In our recent journey to go passwordless with Entra ID, we discovered that achieving a truly secure and user-friendly passwordless environment is far from straightforward. From technical limitations to unexpected system conflicts, the transition has required careful planning and adaptation. In this post, I’ll share our key experiences, challenges, and takeaways from the past 60 days as we move toward a passwordless future for our organization.
Why Go Passwordless?
The goal of going passwordless is to improve security by eliminating traditional passwords, which are exposed to phishing, credential stuffing, reuse across services, and brute-force attacks. Instead, passwordless solutions rely on credentials that are bound to a device and never leave it: biometrics or a PIN that unlocks a key held on the device (as with Windows Hello), device-based sign-in from an authenticator app, or FIDO2 security keys. Because the secret is never typed into a web form, a phishing site has nothing to capture. However, implementing passwordless authentication is complex, particularly for an organization with a diverse user base and various access requirements.
Early Challenges and Unexpected Setbacks
Our journey began with the Windows 11 24H2 update, which, to our surprise, interfered with Entra ID's passwordless features. Additionally, Entra ID doesn't currently allow you to create a cloud user without a password, meaning we had to find ways to secure and manage these initial passwords effectively. We also had to address fundamental questions, such as:
- What happens if a user forgets their PIN?
- How can system and admin accounts operate without passwords?
- What’s the process for setting up new users securely without relying on passwords?
These questions prompted a deeper investigation into our overall passwordless strategy and potential alternatives.
Exploring Passkeys – The Initial Hurdles
In our research, we considered using passkeys, which are quickly gaining traction among large vendors and industries. However, Entra ID's current implementation of passkeys was less than ideal for us: with passkeys stored in Microsoft Authenticator, signing in from a computer uses the cross-device flow, so the user has to scan a QR code with their phone each time they log in. This would be disruptive and impractical for many users, so we opted to explore other methods.
Building Our Passwordless Framework
Our first steps involved enabling specific passwordless features and conditional access policies, including the Microsoft Authenticator app and its passwordless phone sign-in. This setup allowed us to test the login experience in a controlled environment. However, early trials revealed unexpected login loops, which, fortunately, we could address within a test tenant before rolling out to our main environment.
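The following is an added example of the kind of setup described above, written for this post and not the author's own script. It enables Microsoft Authenticator for a pilot group in the tenant's authentication methods policy and creates a report-only Conditional Access policy that requires the built-in "Passwordless MFA" authentication strength for that group, so the sign-in logs show who would be caught in a loop before anything is enforced. It assumes PowerShell 7 with the Microsoft.Graph modules installed and an account holding the Authentication Policy and Conditional Access administrator roles; the group names are placeholders.

```powershell
# Added example (not the post's own code). Assumes PowerShell 7 and the
# Microsoft.Graph modules. Group names below are assumptions for illustration.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups

$PilotGroupName      = 'Passwordless-Pilot'      # assumed: users in the pilot
$BreakGlassGroupName = 'Emergency-Access-Accounts' # assumed: never subject to CA

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Group.Read.All'

$pilot      = Get-MgGroup -Filter "displayName eq '$PilotGroupName'"
$breakGlass = Get-MgGroup -Filter "displayName eq '$BreakGlassGroupName'"
if (-not $pilot)      { throw "Group '$PilotGroupName' not found" }
if (-not $breakGlass) { throw "Group '$BreakGlassGroupName' not found" }

# 1. Authentication methods policy: enable Microsoft Authenticator for the
#    pilot group. authenticationMode 'any' allows both push MFA and
#    passwordless phone sign-in; 'push' would disable the passwordless mode.
$authenticatorConfig = @{
    '@odata.type'  = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    state          = 'enabled'
    includeTargets = @(
        @{ targetType = 'group'; id = $pilot.Id; authenticationMode = 'any' }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'microsoftAuthenticator' `
    -BodyParameter $authenticatorConfig

# 2. Look up the built-in "Passwordless MFA" authentication strength by name
#    rather than hard-coding its id.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Passwordless MFA' }
if (-not $strength) { throw 'Built-in "Passwordless MFA" strength not found' }

# 3. Conditional Access in report-only mode: pilot users, all cloud apps,
#    emergency-access accounts excluded so a bad policy cannot lock out admins.
$caPolicy = @{
    displayName   = 'Pilot - require passwordless sign-in (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeGroups = @($pilot.Id)
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
"Created CA policy $($policy.Id) in state $($policy.State)"
```

Leave the policy in report-only mode for a full sign-in cycle and review the "Report-only" tab of the sign-in logs before switching the state to `enabled`; a pilot user whose only registered method is password-plus-push would otherwise be blocked at the next login.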
Implementing Temporary Access Pass (TAP)
To further support the passwordless shift, we experimented with Temporary Access Pass (TAP), a time-limited passcode that lets a user sign in to register their passwordless credentials without ever knowing a permanent password. TAP was effective for most applications except Windows itself. We needed a solution for users who might forget their PIN or need to reset their passwordless credentials on a Windows device. To address the issue of Windows compatibility with TAP, we enabled web sign-in for Windows 11 on our Entra-joined devices, which presents an Entra ID web login at the lock screen similar to other IdP solutions like Okta. This feature allowed users to log in with their Entra credentials, including a TAP, making it possible to use TAP for both setup and reset.
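As an added example of the TAP onboarding and reset flow (not the author's script), the following turns on the Temporary Access Pass method for a pilot group in the authentication methods policy and issues a single-use, one-hour TAP to a user who has forgotten their PIN. It assumes PowerShell 7, the Microsoft.Graph modules, and an account with the Authentication Policy Administrator and Authentication Administrator roles; the group name and user principal name are placeholders. Enabling web sign-in itself is an MDM setting rather than a Graph call: the Intune settings catalog entry is "Enable Web Sign In" under Authentication (Authentication CSP, `EnableWebSignIn`), which this script only references in a comment.

```powershell
# Added example (not the post's own code). Assumes PowerShell 7 and the
# Microsoft.Graph modules; group name and UPN are placeholders.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups

$PilotGroupName = 'Passwordless-Pilot'           # assumed group name
$TargetUpn      = 'jane.doe@example.com'         # assumed user needing a reset

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod',
                        'UserAuthenticationMethod.ReadWrite.All',
                        'Group.Read.All'

$pilot = Get-MgGroup -Filter "displayName eq '$PilotGroupName'"
if (-not $pilot) { throw "Group '$PilotGroupName' not found" }

# 1. Enable the Temporary Access Pass method for the pilot group. Keep the
#    default lifetime short and default to single use: a TAP is a secret that
#    the help desk hands over out of band, so the smaller its window the better.
$tapConfig = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 480
    defaultLength            = 12
    isUsableOnce             = $true
    includeTargets           = @(
        @{ targetType = 'group'; id = $pilot.Id }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'temporaryAccessPass' `
    -BodyParameter $tapConfig

# 2. Issue a single-use TAP valid for one hour, starting now. The user enters
#    it at https://aka.ms/mysecurityinfo (or at the Windows web sign-in screen,
#    where the device has Authentication/EnableWebSignIn = 1 applied) to
#    re-register Authenticator or Windows Hello.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod `
    -UserId $TargetUpn `
    -LifetimeInMinutes 60 `
    -IsUsableOnce `
    -StartDateTime (Get-Date).ToUniversalTime()

# Show the pass exactly once; never write it to a log or ticket.
[pscustomobject]@{
    User      = $TargetUpn
    Pass      = $tap.TemporaryAccessPass
    ExpiresAt = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    OneTime   = $tap.IsUsableOnce
}
```

Verify the caller's identity before issuing the pass: a TAP is a full sign-in credential, so an attacker who can talk the help desk into one has bypassed every phishing-resistant method the user registered.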
Managing Passwords Post-Setup
With our passwordless login process working smoothly, we still needed a way to handle the passwords created during the new user setup process. Since Entra ID gives us little control over the initial password set at account creation, we've been developing a custom script that, once a user has registered a passwordless method, resets their password to a long random value that is never recorded, ensuring no known or default passwords remain active. This process is now a part of our standard new user onboarding and helps us maintain security.
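The following is an added example of such a scramble script, written for this post rather than taken from the author. For each user in an onboarding group it first confirms that at least one passwordless method (Microsoft Authenticator, a FIDO2 key, or Windows Hello for Business) is registered, then sets a 64-character password drawn from a cryptographic random source and discards it without logging, so the only way into the account is the passwordless credential plus the TAP recovery path. It assumes PowerShell 7, the Microsoft.Graph modules, and that the signed-in admin holds a role allowed to reset passwords for the target users; the group name is a placeholder.

```powershell
# Added example (not the post's own code). Assumes PowerShell 7, the
# Microsoft.Graph modules, and an admin role permitted to reset passwords.
# The onboarding group name is an assumption for illustration.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns

$OnboardingGroupName = 'New-Hires-Passwordless'   # assumed group name

# Method types that prove a user can sign in without the password.
$PasswordlessTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

function New-ScrambledPassword {
    # Uniform selection from the alphabet via RandomNumberGenerator.GetInt32
    # (rejection-sampled internally), so no modulo bias. 64 characters from
    # a 70-symbol alphabet is far beyond any online or offline guessing budget.
    param([int]$Length = 64)
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*')
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        $alphabet[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32(0, $alphabet.Length)]
    }
    # Entra requires three of four character classes; retry on the rare miss.
    $pw = -join $chars
    if ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]') { return $pw }
    return New-ScrambledPassword -Length $Length
}

function Test-HasPasswordlessMethod {
    param([string]$UserId)
    $methods = Get-MgUserAuthenticationMethod -UserId $UserId
    foreach ($m in $methods) {
        if ($PasswordlessTypes -contains $m.AdditionalProperties['@odata.type']) { return $true }
    }
    return $false
}

Connect-MgGraph -Scopes 'User.ReadWrite.All',
                        'UserAuthenticationMethod.Read.All',
                        'GroupMember.Read.All'

$group = Get-MgGroup -Filter "displayName eq '$OnboardingGroupName'"
if (-not $group) { throw "Group '$OnboardingGroupName' not found" }

foreach ($member in Get-MgGroupMember -GroupId $group.Id -All) {
    $user = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName
    if (-not (Test-HasPasswordlessMethod -UserId $user.Id)) {
        # Scrambling now would lock the user out; leave them for the next run.
        Write-Warning "$($user.UserPrincipalName): no passwordless method yet, skipped"
        continue
    }

    $password = New-ScrambledPassword
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = $password
        ForceChangePasswordNextSignIn = $false   # nobody is meant to sign in with it
    }
    $password = $null   # never logged, never stored
    Write-Output "$($user.UserPrincipalName): password scrambled"
}
```

Two caveats a practitioner should keep in mind: the presence of the Microsoft Authenticator method only shows the app is registered, not that phone sign-in was enabled in it, so the TAP plus web sign-in recovery path still has to work for anyone the script scrambles; and run the script with `-WhatIf`-style dry logging first against a test group, because a mistaken group filter resets passwords for every member it finds.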
What’s Next? Exploring Alternatives
While we've made significant progress with Entra ID's passwordless capabilities, the solution still feels incomplete. Microsoft's current passwordless setup requires additional customizations and workarounds to meet our standards for usability and security. As such, we're exploring alternatives, such as Okta, to see if another IdP offers a more comprehensive and seamless passwordless experience.
Final Thoughts
Going passwordless is a promising yet challenging endeavor, especially within complex environments. Our journey with Entra ID has highlighted both the potential and limitations of Microsoft’s current offerings. We’re committed to refining this process to provide the best possible experience for our clients and will continue to evaluate other solutions in the market.