Control: 5.28 Ensure passwordless authentication methods are considered
Description
Passwordless authentication methods improve security and user experience by replacing passwords with something you have (e.g., a hardware key), something you are (biometrics), or something you know, offering a convenient and secure way to access resources.
Microsoft Entra ID and Azure Government integrate the following passwordless authentication options:
- Windows Hello for Business
- Platform Credential for macOS
- Platform single sign-on (PSSO) for macOS with smart card authentication
- Microsoft Authenticator
- Passkeys (FIDO2)
- Certificate-based authentication
Remediation
- Review the passwordless authentication method options: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless.
- Choose a passwordless authentication method: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless#choose-a-passwordless-method.
- Implement the chosen passwordless authentication method.
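To support the manual review, the following added example (not part of the control or of the Powerpipe mod) reports which passwordless methods a tenant's authentication methods policy actually makes usable. It assumes the policy has been exported as JSON from the Microsoft Graph endpoint GET /policies/authenticationMethodsPolicy; the sample policy, the `PASSWORDLESS_IDS` mapping and the `passwordless_status` function are constructed for illustration, and only the three methods in the mapping are checked.

```python
import json

# Constructed sample shaped like the Microsoft Graph response to
# GET /policies/authenticationMethodsPolicy (values are illustrative).
SAMPLE_POLICY = json.loads("""
{
  "authenticationMethodConfigurations": [
    {"id": "Fido2", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "MicrosoftAuthenticator", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users",
                         "authenticationMode": "push"}]},
    {"id": "X509Certificate", "state": "disabled", "includeTargets": []}
  ]
}
""")

# Assumed mapping from policy ids to passwordless options named in this control.
PASSWORDLESS_IDS = {
    "Fido2": "Passkeys (FIDO2)",
    "MicrosoftAuthenticator": "Microsoft Authenticator",
    "X509Certificate": "Certificate-based authentication",
}

def passwordless_status(policy):
    """Return {method name: (usable, reason)} for each passwordless method."""
    configs = {c["id"]: c for c in policy.get("authenticationMethodConfigurations", [])}
    report = {}
    for method_id, name in PASSWORDLESS_IDS.items():
        cfg = configs.get(method_id)
        if cfg is None or cfg.get("state") != "enabled":
            report[name] = (False, "method not enabled in policy")
            continue
        targets = cfg.get("includeTargets", [])
        if not targets:
            report[name] = (False, "enabled but no users or groups targeted")
            continue
        if method_id == "MicrosoftAuthenticator":
            # Push-only mode is MFA approval, not passwordless phone sign-in.
            modes = {t.get("authenticationMode", "any") for t in targets}
            if not modes & {"any", "deviceBasedPush"}:
                report[name] = (False, "targets limited to push (MFA) mode")
                continue
        report[name] = (True, "enabled and targeted")
    return report

if __name__ == "__main__":
    for name, (ok, reason) in passwordless_status(SAMPLE_POLICY).items():
        print(f"{'OK  ' if ok else 'GAP '} {name}: {reason}")
```

A method reported as a gap is either disabled, enabled without any targeted users, or (for Microsoft Authenticator) restricted to push approval only.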
Default Value
Passwordless authentication is not enabled by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_5_28
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v500_5_28 --share
SQL
This control uses a named query:
select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;