Using Passwordless for Office 365

As the pace of attacks continues against companies who use online services, major IAM providers such as Microsoft and Okta are looking for ways to improve theirs and your security game.

I was fortunate enough to attend the 2019 Okta forum in London and one of the drums Okta beat throughout the entire presentation was Passwordless Authentication. Microsoft are also recommending this as a major improvement to Office 365/Azure security even on top of MFA.

What is Passwordless?

Passwordless Authentication essentially means turning over the full login process to your MFA device. All my examples here are going to talk about Azure AD/Office 365 and the Microsoft Authenticator app, but other IAM / MFA providers will be similar.

When you log on to a service that uses passwordless auth, rather than simply being asked for your username and password then needing to supply a simple 6 digit pin or approve a ‘push’ notification, you simple log in with your username and you will be shown a question on screen that will need to be answered on your MFA device. The MFA device should verify that it really is you answering the query by carrying out a biometric check also alongside the query (e.g. using Face ID to verify who is using the MFA app).

This stops your password being stolen by a compromised webpage or computer, and also validates your login against several of the the standard 5 authentication factors:

• Something you are: Using biometrics to make sure it's really you.
• Something you have:  Your login token (e.g. phone with Microsoft Authenticator.

You could argue that this is also an example of Somewhere you are, because you, the login token and the device you're logging in to all have to be in the same location at the same time.

All this means that simply phishing your password or event stealing your unlocked mobile phone with your authenticator app on it will not help an intruder.

I’m going to run you through a quick guide to setting this up on Microsoft’s Azure AD along with Conditional Access in the rest of this article.

Branding your login page.

This isn't necessary to complete a test but I do think branding your Microsoft login page for Office 365 is important. Part of encouraging users to avoid fake login pages (on the grounds that even with Passwordless, some users will still fall for a fake site asking for a password)  is to make your login page customised to your corporate standard. As logos are trivial to steal, this will not do much to stop a determined attacker who is specifically targeting you, but it will slow down the rate of casual drive-by credential theft. You have other tools for spotting targetted attacks.

To do this, log in to Azure Portal as a Global Administrator and proceed to Azure Active Directory > Company Branding. Then click Configure.

A form will appear asking you to select files for background, logos, etc. These will hopefully be self-explanatory and as these are standard corporate resources, you will probably have them to hand without too much trouble, e.g. your corporate desktop wallpaper for the sign-in page background image, etc.

When you are ready, click Save at the top of the form. Your changes will be live immediately (though they may not show up everywhere consistently just yet).

You can use this custom branding on links to the Microsoft login pages by adding ?whr=yourdomain.com to the end of a url, for example: account.activedirectory.windowsazure.com/proofup.a…

Now that things look professional we can move on to the feature presentation

Enabling Passwordless Authentication.

Prerequisites

I'm going to assume you're comfortable with the basics around MFA using Conditional Access (CA), creating a CA rule, and enrolling users into MFA.  I'm assuming you already have your users configured and licenced. I'm also glossing over a lot of what I consider to be good practice for Azure MFA configuration. I will return to that later but the point of this article to to talk about passwordless. The CA rules you will see in use in this article are the ones used in the recent article about Azure MFA and Chromebooks.

Getting Started.

One thing to remember here is that Passwordless isn't an alternative to Azure's MFA mechanism. Instead it is an additional layer. This means that you can choose to apply Passwordless to some or all of your MFA users, which is great for testing. Let's get started/

Create a test group. For the purposes of this article, I’m creating an Azure AD group named IAMP_Passwordless_MFA but you can use groups synced from AD if you please.

From the Azure portal, open Azure Active Directory > Security > Authentication Methods.

Select Microsoft Authenticator Passwordless sign-in. On the control panel that appears below, select Enable = Yes, and for Target select the test group you created earlier. Click Save once you are happy with your settings, which should look similar to the ones above.

We now need to check our Conditional Access rules. In the Azure Portal, click home and then find your Azure AD Conditional Access service.

Locate your appropriate CA rule (MFA all Devices and Users in my case, below) and click to edit.

In the CA rule, select Users and Groups > Include, and ensure your test group is listed here.

Testing Passwordless

Now we're ready to test. Firstly, make sure your test group has a test user placed into it. You will also need a test device to run Microsoft Authenticator from. This can be almost any modern Android or iOS device that can do Touch or Face Biometric ID and the device must not be registered to another Azure AD tenant. This might make testing on a separate test tenant a little difficult.

To start, open up a new browser session to your Office 365 or Azure portal and sign in as your test user. You should see your newly branded login screen at this point too.

You will probably be asked to proceed through the MFA enrolment process at this point with the “More Information Required” screen.

Once your test account is enrolled and working properly with the Microsoft Authenticator and Push notifications, you are ready to enable Passwordless on this device.

In the Microsoft Authenticator app, tap on the entry for your test account to view its properties. Now tap the entry for Enable Phone Sign-In. You will be warned that your device will need to be registered against your Azure AD directory and that device security (e.g. Touch ID/Face ID) is required.

Click Continue. When prompted, sign in as your test user on that device and complete the wizard.

On your PC, sign out as that user, close your browser session and open a fresh one. Then sign in as the test user and you should now be prompted for a passwordless sign-in and prompted to complete the appropriate Touch or Face biometric challenge in order to log in successfully.

You can also view this in the Azure AD sign in reports for the test user, where it will show as MFA requirement satisfied by strong authentication. Microsoft document the log values for troubleshooting here if you have any trouble.