Microsoft announces passwordless authentication, but are we ready to give up passwords?

Microsoft allows users to completely remove the password from their Microsoft account.
20 September 2021

Passwordless authentication may just be the new security method. Almost everything we do online requires a password today — be it unlocking mobile devices, conducting bank transactions, or accessing systems for work.

To secure passwords, users are now forced to use more characters and, more importantly, to avoid reusing the same password across their personal accounts, work accounts, and devices.

However, the burden of memorizing multiple passwords continues to be a thorn in the side of enterprises and consumers alike. Many consumers prefer using the same password for all their authentication needs, whereas enterprises may opt to use auto-generated secure passwords as an authentication method for work purposes.

Whilst not entirely new, there is a strong case to be made for two-factor authentication (or more recently, multi-factor authentication — MFA). Platforms and sites are increasingly adding this feature for their services as an added security layer to secure log-ins and provide additional verification for user access.

Not only do users need passwords, but they also need to use another code, provided in real-time, to access their accounts. These codes can be sent through SMS, from a physical device, or through e-mail, among others.

Within the banking and finance sector, MFA has been around for a long time — think your MSOS code to authorize your credit card payment for your online purchase.

However, despite this, cybercriminals are still able to obtain passwords and compromise accounts, through techniques such as purchasing them on the dark web, social engineering, phishing, scams, or just plain brute forcing. Hacked databases containing passwords are often sold on the dark web for a pretty penny.

As if that’s not enough, SMS verification codes can be easily intercepted today, and passwords decrypted, making life much easier for cybercriminals.

Websites like haveibeenpwned serve as a public service, reporting whether email accounts have been compromised and sold on the dark web. The website has revealed several major password leaks, including those from large corporations.

Earlier this year, the United Nations’ computer networks were breached — hackers made off with a trove of data that could be used to target agencies within the intergovernmental organization. Apparently, the hackers likely got in using the stolen username and password of a UN employee purchased off the dark web.

Biometric authentication

To deal with this, biometric authentication is now becoming the go-to choice for verification at most organizations, commonly used in conjunction with password authentication. There are several biometric authentication methods available today that can enhance password security.

Some common biometric authentication methods today include fingerprint and facial recognition. Most mobile phones and laptops today require fingerprint verification for access, whereas some mobile phones use retinal scanners.

Businesses are also switching to both fingerprint and facial recognition security features to ensure that only the right people have access to company accounts and data. Biometric authentication technology has continued to improve since it was first introduced, and more use cases are emerging for this method.

Are we ready for biometric security?

Microsoft’s push for passwordless authentication

With biometric technology improving, Microsoft has decided to go completely passwordless for some of its products, and combine passwordless authentication with biometrics for users.

According to Vasu Jakkal, Corporate Vice President for Security, Compliance, and Identity at Microsoft, users can now completely remove the password from their Microsoft account.

“Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more. This feature will be rolled out over the coming weeks,” said Jakkal in a blog post.

Jakkal added that weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second — making it 18 billion every year.

But how secure is passwordless authentication?

TechHQ reached out to Kevin Reed, CISO at Acronis, to get his views on passwordless authentication. While Reed feels that going passwordless using biometric authentication is more secure than SMS verification, there are still some considerations businesses have to look into before applying it.

“The biggest advantage of biometric authentication is that it cannot be changed. You cannot change your fingerprints. You cannot change your retina. Attackers cannot typically compromise a server and steal biometric data from a server. They can’t do this because the biometric data is not sent to the server,” said Reed.

Reed also added that enterprises should not just rely on biometric authentication to safeguard against attackers. He explained that organizations need to prioritize defense in depth, or the whole company may be compromised.

For Samuel Bakken, Director of Product Marketing at OneSpan, securing biometric authentication end to end does not stop at presentation attacks on the sensor where biometric data is captured, such as replay attacks. For businesses, especially financial institutions, Bakken suggests they seriously look into the design, implementation, deployment, and configuration of their biometric authentication solution.

Despite this, it remains to be seen whether Microsoft’s passwordless agenda will be fruitful. The company has already experienced multiple incidents in recent times, especially those involving its Exchange servers.

Microsoft’s passwordless authentication may be the future for them, but it may be some time before it becomes the future for everyone else. Humans are still the weakest link in cybersecurity; removing passwords and relying on biometrics might just lead to bigger problems.