support multiple users then you can enable web-logins but that only supports TAPs so any other user requires a call to the helpdesk to generate them a TAP. But what about anyone else that might need to login? If you require a 1:1 user to computer arrangement, congrats, nobody else can log into that device. On an autopilot device this isn't an issue for the first user because you can use a TAP and force a new user to setup WHfB. You can no longer sign in if you don't have WHfB already configured. It works but it leaves you with a rather serious issue. It turns out you can actually disable password sign ins using one of two policies. There is little point to MFA if you can opt out of going through it on any login. While Microsoft considers Hello as MFA, I would argue that it's just a convenience login with some security perks because you can always skip using it and go straight to the password. Go to Type your username Click on Sign in with a security key Insert your security key Type your PIN Touch your security key You have signed in without providing a password. The goal was to see-with minimal infrstructure-what kind of MFA option is achievable using Microsoft solutions. You can sign in to Office365 with your FIDO2 security key using a supported browser.
0 kommentar(er)
