Microsoft's 4-Step Plan for Eliminating Passwords

Microsoft is on a campaign to replace passwords with other authentication methods and it points to its Windows Hello and Authenticator app as examples of viable alternatives.

Jeffrey Burt, Editor & Journalist

May 3, 2018


It's no secret in enterprises that end users can be the largest security threat in an organization, and that passwords often are the way hackers get into the corporate network.

In its 2017 Data Breach Investigations report, Verizon reports that 81% of hacking-related breaches occurred because of stolen or weak passwords.

Since the introduction of the Windows 10 operating system almost three years ago, Microsoft officials have been vocal in their push to rid the computing world of letters, numbers and figures in favor of other identification options, which can include two- and multi-factor authentication and biometric technologies like fingerprint and voice and face recognition.

(Source: Security Now)


In a blog post this week, the company upped the anti-password campaign and laid out a four-step process for moving into an era where passwords are no longer used.

"Nobody likes passwords," Karanbir Singh, principal program manager for enterprise and security at Microsoft, wrote in the blog post, adding:

"They are inconvenient, insecure, and expensive. In fact, we dislike them so much that we've been busy at work trying to create a world without them -- a world without passwords. At its core, our fundamental philosophy is simple: devalue the password, and replace it with something that eradicates its use for the end user and drains its value for an attacker."

Singh acknowledged the significant role passwords have played over the past decades in the lives of PC users, adding that "to fully get rid of them, not only do we need to address all that is bad with them, we also need to acknowledge all that is good; they are familiar, portable, and can be used almost everywhere." (See SunTrust Investigation Shows Continuing Threats Posed by Insiders.)

The first of the four steps in the password-elimination process calls for creating replacement technologies that "address the shortcomings of passwords while embracing their positive attributes," he wrote.

For Microsoft, that began with the introduction of Windows Hello in Windows 10. The biometric technology enables users to log into their Windows PCs or other devices through fingerprint, facial or iris scans, which the company says is three times faster than using traditional passwords. According to Microsoft, more than 47 million users worldwide leverage Windows Hello and more than 5,000 companies are using Windows Hello for Business on more than 1 million commercial systems and devices.

A weakness in the technology is obvious in shared-PC situations, though Singh wrote that the company is working on developing portable credentials for such scenarios.

Microsoft also created its Authenticator app, a two-factor verification technology for users who want to access their Microsoft account through their Apple or Android smartphones. After getting into the smartphone via their password for the device, users can verify their identity with the app, which can either send a notification when the user signs in or can automatically generate a new verification code every 30 seconds.

In addition, Redmond has been working with the Fast Identity Online (FIDO) group and is working to bring FIDO2 security keys to Windows Hello. The FIDO2 security keys enable users to bring their credential with them wherever they go and use it for authentication to a shared Windows 10 PC that's joined to Azure Active Directory.


Microsoft officials say the technology could help in such situations as a helpdesk, a hospital -- allowing staff to access patient records on a device -- and in the public sector, where policies might dictate that the user's credential has to be kept physically separate from the device.

The feature currently is in limited preview, Singh wrote.

In the Windows 10 April 2018 update, Microsoft introduced Windows 10 in S mode.

This lets cloud users with a Managed Service Account (MSA) or Azure AD account use their S mode-enabled Windows 10 PCs without having to type in a password. Users do this by installing the Authenticator app on their smartphone and setting it up with their MSA or Azure AD account, and then installing the Windows 10 April 2018 update with S mode enabled. They then set up the Windows Hello account and use the Authenticator app to sign into it.

In addition, Microsoft earlier this year said it will use Fujitsu's PalmSecure palm vein authentication technology in Windows 10 Pro to sign into systems. (See Windows 10 Bypassing Passwords With Fujitsu's PalmSecure Biometrics.)

Once the first step, finding alternatives to passwords, is in place, the next step in getting rid of them altogether is ensuring that those times when a user needs to type in a password -- such as provisioning an account, accessing applications or setting up a new device -- can work with password replacements. Enabling users and IT administrators to simulate and transition to password alternative technologies is the third step, followed by what Singh called "the final frontier -- delete passwords from the identity directory."


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
