Password-less Logins Coming to Microsoft 365

Password-less Logins Coming to Microsoft 365

When we think about account security, we tend to consider passwords a given. As cybersecurity technologies have advanced, however, passwords have become less and less viable as a primary protection method.

Today, passwords often pose more risk than protection because they are a single point of failure against intrusion. Because of this, passwords can have a profoundly limiting effect on the level of control administrators have in an IT environment. This control is instead passed on to individual users within the organization who are responsible for protecting their credentials. Should they fall for a phishing scam, for example, any other IT defense is rendered useless. While multi-factor authentication1 (MFA) can protect against credential theft, such a powerful tool shouldn’t merely be a failsafe.

In that sense, passwords can really be seen as the weakest link of cyber security that may have overstayed their welcome in our everyday lives. Today, there are more foolproof ways to authenticate into accounts and block out those unauthorized.

The ubiquity of biometric scanning is a major step forward in protecting our personal information in this way. Windows Hello, for example, is one such system that can more directly tie the identity of a user to an account by requiring a facial scan as part of logging in. Obviously, something like a fingerprint or an iris cannot be replicated or guessed as easily as a password by many orders of magnitude.

Setting a New Standard

A quick look at Microsoft’s roadmap for Microsoft 365 shows that the company will soon be implementing Windows Hello-style logins that exclude passwords. Rather than users relying on a single string of characters for account protection, the service will shift to a combination of biometrics and two-factor authentication.

An added benefit to this process is that it will greatly heighten the security of the environment, while simultaneously simplifying the authentication process for end users.

Source: Microsoft

What will this look like?

The new, password-free authentication experience will be similar to using an MFA solution with Office 365. When a user inputs their username, an access request will be sent to their designated device. To confirm the request a user will scan their fingerprint, after which they will be granted account access.

This process will occur within Microsoft’s Authenticator app for mobile devices. Once released, any business that uses Azure Active Directory will see this application set as the default option for account access. Existing settings will nopt be altered when this change goes into effect.

Source: Microsoft

What is Microsoft Authenticator?

Authenticator is a mobile application designed for speeding up the user verification process. As it currently stands, when a user logs into their account with a password the Authenticator app will request verification: Allow or Block the login? It is only after a user has verified that the login will fully process and the user can begin accessing their data.

To support Authenticator as a single factor access method, however, the process will also incorporate biometrics to secure against bad actors. Now, rather than confirming or denying the login with a simple yes/no response, users will scan either their face, irises or fingerprint to confirm the action.

Who has my fingerprints?

It should be noted that as with Windows Hello and biometric scanning, the details of ones own fingerprint and/or facial features are only stored locally within the device they are used to protect. In essence, this biometric information can truly only be accessed by the owner of the device.

This will prevent accounts from being compromised in the event of device theft, and essentially adds another factor two the authentication process. In order to access accounts, a user requires:

  • Email
  • User’s device
  • User’s “bio-signature”
  • Phone’s location is within the expected areas (IP addresses and geography)

So, unless kidnapping is involved, hackers are not likely to break into accounts by stealing credentials or devices. Overall, this move presents an exciting opportunity to change the way we think about security, and shift the standard of protection users come to expect. Microsoft lists this feature becoming widely available in Q3 2019, though it is currently rolling out to small numbers of customers. With passwords out of the picture, one of the most common methods of credential harvesting becomes irrelevant and obsolete for Microsoft 365, making the platform a great choice for enterprises prioritizing security.

For more information on how this service works, we recommend reviewing documentation released by Microsoft detailing the service, as well as reaching out to Metro CSG! As a Microsoft Partner, we can assist you in making an adoption plan for rolling out this feature to your users once officially released and ensure you are keeping your users secure.


1 - System of account authentication requiring a secondary input to grant access. In most cases this is in the form of a unique, one-time use password delivered via SMS, though other MFA services may simply require confirmation within a dedicated mobile application


Leave a comment!

All fields marked with an asterisk* are required.