Choosing the Right Passwordless Credential Solution for Your Windows 365 Deployment

Overview

Passwords are a common target for cyberattacks. Relying only on usernames and passwords is not secure for any organization. While multi-factor authentication (MFA) can block more than 99.2% of attacks, MFA is not immune to phishing or other advanced threats. Moving to passwordless authentication strengthens your security posture and improves the user experience, making secure authentication easier and more appealing.

Benefits of Passwordless Authentication

Passwordless authentication offers several advantages over traditional password-based systems:

  • Reduced attack surface: Eliminates risks from password theft, reuse, phishing, and brute-force attacks.
  • Improved user experience: Users do not need to remember complex passwords or manage frequent resets. Authentication is faster and less error-prone.
  • Stronger security posture: Modern passwordless methods use cryptographic keys, biometrics, and device-bound credentials, which are more secure than passwords.
  • Simplified access: Users can securely access corporate resources from various devices, supporting organizational security policies.

Understanding User Scenarios

Selecting the right passwordless solution requires understanding how users access corporate resources, where they work, and how credentials are stored. It is best practice to offer multiple robust authentication options to meet diverse needs. This guide uses three representative personas:

Persona 1: Mobile Sales Representative

  • Frequently travels and visits clients.
  • Uses a work-provided Windows 11 laptop as the primary device.
  • Occasionally uses a personal iPad and a Windows 365 Link device at shared office desks.

Persona 2: Call Center Associate

  • Works from a single office location using a dedicated workstation.
  • Accesses corporate resources via Windows 365 Boot to Cloud.
  • Organization prefers not to issue additional hardware and does not enforce MFA on personal devices.

Persona 3: Factory Floor Operator

  • Uses IT systems infrequently, mainly for HR tasks.
  • Accesses resources from a kiosk in the office or remotely from home.

Passwordless Authentication Options

There are several passwordless options, each with unique benefits and trade-offs in portability, usability, and security.

Device-Linked Passwordless Options

For users with dedicated devices, these solutions link credentials to specific Windows or macOS systems.

Windows Hello for Business

Windows Hello for Business is Microsoft’s passwordless solution for dedicated devices.

  • Provides strong, phishing-resistant authentication for Windows 10 and 11.
  • Credentials are protected within the device’s Trusted Platform Module (TPM).
  • Users unlock the credential with biometrics (facial recognition, fingerprint) or a PIN; the biometric data and PIN never leave the device.
  • Limitation: Credentials are device-specific. Setup is required on each device, and enrollment may require a portable credential (such as mobile MFA, FIDO2 token, or Temporary Access Pass).

Platform Credential for macOS

Platform Credential for macOS gives Mac users an experience comparable to Windows Hello for Business on a Windows PC.

  • Uses a hardware-bound cryptographic key for single sign-on (SSO) across apps that authenticate with Microsoft Entra ID.
  • Requires device enrollment with a mobile device management (MDM) provider and registration with Entra ID.
  • Limitation: Credentials are also device-specific.

Mobile Passwordless Options

Mobile solutions address the limitation of device-bound credentials by enabling authentication across multiple or shared devices.

Phone Sign-In (Microsoft Authenticator)

  • Allows passwordless sign-in by approving push notifications that Entra ID sends to the Authenticator app.
  • Convenient and easy to deploy, but not considered phishing-resistant.
  • Note: There is no direct connection between the mobile device and the device being authenticated, so the approval cannot be tied to the device or site where the sign-in was actually initiated.

Passkeys and FIDO2 Keys

Passkeys are modern, phishing-resistant credentials based on FIDO standards. They can be hardware-based (FIDO2 security keys) or software-based (stored on a phone or PC).

  • FIDO2 Security Keys: Physical devices that provide robust, phishing-resistant authentication. They support USB, NFC, and Bluetooth connections.
  • Software Passkeys: Stored on a device and paired with the authenticating device, often via Bluetooth.
  • Microsoft Authenticator Passkeys: Entra ID passkeys can be stored on iOS and Android devices, enabling a phishing-resistant, passwordless experience.

Connection Methods:

  • USB A / USB C: Direct connection, portable, but can be lost.
  • NFC: Touch-based, often integrated with employee badges.
  • Bluetooth: Enables authentication at a distance, but requires charging.

Second Factor: FIDO keys require a PIN or biometric to unlock.

Recommendations by Persona

Persona 1: Mobile Sales Representative

  • Primary: Windows Hello for Business on the dedicated Windows 11 PC for fast, secure access.
  • Secondary: Mobile credential (for example, Microsoft Authenticator) for flexibility.
  • Shared/Personal Devices: FIDO2 security key for easy access on Windows 365 Link devices and personal iPad.

Persona 2: Call Center Associate

  • Primary: Windows Hello for Business on the dedicated office PC.
  • Secondary: NFC-enabled FIDO2 security key integrated with the employee’s access badge for use on other devices.

Persona 3: Factory Floor Operator

  • Primary: Passkey via Microsoft Authenticator for secure, cross-device access.
  • Alternative: Biometric FIDO2 key for environments where mobile devices are not permitted.

Conclusion

A successful passwordless deployment requires understanding the distinct needs and working environments of each user persona. By combining Windows Hello for Business, FIDO2 security keys of various types, and passkeys through Microsoft Authenticator, organizations can deliver both robust security and a seamless user experience. This layered approach strengthens security posture while maximising flexibility and convenience, accommodating scenarios that range from office-based work to highly secure or mobile environments. Ultimately, offering multiple authentication options keeps users productive while maintaining high standards of security, regardless of their role or location.