
Passwordless authentication for domain users


Authenticating users to a company's network domain is, for most enterprises, what enterprise authentication means in practice. The domain is IT's term for the managed company network, and authenticating users to it and to the business resources joined to it is the core of enterprise authentication. The domain controller is the authentication service on that network: it verifies the identity of users and computers that ask to join or use the domain, and it supplies the group memberships that each resource uses to decide what an authenticated user or computer may access.

How do you authenticate users to the company domain?

The domain controller sits at the heart of the company domain. Computers and applications are joined to the domain and receive accounts of their own; users authenticate to the domain controller and are then authorized to reach resources according to the groups they belong to.

Once a computer is configured to work on a specific network domain, known as joining it to the domain, a user must log on to it. Through this logon the domain controller authenticates the user both to the domain and to the workstation in one step. Concretely, when a user logs on to a domain-joined Windows computer, the workstation derives a key from the user's password and uses it for Kerberos pre-authentication with the domain controller; the password itself is not sent over the network. If the proof checks out, the domain controller issues a Kerberos ticket that carries the user's security identifiers and group memberships, and every resource on the domain uses those to decide what the user is entitled to do.

If the workstation cannot reach a domain controller, for example because it is offline, Windows falls back to cached logon data: a verifier derived from an earlier successful domain logon is stored locally, so the user can still log on to and unlock the workstation, but not reach domain resources. The number of logons kept is set by the "Interactive logon: Number of previous logons to cache" policy, 10 by default. Once a domain controller is reachable again, the workstation authenticates the user to it and obtains Kerberos tickets before domain resources become available.

Domain controllers most commonly authenticate users with a username and password. For higher-security networks the domain can be configured to require a stronger credential. The method built into Active Directory is smart card logon: the user authenticates with a certificate and private key held on the card and unlocked with a PIN, and the domain controller verifies it over Kerberos PKINIT. This replaces the password rather than adding to it, and can be enforced per account with the "Smart card is required for interactive logon" attribute. One-time-password tokens are not native to the domain controller and are typically integrated through a third-party credential provider or an authentication gateway in front of the domain.

Why are old user authentication habits hard to shake?

Managing network domains with domain controllers has been standard practice for decades. Once a domain controller is in place, replacing it, upgrading it or even changing its configuration risks locking users out or cutting off critical business systems, so it is administered with extreme caution to avoid costly disruption. Combine that conservatism with the age of most deployments and you end up with antiquated authentication practices that are hard to shake.

Active Directory – the almost ubiquitous domain controller

Microsoft Active Directory is a suite of services originally built to manage a company's Windows network domain. At its core is Active Directory Domain Services (AD DS); a server running that role is a domain controller. It authenticates users and computers to the domain, over Kerberos or NTLM, and holds the directory of accounts, groups and policy that resources use for authorization.

Passwordless authentication for Active Directory users

Active Directory today comes in two forms: the on-premises AD DS that many businesses have used for years to manage their Windows domains, and Azure AD (renamed Microsoft Entra ID in 2023), Microsoft's cloud identity service built for businesses operating in the cloud. The two are different products, not versions of one another: Azure AD is not a domain controller and does not by itself provide Kerberos, NTLM, LDAP or Group Policy to on-premises systems; identities are usually synchronized between the two.

Azure AD supports passwordless sign-in natively, with FIDO2 security keys, Windows Hello for Business and the Microsoft Authenticator app. On-premises AD has only one passwordless mechanism of its own, certificate-based Kerberos logon (PKINIT) with a smart card or Windows Hello for Business, which requires an enterprise PKI. Other passwordless methods, such as FIDO2 security keys, reach on-premises resources only through devices hybrid-joined to Azure AD or through a third-party solution that brokers the domain logon.
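As an added example that is not part of the original page or of any vendor's product, the Python script below decodes the userAccountControl attribute from a constructed export of user accounts and reports which accounts are enforced as smart-card-only (the domain's native passwordless enforcement mentioned above under multi-factor authentication) and which still permit password logon, together with two flags that weaken password logon. The account names, the two-column export layout and the sample values are assumptions; a real export would come from, for instance, `Get-ADUser -Filter * -Properties userAccountControl` on a domain-joined host.

```python
"""Audit userAccountControl (UAC) flags from an AD user export.

Reports which accounts are smart-card-only (passwordless interactive logon via
Kerberos PKINIT) and flags settings that weaken password-based logon. The export
below is constructed sample data, not real directory content.
"""
import csv
import io

# userAccountControl bit values, as documented for AD DS (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
SMARTCARD_REQUIRED = 0x40000
DONT_REQ_PREAUTH = 0x400000

# Constructed sample export (assumed layout: sAMAccountName,userAccountControl).
SAMPLE_EXPORT = """sAMAccountName,userAccountControl
alice,262656
bob,512
svc-backup,4260352
carol,66080
dave,514
"""


def decode_uac(value: int) -> set:
    """Return the names of the known UAC bits set in value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def audit_account(name: str, uac: int) -> dict:
    """Classify one account by its UAC value and list noteworthy findings."""
    findings = []
    if uac & SMARTCARD_REQUIRED:
        # Interactive logon must present a certificate (PKINIT); the DC sets a
        # random password on the account when this flag is enabled.
        findings.append("smart-card-only: certificate logon enforced, password logon disabled")
    else:
        findings.append("password logon permitted")
    if uac & PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD: account may have an empty password")
    if uac & DONT_REQ_PREAUTH:
        findings.append("DONT_REQ_PREAUTH: Kerberos pre-authentication disabled (AS-REP roastable)")
    return {
        "account": name,
        "uac": uac,
        "enabled": not (uac & ACCOUNTDISABLE),
        "smart_card_only": bool(uac & SMARTCARD_REQUIRED),
        "flags": decode_uac(uac),
        "findings": findings,
    }


def audit(export_csv: str) -> list:
    """Parse a two-column CSV export and audit every row."""
    rows = csv.DictReader(io.StringIO(export_csv))
    return [audit_account(r["sAMAccountName"], int(r["userAccountControl"])) for r in rows]


def summarize(report: list) -> dict:
    """Count enabled accounts by whether password logon is still possible."""
    enabled = [r for r in report if r["enabled"]]
    sc_only = sum(1 for r in enabled if r["smart_card_only"])
    return {"enabled": len(enabled), "smart_card_only": sc_only,
            "password_logon": len(enabled) - sc_only}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for r in report:
        state = "enabled" if r["enabled"] else "disabled"
        print(f"{r['account']:<12} uac={r['uac']:<8} {state:<8} {', '.join(sorted(r['flags']))}")
        for f in r["findings"]:
            print(f"    - {f}")
    print(summarize(report))
```

The summary counts only enabled accounts, so a disabled account such as the sample "dave" does not inflate the password-logon figure; the two weakening flags are reported regardless of the passwordless state because they matter wherever the account can still be used.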