Why Passwordless Authentication is Your Best Defence Against Modern Cyber Threats 

Article by: Alex Wells-Linden, Cyber Security Analyst at Synextra

Scattered Spider and other clever cyber attackers are keeping security teams awake at night. If you’re still relying on passwords and SMS codes to protect your business from their exploits, it’s time for a serious rethink. 

Our cyber security consultant, Alex, recently explained why Entra ID passwordless authentication is becoming essential for modern businesses. Watch his full video breakdown below for an in-depth look at the technical details, or read on for the key takeaways that could transform your organisation’s security posture for the better. 

The uncomfortable truth about traditional security 

We’ve all been there—juggling dozens of passwords, waiting for SMS codes that never arrive, and clicking “approve” on yet another MFA prompt without really thinking. But the traditional authentication methods Entra ID offers are increasingly vulnerable to modern attacks. 

Let’s break down why each legacy method is failing us: 

Passwords: The eternal weak link 

No matter how complex we make them, passwords remain vulnerable to credential stuffing attacks, where hackers use stolen credentials from one breach to access other accounts. They’re also prime targets for phishing—one convincing fake login page is all it takes. With users typically reusing passwords across multiple sites, a single breach can cascade into a security nightmare. 

SMS/Phone authentication: Not as secure as you think 

Those text message codes might feel secure, but they’re alarmingly easy to intercept. SIM swapping attacks (where criminals convince mobile carriers to transfer your number to their device) have become much more common recently. Once the baddies control your phone number, they get all your authentication codes. It’s social engineering at its simplest and most devastating. 

TOTP (Time-based One-Time Passwords): Better, but not bulletproof 

Apps like Google Authenticator generate time-based codes that are definitely more secure than SMS. But they’re still vulnerable to smart phishing attacks. 

Adversary-in-the-middle (AITM) attacks can capture these codes in real time and use them before they expire, and users can still be tricked into entering them on fake sites. The codes might change every 30 seconds, but that’s still plenty of time for an attacker.

Push notifications: When security becomes a nuisance 

Remember when push-based MFA felt revolutionary? Now it’s creating a dangerous phenomenon: MFA fatigue. Users bombarded with authentication requests (sometimes legitimate, sometimes not) eventually just tap “approve” to make them go away. Scattered Spider and similar groups exploit this exhaustion, sending repeated requests until someone inevitably clicks yes.
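The MFA-fatigue pattern described above is visible in sign-in logs as a burst of failed strong-authentication attempts for one user, sometimes followed by an approval. The following is an added Python example, not code from the article or from Microsoft; the records are constructed and only shaped like Entra ID sign-in log entries, and the window and threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Entra ID sign-in log entries (values are made up).
# errorCode 500121 is Entra's "strong authentication failed" code; 0 denotes success.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:00:05Z", "userPrincipalName": "fin.user@example.com", "status": {"errorCode": 500121}},
    {"createdDateTime": "2024-05-01T08:00:41Z", "userPrincipalName": "fin.user@example.com", "status": {"errorCode": 500121}},
    {"createdDateTime": "2024-05-01T08:01:20Z", "userPrincipalName": "fin.user@example.com", "status": {"errorCode": 500121}},
    {"createdDateTime": "2024-05-01T08:02:02Z", "userPrincipalName": "fin.user@example.com", "status": {"errorCode": 500121}},
    {"createdDateTime": "2024-05-01T08:03:10Z", "userPrincipalName": "fin.user@example.com", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "dev.user@example.com", "status": {"errorCode": 500121}},
    {"createdDateTime": "2024-05-01T09:30:00Z", "userPrincipalName": "dev.user@example.com", "status": {"errorCode": 0}},
]

MFA_FAILURE_CODES = {500121}


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(records, window=timedelta(minutes=10), threshold=3):
    """Return (upn, kind, time) alerts: 'burst' when at least `threshold` MFA failures
    fall inside a sliding `window`, and 'burst_then_success' when a successful sign-in
    lands while such a burst is still inside the window (the fatigue outcome)."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["userPrincipalName"]].append(rec)
    alerts = []
    for upn, recs in by_user.items():
        recs.sort(key=_ts)
        failures = []          # timestamps of failures still inside the window
        burst_seen = False     # report one 'burst' alert per run of failures
        for rec in recs:
            now = _ts(rec)
            failures = [t for t in failures if now - t <= window]
            code = rec["status"]["errorCode"]
            if code in MFA_FAILURE_CODES:
                failures.append(now)
                if len(failures) >= threshold and not burst_seen:
                    burst_seen = True
                    alerts.append((upn, "burst", rec["createdDateTime"]))
            elif code == 0 and len(failures) >= threshold:
                alerts.append((upn, "burst_then_success", rec["createdDateTime"]))
                failures, burst_seen = [], False
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_SIGNINS):
        print(*alert)
```

A single failed prompt a long way from a success (the second user) produces nothing; a run of denials that ends in an approval is the event worth paging on.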

How Entra ID passwordless authentication changes the game 

The stats make it clear why this is an area of concern. In the UK, 81.4% of organisations experienced a successful cyberattack in 2023. Nearly 40% of UK internet users risk data breaches by using identical passwords across multiple accounts. But let’s not get bogged down in scare stories; we’d rather talk about positive solutions.

Microsoft passwordless authentication gives you a fundamentally different way of protecting digital identities. Instead of something you know (passwords), it relies on something you have (like a device or security key) or something you are (biometrics). 

The beauty of this approach is that it virtually eliminates phishing. You can’t trick someone into giving away a password that doesn’t exist. And unlike traditional Microsoft Entra ID two-factor authentication, there’s nothing to intercept or socially engineer.

With Entra ID passkeys and other passwordless methods, we’re seeing remarkable improvements in both speed and reliability. Microsoft reports that users signing in with passkeys are three times more successful at getting into their accounts than password users (98% versus 32% success rate), and passkey sign-ins are eight times faster than using a password with traditional multi-factor authentication. That’s not just better security—it’s a better user experience too. 

The UK government is leading by example here, announcing plans to roll out passkey technology across all GOV.UK digital services in 2025. They expect to save approximately one minute per login compared to traditional methods—and several million pounds annually by eliminating SMS-based authentication costs. 

When it comes to implementing Entra ID MFA in a passwordless world, you’ve got several powerful options at your disposal: 

Windows Hello for Business 

This is Microsoft’s biometric authentication system built directly into Windows 10 and 11. It’s often the easiest starting point for organisations already using Windows devices. 

Users authenticate with their face, fingerprint, or PIN. But here’s the clever bit: that biometric data never leaves their device. It’s stored securely in the Trusted Platform Module (TPM), making it virtually impossible to steal. 

FIDO2 security keys 

These are physical USB or NFC devices that act as your authentication token. 

These physical keys represent the gold standard of Microsoft phishing protection. They’re perfect for high-privilege accounts or shared workstations. Users simply plug in their key (or tap it for NFC versions) and they’re authenticated. No passwords, no codes, no risk of remote compromise. 
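What makes FIDO2 keys and passkeys resistant to the phishing and AITM relays described earlier is that the browser, not the user, binds each assertion to the site that requested it. The following is an added Python illustration of that relying-party check, not code from the article or from Microsoft; the relying-party id, origins and challenge are constructed, and the public-key signature check a real relying party also performs is left out.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                  # constructed relying-party id
EXPECTED_ORIGIN = "https://login.example.com"  # constructed expected origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Model the two values a browser hands back from a WebAuthn get() ceremony.
    The browser fills in `origin` itself and the authenticator hashes the rpId it
    was invoked for into authenticatorData, so neither can be typed in by a user."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin, "crossOrigin": False}).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x01"                     # UP (user present) bit set
    sign_count = (7).to_bytes(4, "big")
    return {"clientDataJSON": client_data, "authenticatorData": rp_id_hash + flags + sign_count}


def verify_assertion(assertion: dict, challenge: bytes) -> tuple:
    """Relying-party checks that give origin binding. A real RP additionally verifies
    the signature over authenticatorData || sha256(clientDataJSON) with the key
    registered for this user; that step is omitted here."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')} not allowed"
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    ch = b"constructed-challenge-bytes"
    print(verify_assertion(make_assertion(EXPECTED_ORIGIN, RP_ID, ch), ch))
    # A look-alike site can only get an assertion bound to its own origin and rpId.
    print(verify_assertion(make_assertion("https://login-example.net", "login-example.net", ch), ch))
```

A relayed assertion from a look-alike domain fails the origin check (and would also fail the rpIdHash check), which is why there is no code for the user to hand over.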

Microsoft Authenticator passwordless sign-in 

This is Microsoft’s mobile app that turns your smartphone into a secure authentication device. 

This turns the Authenticator app from a code generator into a passwordless tool. Users approve sign-ins directly from their registered device, with the added security of biometric verification on their phone.

Temporary Access Pass 

This lesser-known feature is great for onboarding. It’s a time-limited code that allows users to set up their passwordless methods without ever needing a password. Think of it as scaffolding; essential during construction, removed once the building’s complete. 

Rolling out passwordless authentication doesn’t have to be daunting. Here are our tried-and-tested Entra ID best practices for a smooth transition: 

Start with your highest-risk users 

Global administrators, finance teams, and executives should be your first priority. These accounts are prime targets for attackers, so protecting them delivers immediate value. 

Choose the right deployment model for your environment 

If you decide to implement Windows Hello for Business (particularly useful for organisations with Windows devices), you’ll have several deployment options to choose from: 

  • Cloud Kerberos trust is the newest and simplest option. It requires minimal infrastructure changes and works brilliantly for cloud-first organisations. Users authenticate to Azure AD, which then provides a partial TGT (Ticket Granting Ticket—essentially a digital pass for accessing network resources) for on-premises resource access. It’s our recommended approach for most modern deployments. 
  • Key trust deployments work well if you’ve already got a solid PKI (Public Key Infrastructure—your system for managing digital certificates and encryption keys). The user’s device holds a key pair, with the public key registered in Azure AD. It’s robust and doesn’t require certificates on every device, but you’ll need Windows Server 2016 or later domain controllers. 
  • Certificate trust deployments are the original method and still valid for organisations with mature PKI environments. Each device gets a certificate, providing maximum compatibility with legacy systems. That said, it’s the most complex to manage long-term. 

Consider your hybrid environment carefully 

For organisations straddling cloud and on-premises worlds, hybrid environment configurations need special attention. Make sure your Azure AD Connect is up to date, and consider whether you need device writeback for on-premises scenarios. Cloud Kerberos trust is great here, eliminating many traditional hybrid headaches. 

Plan your rollout in phases 

Consider starting with a pilot group of users (perhaps the more tech-savvy ones) who can help iron out any issues. Then expand the programme department by department, giving each group time to adjust.

Invest in user training 

The technology might be more secure, but it’s also different. Short, focused training sessions can dramatically improve adoption rates. You’ll want to show users how much faster their logins are going to be when they move to passwordless—that should be all the convincing they need. 

Have a backup plan 

Temporary Access Passes are perfect for those “I’ve lost my phone” moments. Make sure your help desk knows how to issue them securely. 

Ready to ditch those passwords? 

Passwordless authentication isn’t just about better security, although it certainly delivers that. It helps create a better experience for your users while dramatically reducing your attack surface. With threats like Scattered Spider actively targeting companies through social engineering and MFA fatigue, the traditional username-and-password approach simply isn’t fit for purpose anymore. 

But luckily, the tools to overcome this are already in your Entra ID setup, waiting to be configured. 

Ready to strengthen your organisation’s security posture? We help businesses implement security strategies that actually work. Get in touch to find out how we can help you make the transition to passwordless—before the next cyber threat comes knocking. 

And for more security guidance, check out our 10 essential cyber security tips and learn how to build a resilient Azure environment. 
