If you are on the internet, you have heard about “passwordless” and “passkeys.” Much like me, you have also heard enough about it. I spoke quite a bit about passkeys recently as an example. The idea or the spirit of the idea is pretty good. Let’s try to get to a world without passwords to battle the ransomware goblins. This article is the natural progression of my onboarding article found here.
Today, I have spent a ton of time evaluating TAP (Temporary Access Passes) to see if these ideas are crazy or actually attainable by human beings. Today we will cover:
- What are Temporary Access Passes?
- Configuring Temporary Access Passes
- Different Ways to Use TAPs During Onboarding
- Using TAP for Web-Based Sign-In
- What’s My Preferred Choice and Final Thoughts
What are Temporary Access Passes?
A TAP is a time-limited and ideally single-use code that can be used to onboard authentication methods or to log into a PC in certain scenarios. A few examples are enrolling via OOBE and logging in when “web-based sign-in” is enabled (and it should be). That’s a bit of foreshadowing; we will get into it later on.
One of the nice things about TAP is that it counts as a strong (MFA-satisfying) method for bootstrapping purposes. For that very reason, it’s incredibly important that passes are managed appropriately. TAP should ideally be part of HR onboarding processes like Entra Governance Lifecycle Workflows. You can also issue them from PowerShell scripts or other workflow technologies as necessary.
TAP can also be used to help with recovering authentication factors like FIDO2 security keys or Microsoft Authenticator.
Configuring Temporary Access Passes
Below, I cover how to set up TAP, which is pretty easy. You go into the authentication methods policy and enable it. Once enabled (and scoped to a group if necessary), you create passes for users.
In addition, as Microsoft documents, you can use PowerShell to create a TAP for a user:
# Create a Temporary Access Pass for a user
# Requires the Microsoft Graph PowerShell SDK and a session with the
# UserAuthenticationMethod.ReadWrite.All scope, e.g.:
#   Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'
$properties = @{}
$properties.isUsableOnce = $True                      # single-use pass
$properties.startDateTime = '2022-05-23 06:00:00'     # when the pass becomes valid (UTC)
$propertiesJSON = $properties | ConvertTo-Json
# user@contoso.com is a placeholder; replace it with the target user's UPN or object id
New-MgUserAuthenticationTemporaryAccessPassMethod -UserId user@contoso.com -BodyParameter $propertiesJSON
I think it’s good to be aware of a few limitations:
- After signing in with a TAP, you have 10 minutes to register passwordless methods; otherwise the registration fails.
- Users in scope for an SSPR registration policy or an Identity Protection MFA registration policy are required to register auth methods after signing in with a TAP.
- TAP can’t be used with NPS or ADFS (big surprise).
- Can’t be used to register hybrid-joined devices, e.g. during OOBE.
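Since the post recommends issuing passes from onboarding scripts, here is an added example (not the author’s code or Microsoft’s sample) of a scripted onboarding step that clears any lingering pass and mints a short-lived, single-use TAP. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the caller holds a role allowed to manage authentication methods, and that the UPN and lifetime values are placeholders to adjust to your tenant’s TAP policy.

```powershell
# Added example: create a short-lived, single-use TAP for a new hire from an onboarding script.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the caller can manage auth methods.
# The UPN and the lifetime default are placeholders; your tenant's TAP policy sets the allowed range.

function New-OnboardingTap {
    param(
        [Parameter(Mandatory)] [string] $UserId,                   # UPN or object id of the new hire
        [datetime] $StartDateTime = (Get-Date),                    # when the pass becomes valid
        [ValidateRange(10, 43200)] [int] $LifetimeInMinutes = 60   # must fall inside the tenant TAP policy
    )

    # Least privilege: request only the scope needed to manage authentication methods.
    Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

    # Remove any existing pass first so a stale or unused code does not stay valid
    # alongside the one we are about to issue.
    $existing = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId
    foreach ($old in $existing) {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId `
            -TemporaryAccessPassAuthenticationMethodId $old.Id
    }

    # Single use plus a short lifetime keeps the window in which a leaked pass is useful small.
    $body = @{
        isUsableOnce      = $true
        startDateTime     = $StartDateTime.ToUniversalTime().ToString('o')
        lifetimeInMinutes = $LifetimeInMinutes
    }
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -BodyParameter $body

    # Return what the onboarding workflow needs. The pass value is only returned at creation,
    # so hand it over through a trusted channel and do not write it to a log.
    [pscustomobject]@{
        UserId    = $UserId
        Pass      = $tap.TemporaryAccessPass
        ValidFrom = $tap.StartDateTime
        ValidTo   = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
        IsUsable  = $tap.IsUsable
        Reason    = $tap.MethodUsabilityReason   # explains IsUsable = $false, e.g. not yet started
    }
}

# Usage with a placeholder UPN: a one-hour, single-use pass valid from now.
New-OnboardingTap -UserId 'newhire@example.com' -LifetimeInMinutes 60
```

The Remove step is what lets the HR workflow re-run safely when a hire’s start date moves without leaving an older pass live.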
Different Ways to Use TAPs During Onboarding
There are many different ways that we can use TAPs. I figured it would be good to show them on display. Much like my friend Figment (yes, I spend way too much time in Disney), it’s only limited to your IMAGINATION!
Firstly, we can enroll in OOBE with TAP:
We can also use TAP to enroll in Microsoft Authenticator:
If you’re interested in what it looks like on iOS side you can look at this video:
Once we are enrolled in Authenticator, we can then use that to enroll during OOBE:
Using TAP for Web-Based Sign-In
You can enable web-based sign-in with this simple Settings Catalog setting below (requires Windows 11, 22H2+):

In addition, you can optionally use a few other keys that control which domains may use Web Sign-In and which may access the webcam for biometric authentication:
- ConfigureWebSignInAllowedUrls
- ConfigureWebCamAccessDomainNames
Both of those are available in the same settings category (Authentication).
As you can see below, the globe icon becomes available as a sign-in option and invokes a modern auth window to log in. It’s an absolute must if you are going to support passwordless authentication workflows:

Final Thoughts
This is a shorter article than I would normally write. I felt that TAP was best accentuated with videos because it’s an amazing user experience. I was particularly impressed with the Bluetooth mobile authentication that is on display with passkey enrollments during OOBE. So, the main question is what do I think is the best way to go passwordless in OOBE?
My preferred choice after evaluating every option is to use the Temporary Access Pass to enroll in Authenticator, activate your passkey, and use your mobile device to enroll during OOBE. It felt the most natural and honestly was the coolest looking of all options. Synergistically it’s also great since you don’t need to go back to the TAP well to ask for another pass. Hopefully a few of you will check it out, because it’s easy to get started and very empowering technology.
