“They will have to go into the Active Directory server and turn off the ability within the Microsoft Authenticator app. It’s not really about blocking all apps. It seems to be about blocking particular Authenticator mechanisms for those apps,” Longsine said, before adding an exasperated comment that CISOs might want to consider surrendering and simply accelerating their passkey plans. “It’s probably easier to start migrating to passkeys than figuring out the exception procedures.”
From an authentication perspective, it is all but universally agreed that passkeys deliver far more robust security than passwords and passphrases. What is more complicated is the way most enterprises plan on deploying passkeys.
To get end users comfortable with passkeys, whether they are employees, contractors, customers, or overseas partners for supply chain, manufacturing, or shipping, just about all enterprises will retain existing passwords as a fallback for when the passkey fails. Analysts estimate that password retention may last anywhere from one to four years, depending on the enterprise’s vertical, geographies, and other compliance considerations.