Security doesn't have to kill productivity. Here are 5 practical ways businesses can balance strict authentication requirements with a seamless user experience.
Multi-factor authentication is non-negotiable. But the most common complaint from business owners when implementing MFA is staff resistance — the perception that security controls make work harder. When staff find authentication too burdensome, they look for workarounds: sharing sessions, staying logged in indefinitely, or using personal devices that are not subject to the controls.
The solution is not weaker security — it is smarter authentication design that applies friction where it matters most while minimising friction for routine, low-risk access patterns.
1. Windows Hello for Business: The Seamless Option
Windows Hello for Business replaces the traditional username/password/MFA code flow with biometric authentication — fingerprint or facial recognition — on managed Windows devices. It is phishing-resistant: the credential is an asymmetric key pair bound to the device (protected by its TPM), the private key never leaves that device, and so a credential-phishing proxy has nothing to intercept or replay. From the user’s perspective it is also faster and simpler than typing a password.
The experience: the user sits at their desk, looks at the camera or puts a finger on the reader, and they are logged in. No password. No authenticator app. No code to copy.
What is required:
- Windows devices enrolled in Microsoft Intune
- Devices with compatible biometric hardware (fingerprint reader or IR camera — standard on most business laptops)
- Windows Hello for Business policy configured via Intune
For organisations on Microsoft 365 Business Premium, this is entirely achievable without additional licensing. It is the highest-security, lowest-friction authentication method available for Windows workstations.
2. Conditional Access: Risk-Based Rather Than Constant Friction
Rather than requiring MFA for every single login regardless of context, Conditional Access evaluates the risk of each access attempt and applies friction proportionate to that risk.
Low-risk access (minimal friction):
- User logging in from a managed, compliant device on the corporate network or from a known location
- A device they have authenticated from before, during normal working hours
High-risk access (MFA required):
- Login from a new device or unknown location
- Login from outside normal working hours
- Login after a risky sign-in event detected by Entra ID
- Access to sensitive applications or admin functions
This approach means staff working from their regular devices in normal circumstances face minimal authentication friction, while the same security controls catch the risky access patterns that actually matter.
How to configure: Entra ID Conditional Access → Sign-in risk policy. Require MFA when sign-in risk is “medium or high” rather than for every single sign-in. Note that the sign-in risk condition is fed by Entra ID Protection, a Microsoft Entra ID P2 feature; a tenant with only P1 (the tier included in Microsoft 365 Business Premium) can still build the same risk-boundary policies from the device, location and application conditions listed above.
3. Microsoft Authenticator Number Matching: Secure Without Being Slow
For scenarios where MFA is required, the method matters. Push notifications without number matching are both less secure (MFA fatigue attacks) and potentially disruptive (unintended approval).
Microsoft Authenticator with number matching is nearly as fast as a tap-to-approve — the user sees a two-digit number on the login screen, confirms it matches the number shown in the app, and approves. The entire process takes 5-10 seconds.
This is meaningfully faster than TOTP (opening the app, reading a code that rotates every 30 seconds, and typing it in before it expires) and provides better security against MFA fatigue attacks.
How to enable: Entra ID → Protection → Authentication methods → Microsoft Authenticator → Enable number matching and additional context. Microsoft has enforced number matching for all Authenticator push notifications tenant-wide since May 2023, so the setting that still needs a deliberate decision is the additional context: showing the application name and sign-in location in the prompt, which helps users recognise and deny a request they did not initiate.
4. Persistent Sessions on Managed Devices
Authentication tokens expire. How often they expire determines how frequently users are prompted to re-authenticate. Aggressive token expiry (every few hours) maximises security but creates significant friction for users who are re-prompted multiple times per day.
For managed devices — devices enrolled in Intune and verified as compliant — longer session persistence is an acceptable security trade-off. A compliant device that has already passed device health checks represents a lower risk than an unmanaged personal device.
How to configure: Entra ID Conditional Access → Session controls → Sign-in frequency. Set longer sessions for compliant device conditions, shorter sessions for non-compliant or unmanaged devices.
A sensible configuration: managed compliant devices get persistent browser sessions (no re-authentication on browser restart) and 7-day token expiry. Unmanaged or non-compliant devices require re-authentication more frequently.
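As an added example (not code from the article or from CX IT Services), the two policies from sections 2 and 4 expressed for the Microsoft Graph PowerShell SDK instead of the portal. The policy names, the report-only starting state and the break-glass account placeholder are assumptions; the "medium or high" risk threshold, the 7-day expiry and the persistent browser session come from the text above.

```powershell
# Added example: create the sign-in risk MFA policy (section 2) and the
# compliant-device session policy (section 4) via Microsoft Graph.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Policy 1: require MFA only when Entra ID rates the sign-in risk medium or high,
# not on every sign-in. The break-glass admin account is excluded (placeholder id).
$riskPolicy = @{
    displayName   = "CA-Require-MFA-Medium-High-SignInRisk"          # assumed name
    state         = "enabledForReportingButNotEnforced"               # report-only first; set "enabled" after review
    conditions    = @{
        users            = @{
            includeUsers = @("All")
            excludeUsers = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>")       # placeholder, replace before use
        }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")                        # the threshold from section 2
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy

# Policy 2: on Intune-compliant devices, keep the browser session across restarts and
# only require a fresh sign-in every 7 days. The device filter scopes this relaxation to
# compliant devices only; unmanaged devices keep the tenant default (or a stricter policy).
$sessionPolicy = @{
    displayName     = "CA-Session-7d-Persistent-CompliantDevices"   # assumed name
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }        # persistent browser needs all apps
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{ mode = "include"; rule = 'device.isCompliant -eq True' }
        }
    }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = "days"; value = 7 }   # 7-day expiry
        persistentBrowser = @{ isEnabled = $true; mode = "always" }            # no re-auth on restart
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $sessionPolicy
```

Both policies start in report-only mode so the sign-in logs show who would have been prompted before enforcement is switched on.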
5. Single Sign-On for All Applications
Authentication fatigue builds fastest when users must log in to multiple applications throughout the day. A salesperson who logs into CRM, then email, then project management, then accounting software, then back into CRM faces a death-by-a-thousand-logins problem.
Single Sign-On (SSO) solves this: authenticate once to Entra ID, and all connected applications accept that authentication without prompting again. The user logs in once in the morning and then navigates between applications freely.
What is required: Applications that support SAML 2.0 or OpenID Connect federation with Entra ID — which covers most enterprise SaaS applications (Salesforce, HubSpot, Xero, DocuSign, and hundreds of others).
How to configure: Entra ID → Enterprise applications → Add application → Search for your application → Configure SSO. Most major SaaS vendors have step-by-step SSO setup guides for Entra ID.
With SSO in place, MFA only fires when the user authenticates to Entra ID — once per day in normal usage, or when Conditional Access detects a risky access pattern — rather than every time they open a different application.
The Design Principle: Friction Where It Matters
The five approaches above share a common design principle: apply authentication friction at the risk boundaries that matter (new devices, new locations, sensitive applications, privileged actions) rather than uniformly across all access. High security without high friction is achievable with the right configuration — it just requires deliberate design rather than blanket policy.
CX IT Services configures Conditional Access, Windows Hello, and SSO for Melbourne businesses on Microsoft 365. Book a Right Fit Call to discuss your current authentication design.