Sunday, December 8, 2024

Passwordless Signin with MFA and Microsoft Authenticator

I wanted to take a moment to chat about something that's been on my mind lately: Microsoft's Secure Future Initiative (SFI). It's a pretty big deal around here, and I think it's worth diving into what it's all about and why it matters.

So, what exactly is SFI? In a nutshell, it's Microsoft's commitment to making sure our technology is as secure as possible. This isn't just a one-time thing; it's an ongoing effort to stay ahead of the ever-evolving threat landscape. The initiative is built on three core principles: Secure by design, secure by default, and secure operations.

As an architect who works with customers and maintains demonstration and development environments with multiple user personas, I rely on MFA with passwordless sign-in to secure those environments without slowing down my own work. Every persona, whether it exists for testing or for demonstrations, gets the same protection against unauthorized access. The same principles carry over to enterprise-wide enablement strategies, where they maintain robust security standards while improving the end-user sign-in experience.


One of the coolest things about SFI is how it ties into Microsoft's push for passwordless authentication combined with multi-factor authentication (MFA). If you haven't heard, passwordless authentication is a game-changer. It eliminates the need for traditional passwords, which are often the weakest link in security: they get reused, phished, and stuffed. Instead, we use things like biometrics or security keys, which are bound to a device and cannot be typed into a fake login page.

Passwordless phone sign-in with Microsoft Authenticator is itself multi-factor: the registered phone is the possession factor, and the biometric or PIN that unlocks the app is the second factor. Even if an attacker obtains a password, it is no longer the thing that opens the door. This approach not only boosts security but also makes life easier for users. No more juggling multiple passwords or dealing with the hassle of password resets, or even worse, storing passwords in less than optimal places.

Microsoft Authenticator can also store passwords, which at least keeps them out of documents and cloud storage files, but passwordless sign-in takes security to the next level. By using methods like biometrics (fingerprint or facial recognition) or security keys, it removes the password from the sign-in flow altogether. This reduces the risk of password-related attacks and simplifies the user experience: with passwordless sign-in, you can access your accounts quickly and securely.

Getting Started

Enabling passwordless authentication is different from enabling Microsoft Authenticator for multifactor authentication. Many tenants and users may already have MFA required (if not, I highly recommend it). The documentation and steps below walk through the additional steps needed to add passwordless sign-in on top of Authenticator-based MFA.


First we start in the Microsoft Entra admin center under Protection > Authentication methods > Policies, and open the Microsoft Authenticator method. The method must be enabled for the target users, and the Authentication mode for that target must be set to Any or Passwordless; a target left on Push allows MFA approvals only and users will not get the phone sign-in option.

Note in these screenshots that Show application name and Show geographic location are marked as Microsoft managed. You have the option to set these to Enabled as an additional control, so that every approval prompt shows users which application they are signing in to and where the request came from, which makes a request they did not initiate easier to spot and deny.

User registration

Users register themselves for the passwordless authentication method in Microsoft Entra ID. For users who have already registered the Microsoft Authenticator app for multifactor authentication, skip to the next section, Enable phone sign-in.

It's important to note here that users may already have enabled the Authenticator app for MFA, which is important to do, but that alone does not complete the enablement of passwordless sign-in.

Guided registration with My Sign-ins

To register the Microsoft Authenticator app, follow these steps:

  1. Browse to https://aka.ms/mysecurityinfo.
  2. Sign in, then select Add method > Authenticator app > Add to add Microsoft Authenticator.
  3. Follow the instructions to install and configure the Microsoft Authenticator app on your device.
  4. Select Done to complete Microsoft Authenticator configuration.

Enable phone sign-in from your authenticator app

After users have registered the Microsoft Authenticator app, they need to enable phone sign-in:

  1. In Microsoft Authenticator, select the registered account.
  2. Select Enable phone sign-in.
  3. Follow the instructions in the app to finish registering the account for passwordless phone sign-in.
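The two things the walkthrough above configures, the tenant-level Microsoft Authenticator policy and each user's actual registration state, can both be audited from Microsoft Graph. The script below is an added example, not code from the original post or from Microsoft. It reads the microsoftAuthenticator entry of the authentication methods policy (checking the method is enabled, that the target's authentication mode permits passwordless sign-in, and whether application name and location are left Microsoft managed) and the user registration details report, flagging users who registered push MFA but never enabled phone sign-in. The JSON shapes follow the Graph v1.0 microsoftAuthenticatorAuthenticationMethodConfiguration and userRegistrationDetails resources; the sample responses are constructed so it runs offline. Live calls need a bearer token in the GRAPH_TOKEN environment variable (the variable name and the assumed permissions, Policy.Read.All and AuditLog.Read.All, are this example's choices).

```python
"""Audit an Entra ID tenant for passwordless phone sign-in readiness (added example)."""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
POLICY_PATH = ("/policies/authenticationMethodsPolicy"
               "/authenticationMethodConfigurations/microsoftAuthenticator")
REGISTRATION_PATH = "/reports/authenticationMethods/userRegistrationDetails"

# Authenticator target modes that permit phone sign-in; "push" is MFA approval only.
PASSWORDLESS_MODES = {"any", "deviceBasedPush"}


def graph_get(path, token):
    """GET a Graph resource; follows @odata.nextLink when it is a collection."""
    url = GRAPH + path
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        if "value" not in body:          # single object, not a paged collection
            return body
        items.extend(body["value"])
        url = body.get("@odata.nextLink")
    return items


def check_authenticator_policy(cfg):
    """Return findings (strings) that block or weaken passwordless phone sign-in."""
    findings = []
    if cfg.get("state") != "enabled":
        findings.append("Microsoft Authenticator method is not enabled")
    for target in cfg.get("includeTargets", []):
        mode = target.get("authenticationMode")
        if mode not in PASSWORDLESS_MODES:
            findings.append(
                f"target {target.get('id')}: authenticationMode {mode!r} allows push MFA only")
    # "default" is the Microsoft managed setting; "enabled" forces the app name /
    # location into every prompt so users can recognise a request they did not make.
    features = cfg.get("featureSettings", {})
    for key, label in (("displayAppInformationRequiredState", "application name"),
                       ("displayLocationInformationRequiredState", "geographic location")):
        state = features.get(key, {}).get("state")
        if state != "enabled":
            findings.append(f"{label} in sign-in prompts is {state!r}, not 'enabled'")
    return findings


def passwordless_gap(details):
    """UPNs that registered Authenticator push MFA but never enabled phone sign-in."""
    gap = []
    for user in details:
        methods = set(user.get("methodsRegistered", []))
        if ("microsoftAuthenticatorPush" in methods
                and "microsoftAuthenticatorPasswordless" not in methods):
            gap.append(user["userPrincipalName"])
    return sorted(gap)


# Constructed sample responses (not captured from a real tenant).
SAMPLE_POLICY = {
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "displayAppInformationRequiredState": {"state": "enabled"},
        "displayLocationInformationRequiredState": {"state": "default"},
    },
    "includeTargets": [
        {"targetType": "group", "id": "all_users", "authenticationMode": "push"},
    ],
}
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example",
     "methodsRegistered": ["microsoftAuthenticatorPush", "microsoftAuthenticatorPasswordless"]},
    {"userPrincipalName": "bob@contoso.example",
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "carol@contoso.example", "methodsRegistered": ["mobilePhone"]},
]


def main():
    token = os.environ.get("GRAPH_TOKEN")          # assumed variable name for the bearer token
    if token:
        policy, users = graph_get(POLICY_PATH, token), graph_get(REGISTRATION_PATH, token)
    else:
        policy, users = SAMPLE_POLICY, SAMPLE_USERS
    for finding in check_authenticator_policy(policy):
        print("policy:", finding)
    for upn in passwordless_gap(users):
        print("push MFA only, phone sign-in not enabled:", upn)


if __name__ == "__main__":
    main()
```

Run against the constructed data it reports that the all_users target is still in push-only mode and that location display is left Microsoft managed, and lists bob as the one user who registered the app for MFA but skipped the Enable phone sign-in step. Carol has no Authenticator method at all, so she belongs in the registration campaign rather than in this list.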


In our policy, password sign-in is still administratively allowed, but the user can now make passwordless sign-in the default method.


Once enabled, end users (or test users in our development environments) are no longer prompted for a password by default; they can instead keep the password as the default method, and they can select alternate options during the login process (as shown below).




I hope this post was helpful in guiding you through the different security and authentication practices. I plan to follow up with a future post discussing the use and enablement of passkeys. Passkeys are a strong, phishing-resistant authentication method that completely replaces the need for a password when logging into applications and websites. They are created and stored on a user's device, such as a smartphone or computer. Using a passkey is as easy as using your face, fingerprint, or device PIN. Passkeys are designed to be highly secure and user-friendly, making them the preferred way to sign in. Stay tuned.
