Delegated access for the Microsoft Graph API allows an application to access Azure resources on behalf of a user. The user, however, has to sign in, either with a traditional password or with another method such as Microsoft Authenticator or passkeys. Even when the user signs in with a passkey, this login step relies almost entirely on the web browser. Passkeys are meant to make authentication easier, and they do remove the pain of typing a username and password followed by MFA, but the experience can still be much better. Currently, the application opens the web browser at an authorization URL, where the user signs in: the user chooses 'Sign-in options', then 'Face, Fingerprint, PIN or Security Key', uses the passkey, confirms the login in another dialog box, then confirms saving the session in yet another. The website then returns an authorization code, which is exchanged for a bearer token, after which a Graph API call can succeed. On top of that, passkey-based login is usually not available on Linux platforms, because Windows Hello is not supported there.
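As an added example (not part of this study or its demo), the browser-based authorization code exchange described above, written in Python against the Microsoft identity platform v2.0 endpoints: it builds the authorization URL with a PKCE challenge and a state value, validates the redirect that carries the authorization code, and prepares the token request that yields the bearer token. The state and PKCE binding are the checks any replacement flow, console-based or not, still has to provide; the tenant, client id, loopback redirect URI and scope values are placeholders, and the callback URL used in testing is constructed.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Microsoft identity platform v2.0 endpoints; TENANT and CLIENT_ID are placeholders.
TENANT = "<tenant-id-or-common>"
CLIENT_ID = "<app-client-id>"
AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
REDIRECT_URI = "http://localhost:8400/callback"  # assumed loopback listener run by the app
SCOPES = "openid offline_access https://graph.microsoft.com/User.Read"

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_pair(verifier: str = "") -> tuple:
    """Return (code_verifier, code_challenge) using S256: base64url(sha256(verifier))."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def build_authorize_url(state: str, code_challenge: str) -> str:
    """Step 1: the URL the app opens in the browser; state and PKCE bind the reply to this request."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "response_mode": "query", "scope": SCOPES, "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def extract_code(callback_url: str, expected_state: str) -> str:
    """Step 2: parse the redirect; refuse a reply whose state does not match (CSRF / mix-up defence)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise RuntimeError(f"authorization failed: {q['error'][0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response is not bound to this login attempt")
    return q["code"][0]

def token_request(code: str, verifier: str) -> dict:
    """Step 3: form body to POST to TOKEN_URL; the verifier proves this client started the flow."""
    return {"client_id": CLIENT_ID, "grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "code_verifier": verifier, "scope": SCOPES}
```

The access_token in the JSON response to the step 3 POST is the bearer token sent in the Authorization header of the Graph API call.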
This traditional workflow depends on a modern web browser, which consumes a lot of memory. It also requires 5 to 7 clicks from the user and takes about 40 to 45 seconds to complete. It is a tedious process that costs a lot of time and resources, not to mention the poor user experience.
In this study we propose a new workflow that is based entirely on the console. It simply prompts the user for the passkey, needs only 1 or 2 clicks, and completes the authentication process in under 10 seconds. It does not depend on a web browser, can be integrated into any application, and is not resource hungry like the traditional workflow. It is also better suited to thin clients and to IoT and edge computing devices. Watch the attached video for a demo.