Endpoint

4/26/2017
02:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft App Aims to Delete the Password

Microsoft has officially launched its Authenticator app designed to simplify and secure user logins, raising questions about the future of password-free authentication.

Microsoft took another step toward eliminating passwords with the general availability release of its Authenticator application designed to swap traditional password authentication with push notifications.

Users typically fail at creating and managing their passwords. Despite the risks of using simple passwords, and using the same password for multiple accounts, users continue to favor convenience over security. Researchers discovered the most common password of 2016 was "123456."

The idea behind Authenticator is to simplify security by eliminating the need for passwords that require upper and lowercase letters, numbers, special characters, emojis, secret handshakes, etc., and moving the core of authentication from human memory to the device.

After downloading Microsoft Authenticator for iOS or Android devices, you add account information and just enter your username when accessing those websites. Instead of entering a password, you get a push notification. Tap "Approve," and you're logged in.

"We wanted to make it super easy for you to prove who you are," says Alex Simons, director of program management for Microsoft's identity division. The first step was getting rid of instances where you're used to typing in passwords.

"Passwords, overall, are a nuisance," he continues. "If you want to be secure, you have to manage all these different passwords for different services … but no one can do that. No one can make 20, 30, 40 different passwords in a secure way."

This isn't Microsoft's first foray into password elimination. Authenticator's implementation model, he says, is similar to that of Windows Hello, which lets users log into Windows 10 devices using biometric authentication. 

Authenticator is initially geared towards consumers, says Simons, and there are about 800 million consumers actively using Microsoft accounts on a monthly basis. The company has plans for a business rollout, starting with a public preview later this fall, but anticipates faster adoption among consumers.

The authentication app works with online Microsoft accounts, as well as with Facebook-, Google-, and other user accounts.

Simplifying user access was one of the goals behind Authenticator. The other was to make it harder for criminals to break into devices.

Paul Cotter, senior security architect with West Monroe Partners, says Microsoft's update is arguably an improvement on "normal passwords" because users need to physically have their phones to access their accounts.

"The problem with a password is if someone finds your password, they can use it from any physical location to gain access to multiple online services," he explains. "With a phone authentication, a hacker would need the physical phone to be able to compromise."

However, he argues, Microsoft isn’t really "killing the password" with Authenticator.

"This is still a single-authentication method," Cotter explains. "There is still only one thing -- in this case, a phone rather than a password, that authenticates identity."

Multi-factor authentication is "the best answer to poor passwords,"he says, and is required to increase security because it diversifies authentication, making it tougher for thieves and cybercriminals to break into devices.

It's worth noting here that Microsoft views its App as two-factor authentication, but acknowledges there are multiple interpretations of what constitutes two-factor authentication. It views the phone as the first factor, and the PIN or fingerprint on the device as the second factor. Each sign-in requires both, the company explains.

Bad actors may need physical phone access to bypass Authenticator, but Cotter notes that phones are also easy to break into. People use simple passcodes (think "1234"), so moving authentication from person to device may only be shifting the risk.

Cotter also notes that biometric authentication could potentially run into problems with the Fifth Amendment. A few years back, courts determined a person could not be required to provide a password under the Fifth Amendment (the right to not self-incriminate). However, they can be compelled to provide a fingerprint that will unlock a device.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
4/29/2017 | 6:45:04 PM
Re: 40 different passwords
@Dr.T: Yes.  You can.  Top InfoSec experts now advise that you actually do write down your passwords (randomly generated with entropy by a computer, of course) -- and then put that writing in a truly safe place (good place: your wallet, a locked safe; bad place: on a sticky note on your monitor, your desk, or in your top desk drawer).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
4/29/2017 | 6:43:07 PM
Re: common password
In a way, this is a sort of InfoSec Darwinism.

But on the other hand, bad security by one actor decreases the security of all others -- especially if hashes and/or plaintext security information get compromised.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
4/29/2017 | 6:42:10 PM
Bah to biometrics-only
I argued against this approach vehemently in a three-part series two years ago for InformationWeek: informationweek.com/software/operating-systems/bypassing-the-password-part-1-windows-10-scaremongering/a/d-id/1319969

Biometrics-only makes security weaker, the biometric data is still as easily compromised as the password data, and biometrics are much more limited (you only have so many fingers and eyes and whatnot).  Plus the other issues addressed in this piece.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/27/2017 | 12:44:09 PM
Multi-factor authentication
 

"Multi-factor authentication is "the best answer to poor passwords,"

This makes sense, we just need to go beyond one factor. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/27/2017 | 12:43:53 PM
40 different passwords
 

"No one can make 20, 30, 40 different passwords in a secure way."

I think this can be done. You just related it to something you deal with everyday.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/27/2017 | 12:43:34 PM
Microsoft Authenticator
 

"After downloading Microsoft Authenticator for iOS or Android devices"

What happens if I do not have a cell phone with me at that time. That is going to be a problem. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/27/2017 | 12:43:14 PM
common password
 

"Researchers discovered the most common password of 2016 was "123456.""

Glad that we passed beyond "password"
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/27/2017 | 12:42:54 PM
No password
Glad to hear Microsoft initiative to get rid of password. That is one of the main reason we saw rise of security issues in my view.
jigyubae
50%
50%
jigyubae,
User Rank: Apprentice
4/26/2017 | 10:36:50 PM
aA
Good, thanks
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7682
PUBLISHED: 2018-06-22
Micro Focus Solutions Business Manager versions prior to 11.4 allows a user to invoke SBM RESTful services across domains.
CVE-2018-12689
PUBLISHED: 2018-06-22
phpLDAPadmin 1.2.2 allows LDAP injection via a crafted server_id parameter in a cmd.php?cmd=login_form request, or a crafted username and password in the login panel.
CVE-2018-12538
PUBLISHED: 2018-06-22
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage...
CVE-2018-12684
PUBLISHED: 2018-06-22
Out-of-bounds Read in the send_ssi_file function in civetweb.c in CivetWeb through 1.10 allows attackers to cause a Denial of Service or Information Disclosure via a crafted SSI file.
CVE-2018-12687
PUBLISHED: 2018-06-22
tinyexr 0.9.5 has an assertion failure in DecodePixelData in tinyexr.h.