In this series, Microsoft identity team members share their reasons for loving passwordless authentication (and why you should too!). Alex Weinert continues the series with this post in which he describes how much customers are going to benefit from Temporary Access Pass.
We announced Temporary Access Pass at Ignite this week and it’s now in public preview. The fact that customers are excited about Temporary Access Pass (more on that later) makes me love passwordless even more.
Getting rid of passwords is about more than just how we sign in. When you’re someone like me who encourages customers to make passwordless a reality, you answer questions like:
“How can we onboard a new employee on their first day at work when we are truly a passwordless organization? Today, we hand a temporary password to the employee.”
“How do users sign in if they lose their FIDO2 security key? Today, we just ask them to reset their password.”
One of the reasons I love passwordless is that it gives us the opportunity to make onboarding and recovery so much better! No more answering a long list of knowledge-based questions whose answers are easy to guess (like your dog’s name), answers that you, and an attacker, can use one day to get back into your account.
We created Temporary Access Pass to solve these problems. Temporary Access Pass allows users to register for passwordless authentication methods and recover access to their account using a time-limited passcode.
How customers are using Temporary Access Pass
Every organization has its own unique, well-established employee onboarding and identity verification processes. Temporary Access Pass integrates into these processes through the Microsoft Graph APIs: once your process has verified who the person is, an administrator or a provisioning tool creates a pass for that one user, choosing its lifetime and whether it can be used once or many times, and the user signs in with it to register their passwordless method. Our private preview customers love it:
“Temporary Access Pass is a critical technology feature that will enable our global employee base to securely onboard FIDO2 security keys in a manner that adheres to the NIST authentication assurance level 3 guidelines that we are bound to” ~ Temporary Access Pass preview customer.
An aerospace customer with a hybrid environment wanted to let employees use FIDO2 security keys with Azure Active Directory-connected applications. Employees previously needed to use passwords and multi-factor authentication to register the FIDO2 key on their account. Now, employees log in to the company’s internal identity management tool using a smart card. Using the Microsoft Graph APIs, the tool issues a one-time Temporary Access Pass. The user then signs in with the pass to register a FIDO2 key, with no enterprise password required at any point.
We have also enhanced the Authenticator app registration experience for phone sign-in. Users can now sign in to their Azure AD accounts directly in the app, for example with a Temporary Access Pass, without scanning a QR code on the Security Info page in Azure AD.
“Temporary Access Pass allows us to onboard to phone sign-in with the Authenticator app quickly and without knowledge of the user’s password or Azure AD multifactor authentication methods” ~ Private preview customer
Another organization that participated in the private preview prefers phone sign-in with the Microsoft Authenticator app for Office 365 authentication, replacing its existing multi-factor authentication server implementation. On the first day at work, a new employee’s identity is verified by their colleagues. After the identity verification, the employee goes to the company’s internal portal, where they are issued a new Temporary Access Pass for their account. The employee installs the Authenticator app and registers phone sign-in directly from the app by signing in with the pass. From then on, the user can use the app for every sign-in.
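The issuance step at the heart of both stories above (the identity management tool in the aerospace example and the internal portal in the second) looks like this when scripted against Microsoft Graph. This is an added example written for this page, not code from the post or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the UserAuthenticationMethod.ReadWrite.All permission (for instance an Authentication Administrator, or the app identity of a provisioning tool), and uses the v1.0 endpoint that shipped after the preview; the user principal name is a placeholder.

```powershell
# Added example (not from the original post or from Microsoft):
# issue a single-use Temporary Access Pass for one user via Microsoft Graph.
# Assumes: Microsoft.Graph PowerShell SDK, caller has
# UserAuthenticationMethod.ReadWrite.All, and TAP is enabled for this user
# in the tenant's Authentication methods policy.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # placeholder, e.g. new.hire@contoso.example
    [int] $LifetimeInMinutes = 60,                        # must sit within the policy's min/max
    [switch] $Reusable                                    # default is one-time use
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' | Out-Null

$base = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/authentication/temporaryAccessPassMethods"

# A user can hold only one Temporary Access Pass at a time, so clear any
# leftover (expired or unused) pass before issuing a fresh one.
$existing = Invoke-MgGraphRequest -Method GET -Uri $base
foreach ($old in $existing.value) {
    Invoke-MgGraphRequest -Method DELETE -Uri "$base/$($old.id)" | Out-Null
}

$body = @{
    lifetimeInMinutes = $LifetimeInMinutes
    isUsableOnce      = -not $Reusable.IsPresent
} | ConvertTo-Json

try {
    $pass = Invoke-MgGraphRequest -Method POST -Uri $base -Body $body -ContentType 'application/json'
}
catch {
    # Typical causes: TAP not enabled for this user in the Authentication methods
    # policy, caller lacking the permission/role, or a lifetime outside the
    # policy's configured bounds.
    throw "Could not issue a Temporary Access Pass for ${UserPrincipalName}: $($_.Exception.Message)"
}

if (-not $pass.isUsable) {
    Write-Warning "Pass was created but is not usable: $($pass.methodUsabilityReason)"
}

# The passcode is returned exactly once, in this POST response; it cannot be
# read back later. Hand it to the verified user out of band and keep it out of logs.
[pscustomobject]@{
    User       = $UserPrincipalName
    Pass       = $pass.temporaryAccessPass
    ValidFrom  = $pass.startDateTime
    Lifetime   = "$($pass.lifetimeInMinutes) min"
    OneTimeUse = $pass.isUsableOnce
}
```

Two practical points follow from the script. The pass is only returned in the creation response, so whatever issues it (the portal, the identity tool) is also the only place that can deliver it to the person, which is why both customers tie issuance to a step where identity has just been verified. And because the Authentication methods policy controls who may receive a pass and how long it may live, a request from an account or group that the policy does not cover fails at the POST rather than producing a pass that silently never works.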
So that’s my reason for being excited about Passwordless. Make sure to read my colleague’s final post in the series coming soon. Read details about Temporary Access Pass.