It has been announced by Microsoft that users can now delete all passwords from their accounts and instead log in using an authenticator app or other solution. If passwordless login is enabled, users re-logging into a Microsoft account will be asked to give their fingerprint, or other secure unlock, on their mobile phone.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>Microsoft’s decision to abolish passwords is raising a few eyebrows; however, passwords can be an Achilles heel for those who do use them. While they can make it slightly more difficult for someone to gain access to something – it’s not impossible. Whether it’s a pet name, a favourite holiday destination, or even a random word, all too often they are easily guessed, stolen, hacked, and put on the Dark Web for sale. It’s human nature to make them memorable, but this doesn’t bode well when it comes to keeping them secure. </p>
<p>Microsoft is making security-forward steps when it comes to removing passwords and instead focusing on authentication apps. User identity is integral to security and creating a zero-trust model. The next step would be to look at the concept of dissolving privileges – meaning that those who have not accessed a system for more than 30 days for example, would totally lose access, or if an employee is on holiday, the access controls would change. This helps to ensure that only the right people have access to the right information at the right time, which is far more important.</p>
<p><span id=\"m_-955454723366296442m_-6315167461583603899gmail-docs-internal-guid-2819df29-7fff-4512-e1d3-098ed6e6cc06\">Passwords are an outdated form of authentication, with bad user experience, weak security, and added helpdesk burden all rolled into one. Digital identity policies centered around public key infrastructure (PKI) automation provide a fundamentally more usable and more secure authentication model. Digital certificates do all the work behind the scenes by way of a private key embedded inside the authenticating device and a PIN or biometric check to ensure the device is in the correct user’s hands. Users have a better and more understandable experience, and a host of well-known password-stealing attacks are no longer a threat. It’s better for the user, and better for IT.</span></p>
<p>Any announcement that signals a move toward at least trying to take passwords out of circulation is a welcome move in the right direction. However, unless you completely eradicate the password as opposed to just using it less in the authentication process, a sizeable risk still exists. There seem to be some devils in Microsoft’s details. When they announced passwordless in March, they didn\’t actually let people remove the password, they just let them not use it. In fact, the user is still able to switch back and forth based on user preference. Not surprisingly, it’s also Microsoft account-specific (<a title=\"http://hotmail.com/\" href=\"http://hotmail.com/\" target=\"_blank\" rel=\"noopener\" data-saferedirecturl=\"https://www.google.com/url?q=http://hotmail.com/&source=gmail&ust=1631883285465000&usg=AFQjCNHhQXJMbWcj5Xka60L-W-1zo2RJmA\">hotmail.com</a> and <a title=\"http://outlook.com/\" href=\"http://outlook.com/\" target=\"_blank\" rel=\"noopener\" data-saferedirecturl=\"https://www.google.com/url?q=http://outlook.com/&source=gmail&ust=1631883285465000&usg=AFQjCNG2iMZqqpQJYFOOCUuITaQegyiIRw\">outlook.com</a> domains) as it requires “the Microsoft Authenticator app installed and linked to your personal Microsoft account.” So, this can confuse users into thinking they are ‘passwordless’ when they are not.</p>
<p style=\"font-weight: 400;\">This move from Microsoft is a sign of things to come for online security. The future of personal account logins will undoubtedly be passwordless, as more systems will rely on robust authentication procedures rather than requiring users to remember passwords that are often not strong enough, or too complex to remember. </p>
<p style=\"font-weight: 400;\">We have known for some time that multi-factor authentication is one of the strongest ways to protect an account, as access to multiple devices and biometric data is required for access. With this system in place, it becomes much harder for threat actors to compromise an account.</p>
<p style=\"font-weight: 400;\">More companies will be moving towards this, as Apple added features in iOS 15 to prepare for a similar move towards more secure logins and to drop the use of passwords.</p>
<p>With password requirements becoming more complex, users often recycle old passwords or reuse passwords on multiple websites. This makes passwords a vulnerability hackers can target via brute force attacks or the use of password duplication across multiple accounts.</p>
<p>With companies still storing passwords in readable formats and the popularity of adversaries posting compromised passwords online, users security is continually at risk. Passwordless accounts could an extremely effective way forward in the battle against cybercriminals and protecting our networks.</p>
<p>In June, the infamous ransomware attack against Colonial Pipeline was the result of the theft and use of one single password, that had been reused on a previously compromised website</p>
<p>The added protection 2FA provides has increased the difficulty for hackers attempting to infiltrate a network, however, it is important to remind ourselves that this is still not a completely foolproof method. Hackers have previously been able to contact a victim’s carrier and swap the sim card to a new one to hijack incoming 2FA authentication codes. Android users are also at risk of downloading a malicious copy of an authentication app that copies the codes and forwards them onto the hackers.</p>
<p>The bottom line is, that 2FA is currently the safest option when keeping data and accounts safe. Whilst any password measures have their vulnerabilities, making it harder for an attacker by having passwordless accounts may be the step towards reducing the high risks of phasing and password attacks.</p>