Microsoft Fully Ditches the PasswordWindows Users Can Now Use Other Methods to Access Microsoft Products
Microsoft has officially gone fully passwordless, allowing Windows users to replace their alphanumeric passwords with one of several substitute sign-in technologies to gain entry into a Microsoft product - a move received positively by industry insiders.
See Also: Case Study: The Road to Zero Trust
Vasu Jakkal, Microsoft's corporate vice president for security, compliance and identity, said in a blog post that these new sign-in options, which have been available to commercial customers since March, will become available to all Windows users on Oct. 13.
"Beginning today, you can now completely remove the password from your Microsoft account," she says. "Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services."
Microsoft says its customers can still opt to use passwords, but it hopes that by making it easy to go passwordless, users will choose to do so.
Passwordless access has been available on Windows 10 since 2019, and the company has been slowly spreading this type of access throughout its product portfolio over the past few years.
Industry insiders agree with Microsoft's line of thought and say businesses and consumers should adopt any technology that helps remove the need for passwords.
"Passwords are one of the easily compromised components within a company. To mitigate risk, organizations should either establish a tight password policy or switch to a passwordless model, much like Microsoft is doing. The latter will be far more efficient," says Mohit Tiwari, co-founder and CEO at the cloud security firm Symmetry Systems.
Kevin Converse, identity and access management practice lead for professional services at the security firm GuidePoint Security, says going passwordless is a necessary defensive tool that companies should implement.
"With the recent focus on zero trust by [the Office of Management and Budget], many are realizing that a passwordless environment is a key component for organizations looking to implement zero trust and get a handle on access management as cloud and remote work continues to dominate," Converse says. "This announcement makes directional sense, given where the business community is heading."
Bert Kashyap, CEO and co-founder at SecureW2, calls Microsoft's move "great for security" but notes several potential roadblocks, including potential recovery issues if access to the Authenticator App is lost.
"While this is good for security, is this desirable for end users? Will people be willing to use their personal phones with an Authenticator? Something else to consider is that by depending on “something that you have,” it can be a poor user experience if the phone is lost," he says.
TJ Jermoluk, co-founder and CEO of Beyond Identity, notes that the user must fully remove their old passwords from the system for the passwordless functionality to be effective.
"Unless you completely eradicate the password, as opposed to just using it less in the authentication process, sizeable risk still exists," Jermoluk says. This can confuse users into thinking they are ‘passwordless’ when they are not."
Microsoft has provided a pathway to fully remove any passwords during the sign-on process for the Authenticator app, the company says.
Keep It Simple Stupid
Microsoft says over the past several years it has created and implemented multiple simple methods designed to encourage people to sign up for one of its passwordless systems by removing complexity from the maneuver.
Users can go passwordless by downloading the Microsoft Authenticator App, which helps a person sign in to an account when using two-factor verification, the company says, by sending a PIN to a mobile phone or email or a time-based one-time password.
Microsoft introduced Windows Hello in 2015 for businesses and consumers. The company says that the technology uses biometrics and users can set it up to recognize fingerprints, an iris, face or PIN.
Passwords Are Bad
Jakkal listed numerous reasons why Microsoft has been working toward abandoning the password for the last several years.
"Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second - that's 18 billion every year," she notes.
The general reason why attackers direct so much energy toward obtaining passwords is twofold. First, it's easier and more beneficial to enter a target's network by first obtaining an authentic password, and second, people make passwords so easy to steal or decipher.
Creating complex passwords is difficult. They are hard to remember, and the number now required since people have so many accounts makes them hard to manage, Jakkal says.
"I was shocked to learn that nearly a third of people say they completely stop using an account or service rather than dealing with a lost password. That's not only a problem for the person stuck in the password cycle, but also for businesses losing customers," she notes.
To make it easier on themselves, Jakkal says, people dip into familiar wells to come up with passwords. They use pet names, family member names and common phrases. They also reuse passwords they already know across multiple sites.
"We also found 1 in 10 people admitted reusing passwords across sites, and 40% say they've used a formula for their passwords, like Fall2021, which eventually becomes Winter2021 or Spring2022," she says.
All of these machinations play directly into a hacker's hands as many have the skills and tools to take advantage of lax password creation.
"A quick look at someone's social media can give any hacker a head start on logging into their personal accounts," he says. "They can use automated password spraying to try many possibilities quickly. They can use phishing to trick you into putting your credentials into a fake website."