What's your opinion/experience with implementing Entra ID Passkeys?
Posted by Arrow2899@reddit | sysadmin | 33 comments
What's your opinion/experience with implementing/maintaining Entra ID Passkeys?
Top-Perspective-4069@reddit
Solid. We have almost the entire user base on them.
bobdobalina@reddit
Sweet when it works. I can't use Firefox anymore because admins have to have phishing-resistant MFA, and for whatever reason FF won't accept either the YubiKey or MS MFA over Bluetooth. But Chrome/Edge work, even on Linux.
Users have issues adding devices as MFA in the security info of their accounts due to device registration loops and conditional access requirements. So we're constantly issuing TAPs to get them going again even though they have compliant company devices with WHfB... I'm sure I did something wrong but still prodding at it...
Educational_Boot315@reddit
I use FF (on MacBook) with my admin account no problem. You probably need to check what CA policy is blocking it.
bobdobalina@reddit
Hmm, I might have to break out a Mac and give it another look. Thanks.
Educational_Boot315@reddit
Actually my bad, I forgot I am just checking for Entra joined and not compliant, so that might actually be the issue if you require compliant. I don't recall if FF can pass that information over or not.
bobdobalina@reddit
It was the profile. I had sync enabled and something in the profile was mucking it up. I ran firefox -P, tried from a fresh profile, and it worked fine.
theRealTwobrat@reddit
It can. There is a setting that needs to be enabled though.
Educational_Boot315@reddit
Microsoft Authenticator is fine for 95% of staff as long as you are using WHfB/PSSO.
The 5% that have outdated phones or just can’t follow simple directions is very painful. And if you have shared workstations, it downright sucks compared to physical hardware like yubikey. But yubikey is much more difficult to implement if your staff don’t work out of a single office so pick your battles.
Finn_Storm@reddit
So I've been looking into this and there's currently a bug with WHfB which I haven't been able to find a workaround for. The tl;dr is that it allows you to log in without an interactive prompt because WHfB passes a refresh token.
Say you have a sign-in frequency of 1 hour and have disabled WHfB in authentication strengths. A user logs on at 9 am to MS Office and is asked for an interactive MFA prompt as per their personal preference settings. The user is now authenticated. The next day, 24 hours later, the user signs in again. The authentication strength is still satisfied from the previous session, and WHfB satisfies the sign-in frequency, allowing the user to log in without an interactive prompt.
I'd consider this an issue since the device can be stolen and the only thing in between an attacker and the application is a 4-6 digit PIN.
Educational_Boot315@reddit
Why are you disabling WHfB as an authentication method? It's a phishing-resistant method and one of the strongest options unless you are forcing the use of physical keys (and your users never leave the key in, which, let's be real).
The default complexity is 6 digits, so if your users are using a 4 digit pin, that’s because you made it even weaker. You can however increase the complexity. Six digits may not sound like a lot, but with TPM 2.0 you can only attempt to guess around 52,000 times a year maximum. That’s 20 years to brute force every combination at 6 digits (2000 yrs for 8). And even then they’ll only have access to what is local, as you most surely revoked sessions, deleted the registered pin as an authentication method for the user, and sent a wipe command if it ever comes online (and isolate the device).
Finn_Storm@reddit
Because all it takes is to look over one's shoulder at a simple PIN to be able to fully authenticate once the device is stolen or left alone.
Look, it's not my reasoning, it's my bosses. I'm just trying to deal with the hand I've been dealt.
abj@reddit
How do you secure phones then. They’re just as valuable for a bad actor if you’re assuming physical access is available.
Ziegelphilie@reddit
Authenticator for most and a yubikey for those who don't want to use their personal device.
Xenstier@reddit
The correct Passkeys implementation, pretty much kills the need for derived credentials. I like it a lot, even if it is a bit tap heavy.
Azadom@reddit
I just wish I had a way to default mobile or security key in Windows. It seems like an unnecessary click each and every time
Internet-of-cruft@reddit
It's so much quicker than password entry flow though, even with that extra friction.
Sa77if@reddit
The best step you can take for your company’s security is using physical security keys. YubiKey is a strong option. With a PIN, they provide phishing-resistant login protection while also meeting MFA requirements at the same time.
The main challenge is when someone forgets their key at home. To reduce this, employees should keep it attached to their keychain. If needed, IT can issue a temporary key or provide a Temporary Access Pass valid only during the employee’s scheduled work hours.
You can also enable virtual passkeys, but that usually requires employees to use their mobile phones.
This approach removes many common problems such as password resets, stolen passwords, and reliance on authenticator apps.
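The "TAP valid only during the employee's scheduled work hours" idea above (and the constant TAP issuance bobdobalina describes earlier) can be scripted rather than clicked through in the portal. The following is an added example, not code from anyone in the thread. It assumes the Microsoft.Graph PowerShell SDK is installed, that Temporary Access Pass is enabled in the tenant's authentication methods policy, and that the caller has the UserAuthenticationMethod.ReadWrite.All scope plus a role allowed to manage authentication methods; the UPN, shift times and time zone are placeholders.

```powershell
# Added example: issue a Temporary Access Pass scoped to a shift via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed; TAP enabled in the tenant's auth methods
# policy; caller holds UserAuthenticationMethod.ReadWrite.All and an admin role that may
# manage auth methods. UPN and shift times below are placeholders.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All" -NoWelcome

$userUpn    = "jane.doe@contoso.example"      # placeholder
$shiftStart = Get-Date "2024-06-03 08:00"     # placeholder, local time
$shiftEnd   = Get-Date "2024-06-03 17:00"     # placeholder, local time

# Lifetime is capped by the tenant TAP policy (default maximum 480 minutes);
# clamp so Graph does not reject the request for an over-long pass.
$lifetime = [int]($shiftEnd - $shiftStart).TotalMinutes
$lifetime = [Math]::Min($lifetime, 480)

$body = @{
    startDateTime     = $shiftStart.ToUniversalTime().ToString("o")  # not valid before the shift
    lifetimeInMinutes = $lifetime                                    # expires at end of shift at the latest
    isUsableOnce      = $true   # one sign-in to register a passkey, then the pass is dead
}

$tap = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/users/$userUpn/authentication/temporaryAccessPassMethods" `
    -Body ($body | ConvertTo-Json) -ContentType "application/json"

# The pass value is only returned at creation time; hand it over out of band,
# never by e-mail to the account that is locked out.
"TAP for $userUpn starts $($tap.startDateTime), lifetime $($tap.lifetimeInMinutes) min: $($tap.temporaryAccessPass)"

# Follow-up check: list the user's registered methods so you can confirm the passkey
# (fido2 / passkey method) actually landed and no TAP is lingering.
$methods = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$userUpn/authentication/methods"
$methods.value | ForEach-Object { $_.'@odata.type' }
```

A single-use pass with a start time in the future covers the "forgot my key" case without leaving a multi-use bypass credential alive for the whole day; if the same user keeps needing one, the methods listing at the end is where you find out whether a passkey ever got registered.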
coret3x@reddit
This is a problem for many people. Many don't have a key at all anymore. I have a fingerprint lock at my house, an app for doors at work and the car (Tesla), etc. I don't even carry a wallet anymore. It needs to be an app for people like me.
Sobia6464@reddit
We’re currently going passwordless. It’s been very positive thus far. Hybrid environments are a bit of a struggle but we’re making it work.
Previous-Low4715@reddit
How out of interest?
Sobia6464@reddit
Microsoft Authenticator. We make it a part of work. You need to setup passwordless authentication via Microsoft Authenticator. We then have CAPs in place to enforce only allowing access via passwordless authentication.
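Both the "CAPs that only allow passwordless" setup described here and Finn_Storm's scenario earlier (a custom authentication strength that excludes WHfB, combined with a one-hour sign-in frequency, then checking whether sign-ins were really re-prompted) come down to two Graph objects and a sign-in log query. The block below is an added example, not code from either poster. It assumes the Microsoft.Graph PowerShell SDK, a caller with Policy.ReadWrite.ConditionalAccess, Policy.ReadWrite.AuthenticationMethod and AuditLog.Read.All, and uses a placeholder pilot group ID and UPN; the sign-in log fields it reads (authenticationDetails, isInteractive) are taken from the beta endpoint.

```powershell
# Added example: custom authentication strength without WHfB, a report-only CA policy
# requiring it with a 1-hour sign-in frequency, and a sign-in log check.
# Assumptions: Microsoft.Graph SDK; scopes Policy.ReadWrite.ConditionalAccess,
# Policy.ReadWrite.AuthenticationMethod, AuditLog.Read.All; group ID and UPN are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess",
                        "Policy.ReadWrite.AuthenticationMethod",
                        "AuditLog.Read.All" -NoWelcome

# 1. Authentication strength: phishing-resistant combinations, WHfB deliberately left out.
$strength = @{
    displayName         = "Phishing-resistant, no WHfB"
    description         = "FIDO2 and certificate-based MFA only"
    allowedCombinations = @("fido2", "x509CertificateMultiFactor")
}
$strengthObj = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies" `
    -Body ($strength | ConvertTo-Json) -ContentType "application/json"

# 2. Conditional Access policy: pilot group, all apps, grant = that strength,
#    session = time-based sign-in frequency of 1 hour. Created report-only so it
#    can be evaluated in the logs before anyone is locked out.
#    authenticationType is the knob to compare if you suspect the primary (WHfB)
#    sign-in is what satisfies the frequency: "primaryAndSecondaryAuthentication"
#    (the default) versus "secondaryAuthentication".
$policy = @{
    displayName = "Pilot: phishing-resistant (no WHfB) + 1h sign-in frequency"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @("00000000-0000-0000-0000-000000000000") }  # placeholder pilot group
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strengthObj.id }
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            type               = "hours"
            value              = 1
            frequencyInterval  = "timeBased"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
"Created report-only CA policy $($created.id)"

# 3. Check: for one pilot user, show each sign-in, whether it was interactive, what the
#    report-only policy would have done, and which methods were actually used.
#    A sign-in that reports success with isInteractive = false and no fido2/certificate
#    method listed is exactly the silent-satisfaction case to investigate.
$upn  = "jane.doe@contoso.example"   # placeholder
$uri  = 'https://graph.microsoft.com/beta/auditLogs/signIns?$filter=userPrincipalName eq ''' + $upn + '''&$top=25'
$logs = Invoke-MgGraphRequest -Method GET -Uri $uri
foreach ($s in $logs.value) {
    $applied = $s.appliedConditionalAccessPolicies | Where-Object { $_.id -eq $created.id }
    $methods = ($s.authenticationDetails | ForEach-Object { $_.authenticationMethod }) -join ","
    "{0}  interactive={1}  app={2}  policyResult={3}  methods={4}" -f `
        $s.createdDateTime, $s.isInteractive, $s.appDisplayName, $applied.result, $methods
}
```

Leave the policy in report-only mode for a few days of real sign-ins and read the third section's output before enforcing; the result column tells you whether the strength would have been satisfied, and the methods column tells you by what, which is the question the earlier sub-thread was arguing about.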
Previous-Low4715@reddit
Yeah, we have a hybrid environment and we are bound to the NCSC guidance (as we're a government bureau) which now states passwordless by default. Which doesn't really play with AD to Entra synced accounts for many resources. And we are one of the more modern orgs.
Arudinne@reddit
Started testing it recently because our CIO wanted to use TouchID.
Getting TouchID registered on macOS was a bit of a pain in the ass until I used Safari instead of Edge, but we also have 1Password for some people, including myself, so I think 1Password was the issue. I have the Edge extension but not the Safari one, since I never use Safari.
Once I got TouchID registered I was able to use it in both Edge and Safari if I told 1Password to let me use something else (there's a little button for a hardware key).
Educational_Boot315@reddit
Might want to look into PSSO with Secure Enclave. It requires you to push company portal and the user needs to register the device once so it does add an extra step, but it’ll prevent having to satisfy MFA prompts once the OS is unlocked.
Arudinne@reddit
We've already got that, and the users are required to register the device during the initial setup since we have all the devices in ABM with Intune set as the MDM.
Man-e-questions@reddit
It's a bit of a kludge to use and slow, but it works. I feel like it requires too many clicks, like: do you want to use it, do you really want to use it, do you really really want to use it?
Sa77if@reddit
Are you talking about passkeys in the Authenticator app? Physical keys are not complicated; you just need to insert one and type your PIN.
Man-e-questions@reddit
Oh yeah, when I read Entra ID, I assumed he meant the included type in the Authenticator app, not something like a YubiKey. My YubiKey I just insert into USB and touch the Y.
discosoc@reddit
Better now that it supports synced accounts.
TechCF@reddit
Only positives. Do Platform SSO for macOS users.
phunky_1@reddit
More organizations should adopt it.
Passwords are for dinosaurs that like to get credentials compromised in phishing attacks.
CruwL@reddit
Using YubiKeys and soft keys. Absolutely love it. We made everyone use them.
ijustjazzed@reddit
Can't be bothered, too busy keeping up with all the other shit they are throwing at us.