As part of the company's plans to go passwordless, Microsoft has said it will let users sign in with app-based authentication in place of a password.
Starting on Wednesday, according to a Microsoft blog post, users can now remove passwords from their accounts, and instead use the Authenticator app, Windows Hello, a security key, or a verification code to log in. This feature is set to be “rolled out over the coming weeks”.
“For the past couple of years, we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision,” said Vasu Jakkal, Microsoft’s corporate vice-president, security, compliance and identity.
— Microsoft (@Microsoft) September 15, 2021
“Passwords are an outdated form of authentication, with bad user experience, weak security, and added helpdesk burden all rolled into one,” said Callan.
“Digital identity policies centered around public key infrastructure (PKI) automation provide a fundamentally more usable and more secure authentication model. Digital certificates do all the work behind the scenes by way of a private key embedded inside the authenticating device and a PIN or biometric check to ensure the device is in the correct user’s hands.
“Users have a better and more understandable experience, and a host of well-known password-stealing attacks are no longer a threat. It’s better for the user, and better for IT.”
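The mechanism Callan outlines is a challenge-response: the service issues a random challenge, the device signs it with a private key that never leaves the device, and signing is gated on a local PIN or biometric check. The following Go program is an added illustration of that exchange and is not code from the article, from Microsoft, or from any vendor quoted here. It assumes a P-256 ECDSA key pair standing in for the device certificate, a fixed demo PIN of "1234", an enrolled user "alice", and origins under example.com; all of these are constructed for the example. It also shows why a stolen response is useless: the signature binds the server's one-time nonce to the origin the device believes it is talking to, so a look-alike site relaying a real challenge obtains a signature the real service rejects, and a reused nonce is refused as a replay.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models the authenticating device: the private key stays inside it,
// and it will only sign after a local PIN check (demo PIN "1234", an assumption).
type Device struct {
	priv *ecdsa.PrivateKey
	pin  string
}

func NewDevice(pin string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pin: pin}, nil
}

// PublicKey is the part enrolled with the service (the "certificate" in a real PKI).
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign answers a challenge. The signed digest covers origin||nonce, so a
// signature produced for a look-alike origin is worthless at the genuine one.
func (d *Device) Sign(pin, origin string, nonce []byte) ([]byte, error) {
	if pin != d.pin {
		return nil, errors.New("device: PIN check failed")
	}
	digest := sha256.Sum256(append([]byte(origin+"|"), nonce...))
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Server holds enrolled public keys and the nonces it has issued but not yet seen used.
type Server struct {
	origin string
	keys   map[string]*ecdsa.PublicKey // user -> enrolled public key
	nonces map[string]bool             // outstanding one-time nonces
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, keys: map[string]*ecdsa.PublicKey{}, nonces: map[string]bool{}}
}

func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh 32-byte random nonce that may be used exactly once.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[string(nonce)] = true
	return nonce, nil
}

// Verify consumes the nonce and checks the signature over the server's own origin.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	if !s.nonces[string(nonce)] {
		return false // unknown or already-used nonce: treat as replay
	}
	delete(s.nonces, string(nonce))
	pub, ok := s.keys[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(append([]byte(s.origin+"|"), nonce...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Login runs the whole exchange; origin is what the device believes it is talking to.
func Login(s *Server, d *Device, user, pin, origin string) (bool, error) {
	nonce, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := d.Sign(pin, origin, nonce)
	if err != nil {
		return false, err
	}
	return s.Verify(user, nonce, sig), nil
}

func main() {
	srv := NewServer("https://login.example.com")
	dev, _ := NewDevice("1234")
	srv.Enroll("alice", dev.PublicKey())
	ok, err := Login(srv, dev, "alice", "1234", "https://login.example.com")
	fmt.Println("genuine login:", ok, err)
	// A phishing page relays the real challenge but presents its own origin.
	ok, err = Login(srv, dev, "alice", "1234", "https://login.examp1e.com")
	fmt.Println("relayed phishing attempt accepted:", ok, err)
	_, err = Login(srv, dev, "alice", "0000", "https://login.example.com")
	fmt.Println("wrong PIN:", err)
}
```

The point a practitioner should take from the origin binding is that it, not the key alone, is what defeats credential phishing: without it, a proxying site could relay the challenge and the valid signature straight through. Real deployments also check certificate chains or FIDO2 attestation and enforce nonce expiry, which this model omits.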
Passwords “an Achilles heel”
Passwords are becoming increasingly difficult for users to keep track of, and Steve Bradford, senior vice-president EMEA at SailPoint, believes that although Microsoft's decision to go passwordless has raised some eyebrows, passwords are "an Achilles heel" for users.
Bradford explained: “While they can make it slightly more difficult for someone to gain access into something – it’s not impossible. Whether it’s a pet name, a favourite holiday destination or even a random word, all too often they are easily guessed, stolen, hacked and put on the Dark Web for sale. It’s human nature to make them memorable, but this doesn’t bode well when it comes to keeping them secure.
“Microsoft is making security-forward steps when it comes to removing passwords and instead focusing on authentication apps. User identity is integral to security and creating a zero-trust model. The next step would be to look at the concept of dissolving privileges – meaning that those who have not accessed a system for more than 30 days, for example, would totally lose access, or if an employee is on holiday, the access controls would change. This helps to ensure that only the right people have access to the right information at the right time, which is far more important.”