Microsoft 365 Passwordless Authentication

Overview

Geneseo users can add new authentication methods to their Microsoft 365 accounts that satisfy both the primary (password) and secondary (multi-factor) requirements, effectively reducing the number of steps needed to log in to Microsoft 365. These methods require either the Microsoft Authenticator mobile app or a FIDO2-compatible security key such as a YubiKey Security Key Series key.

These new methods are configured on your Microsoft 365 Security Info page.

Caveats

  • After you authenticate with a passwordless method, Microsoft makes it your default sign-in method (overriding the default method set on your Security Info page).

    • You can still authenticate with your password + MFA method by clicking Other ways to sign in when prompted for your passwordless method.

Phone Sign-In (Microsoft Authenticator)

This is an evolution of the push notification method in Microsoft Authenticator. After submitting your email address, you will be asked to approve the sign-in and enter a specific number in Microsoft Authenticator.

Caveats

  • This method requires device registration, which establishes a trust relationship between your mobile device and CIT's Microsoft systems. This makes it possible for CIT to enforce certain security settings on your device. It does not allow CIT to remotely access or wipe your device. More details on this can be found at Microsoft's page for Azure AD Registered Devices.

  • You will no longer be able to approve logins with your Apple Watch.

    • This limitation is on Microsoft's roadmap to fix, and CIT will update this document once the fix is implemented.

  • Only one Microsoft work/school account per Microsoft Authenticator can have Phone Sign-In enabled.

  • Your Microsoft Authenticator accounts are not backed up or transferable to another device.

    • There is an advanced feature that allows iPhone users to sync their accounts to iCloud if they also add a personal Microsoft account to Microsoft Authenticator. CIT does not recommend this feature; it did not play well with Phone Sign-In and device registration in testing.

Setup

  1. If you have not already, download the Microsoft Authenticator app from your mobile device app store, and connect your Microsoft Authenticator app to your Geneseo account.

  2. Follow Microsoft's guide to enable phone sign-in.

Removal

There are two methods for removing Phone Sign-In, depending on whether you are migrating to a new mobile device:

  • Unregister your device if you are migrating to a new mobile device:

    • Microsoft Authenticator settings → Device Registration

    • Tap Unregister device.

  • Disable Phone Sign-In if you want to retain device registration:

    • Tap your Microsoft Authenticator account with Phone Sign-In

    • Tap Disable phone sign-in

FIDO2 Security Key (WebAuthn)

These are USB/NFC devices with a button; during login you are prompted to unlock the key with its PIN and then tap the button. The key stores the private cryptographic keys for the accounts registered with it via the WebAuthn protocol. The most popular compatible devices are the YubiKey Security Key Series.

Caveats

  • Limited support for Apple products

    • No iOS support

    • macOS support only in Microsoft Edge and Google Chrome

  • Microsoft requires that your security key have a PIN; you will be prompted to create one during registration if your security key does not already have one.

Setup

macOS users should click skip and close the window that appears when they first plug in a security key. (macOS will try to identify the key as a keyboard.)

Follow Microsoft's guide to register your FIDO2 security key with your Microsoft account.

CIT recommends assigning a descriptive name to all registered security keys to help you distinguish between multiple registered keys.

Microsoft applies timeouts at various stages of the registration process and tends to show a confusing error when one is hit. If you see the following error, click cancel and go through the registration process again.

Removal

From your Microsoft 365 Security Info page, click Delete on the security key you want to remove.
