What is that, you say? Not using a password is more secure? Surprisingly, yes. Here's why:
Here's the scenario: a website is set up to look very much like Microsoft 365, Gmail, or any other site where a criminal may want to capture your password. You type it in, and now they have it. They enter it on the real site at the same moment, either manually or automatically, and you get your MFA prompt. You approve it. Now they're logged in, even though you have MFA. Once they're in, they can quietly maintain access.
So, the solution here is to prevent them from getting your actual password. The fewer times you're typing it in, the lower the chance they'll get it.
How does it work?
You must be using the Microsoft Authenticator app for your MFA, with your account and password already configured in it.
Your IT admins or Managed Services Provider (like us) must have enabled it and trained your team on how to use it. You can start with it being optional, and enforce it at some point when you're ready.
Now, when you sign in somewhere new or untrusted, your phone will pop up a prompt asking you to (a) approve the sign-in and (b) enter the random two-digit number that matches the one shown on your screen.
Here is how it looks in action:
You have proven your identity without typing your password. The only way (as far as we are aware) to complete a valid login is through the existing, registered relationship between your Microsoft account and the Authenticator app on your phone. This makes it much more secure than a traditional password.
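To make the mechanism concrete, here is an added Python model of the server side of number matching. It is a constructed illustration, not Microsoft's code or this page's own material; the session id, the 60-second time-to-live and the three-attempt cap are assumptions chosen to show why a bare "Approve", a stale prompt or a replayed answer is rejected.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CHALLENGE_TTL_SECONDS = 60   # assumed: a stale prompt must not be approvable later
MAX_WRONG_ATTEMPTS = 3       # assumed: only 100 possible values, so cap guessing


@dataclass
class Challenge:
    session_id: str      # ties the prompt to one browser sign-in attempt
    number: int          # the two-digit value shown only on the sign-in screen
    created_at: float
    wrong_attempts: int = 0


class SignInService:
    """Server side of the flow: one challenge per sign-in, verified once."""

    def __init__(self) -> None:
        self._pending: Dict[str, Challenge] = {}

    def start_sign_in(self, now: Optional[float] = None) -> Challenge:
        """Called when the user enters a username: sends the push, displays the number."""
        now = time.time() if now is None else now
        ch = Challenge(secrets.token_hex(8), secrets.randbelow(100), now)
        self._pending[ch.session_id] = ch
        return ch

    def verify(self, session_id: str, entered: Optional[int],
               now: Optional[float] = None) -> bool:
        """Called when the Authenticator app answers the push; True only for a fresh, matching reply."""
        now = time.time() if now is None else now
        ch = self._pending.get(session_id)
        if ch is None:
            return False                       # unknown, already used, or already discarded
        if now - ch.created_at > CHALLENGE_TTL_SECONDS:
            del self._pending[session_id]
            return False                       # expired prompt
        if entered is None:
            return False                       # a bare "Approve" without the number is not enough
        if not secrets.compare_digest(f"{ch.number:02d}", f"{entered:02d}"):
            ch.wrong_attempts += 1
            if ch.wrong_attempts >= MAX_WRONG_ATTEMPTS:
                del self._pending[session_id]  # stop guessing through the two-digit space
            return False
        del self._pending[session_id]          # single use: a correct answer cannot be replayed
        return True
```

The number is only ever displayed on the screen of the person who actually started the sign-in, so the person holding the phone can tell whether the prompt belongs to them.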
How to Set Up on Your Phone
After your workplace has enabled or allowed this type of sign-in, you set it up as shown below: