Securely Issue a Microsoft Temporary Access Pass (TAP) with Nametag

by Nametag Team

Today we’re excited to announce that Nametag can now be used to issue a Microsoft Temporary Access Pass (TAP). Entra ID administrators can now enable users to receive a TAP in a secure environment through Nametag Autopilot, our self-service account recovery solution. This follows Nametag’s integration as an External Authentication Method (i.e. MFA factor) for both Microsoft Entra and Okta.

What is a Microsoft Temporary Access Pass (TAP)?

A Temporary Access Pass (TAP) is a time-limited passcode that can be configured for single or multiple use. A TAP can be thought of as a bypass code which allows a user to sign in to Microsoft Entra and other Microsoft Cloud products. Microsoft recommends using TAPs in a few specific scenarios:

  • To “bootstrap” passwordless authentication methods: use a TAP to verify someone before allowing them to enroll a new passwordless MFA method.
  • For account recovery, when someone loses or forgets an authentication method.
  • To verify guest access to Microsoft Entra, like when adding a new guest user.

Attackers are TAPping at the Door

Because a Temporary Access Pass is basically a bypass code, it’s critical to know exactly who is actually receiving the TAP; imagine sending one to help a user get back into their accounts, only to discover it was an imposter up to no good. This sort of helpdesk social engineering scenario is exactly what took down MGM Resorts.

In addition, TAPs can only be issued by IT staff and are not usable for Microsoft’s default Self-Service Password Reset (SSPR) system. This means that to receive a TAP, users have to contact your IT helpdesk, creating an expensive and time-consuming support ticket. Nametag’s Microsoft TAP integration solves both of these challenges.

How to Verify Someone Before Issuing a Microsoft TAP

Typically, a Temporary Access Pass can only be issued by a helpdesk agent. But how does that agent know that the user requesting the TAP is really who they claim to be? All of your options are either insecure or prohibitively time-consuming:

  • Hardware security keys offer high security, but are difficult to issue and manage at scale. As a result, many users requesting a TAP may not have a hardware key.
  • One-time passcodes (OTPs) via text message or call are notoriously easy to intercept via trojan, SIM swap, or social engineering.
  • Push notifications to Microsoft Authenticator can be exploited by push fatigue attacks. Also, if a user has changed their MFA device, they likely don’t have access to Authenticator at all.
  • Security questions may as well be called "insecurity questions" because answers are typically available online, and users frequently forget the answers.
  • Visual verification calls can take hours or even days to arrange, and attackers can now convincingly spoof live calls with deepfake video emulators.

With our Deepfake Defense identity verification engine, Nametag is the only way to truly know who's asking you to send them a TAP. You can use Nametag for secure TAP issuance in two ways: self-service and agent-assisted.

Secure Self-Service TAP Issuance with Nametag

Enterprises typically issue a Temporary Access Pass to users who need to recover access to their account, set up guest access, or verify a new hire before they set up multi-factor authentication. Now, instead of making them contact your helpdesk, you can simply send them to Nametag. Users can receive a TAP in a secure, high-assurance way all on their own, all through Nametag Autopilot, our turnkey solution for self-service account recovery.

  1. Scan QR code. Users navigate to your custom-branded account recovery microsite, powered by Nametag. They scan a QR code to launch Nametag, no app download or pre-enrollment required.
  2. Verify identity. Users quickly verify themselves by scanning a government-issued ID and taking a selfie. Our Deepfake Defense™ identity verification engine verifies them in seconds.
  3. Receive a TAP. Users return to your Nametag-powered account recovery microsite, where they can now receive a TAP with just a single click.

Agent-Assisted Secure TAP Issuance with Nametag

Many enterprises use Microsoft TAPs in a wide range of scenarios beyond account recovery and onboarding. We support these use cases equally well thanks to Nametag Copilot, our out-of-the-box console for helpdesk agents. Copilot is a great option for organizations which aren't ready to move to self-service TAP issuance, or who are concerned about social engineering attacks on their helpdesk.

Verifying someone with Nametag Copilot is fast and intuitive.

  1. Send a link. Create and share a verification request via your normal support channels in two clicks. Users tap the link to open Nametag on their phone, no pre-enrollment or app download required.
  2. Verify their identity. Nametag's Deepfake Defense engine scans the user’s government-issued ID, matches it to their live selfie, and verifies both captures.
  3. Act with confidence. Verification results update in real time in your console, so helpdesk agents can focus on providing great service and resolving more tickets, more quickly.

Get Started with Entra Account Protection through Nametag

Secure Microsoft TAP issuance through Nametag is easy to set up. You can get started in just 10 minutes: simply sign up for a free trial, integrate your Entra tenant (and other identity providers if you wish), and customize your branding. It really is that easy.

Secure Microsoft TAP issuance combines with Nametag’s Entra MFA, Entra account recovery, and helpdesk verification solutions to deliver end-to-end account protection for Entra. Learn more about Entra account protection with Nametag, then contact us to request a demo or discuss in person.
