Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/26/2017
02:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft App Aims to Delete the Password

Microsoft has officially launched its Authenticator app designed to simplify and secure user logins, raising questions about the future of password-free authentication.

Microsoft took another step toward eliminating passwords with the general availability release of its Authenticator application designed to swap traditional password authentication with push notifications.

Users typically fail at creating and managing their passwords. Despite the risks of using simple passwords, and using the same password for multiple accounts, users continue to favor convenience over security. Researchers discovered the most common password of 2016 was "123456."

The idea behind Authenticator is to simplify security by eliminating the need for passwords that require upper and lowercase letters, numbers, special characters, emojis, secret handshakes, etc., and moving the core of authentication from human memory to the device.

After downloading Microsoft Authenticator for iOS or Android devices, you add account information and just enter your username when accessing those websites. Instead of entering a password, you get a push notification. Tap "Approve," and you're logged in.

"We wanted to make it super easy for you to prove who you are," says Alex Simons, director of program management for Microsoft's identity division. The first step was getting rid of instances where you're used to typing in passwords.

"Passwords, overall, are a nuisance," he continues. "If you want to be secure, you have to manage all these different passwords for different services … but no one can do that. No one can make 20, 30, 40 different passwords in a secure way."

This isn't Microsoft's first foray into password elimination. Authenticator's implementation model, he says, is similar to that of Windows Hello, which lets users log into Windows 10 devices using biometric authentication. 

Authenticator is initially geared towards consumers, says Simons, and there are about 800 million consumers actively using Microsoft accounts on a monthly basis. The company has plans for a business rollout, starting with a public preview later this fall, but anticipates faster adoption among consumers.

The authentication app works with online Microsoft accounts, as well as with Facebook-, Google-, and other user accounts.

Simplifying user access was one of the goals behind Authenticator. The other was to make it harder for criminals to break into devices.

Paul Cotter, senior security architect with West Monroe Partners, says Microsoft's update is arguably an improvement on "normal passwords" because users need to physically have their phones to access their accounts.

"The problem with a password is if someone finds your password, they can use it from any physical location to gain access to multiple online services," he explains. "With a phone authentication, a hacker would need the physical phone to be able to compromise."

However, he argues, Microsoft isn’t really "killing the password" with Authenticator.

"This is still a single-authentication method," Cotter explains. "There is still only one thing -- in this case, a phone rather than a password, that authenticates identity."

Multi-factor authentication is "the best answer to poor passwords,"he says, and is required to increase security because it diversifies authentication, making it tougher for thieves and cybercriminals to break into devices.

It's worth noting here that Microsoft views its App as two-factor authentication, but acknowledges there are multiple interpretations of what constitutes two-factor authentication. It views the phone as the first factor, and the PIN or fingerprint on the device as the second factor. Each sign-in requires both, the company explains.

Bad actors may need physical phone access to bypass Authenticator, but Cotter notes that phones are also easy to break into. People use simple passcodes (think "1234"), so moving authentication from person to device may only be shifting the risk.

Cotter also notes that biometric authentication could potentially run into problems with the Fifth Amendment. A few years back, courts determined a person could not be required to provide a password under the Fifth Amendment (the right to not self-incriminate). However, they can be compelled to provide a fingerprint that will unlock a device.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
4/29/2017 | 6:45:04 PM
Re: 40 different passwords
@Dr.T: Yes.  You can.  Top InfoSec experts now advise that you actually do write down your passwords (randomly generated with entropy by a computer, of course) -- and then put that writing in a truly safe place (good place: your wallet, a locked safe; bad place: on a sticky note on your monitor, your desk, or in your top desk drawer).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
4/29/2017 | 6:43:07 PM
Re: common password
In a way, this is a sort of InfoSec Darwinism.

But on the other hand, bad security by one actor decreases the security of all others -- especially if hashes and/or plaintext security information get compromised.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
4/29/2017 | 6:42:10 PM
Bah to biometrics-only
I argued against this approach vehemently in a three-part series two years ago for InformationWeek: informationweek.com/software/operating-systems/bypassing-the-password-part-1-windows-10-scaremongering/a/d-id/1319969

Biometrics-only makes security weaker, the biometric data is still as easily compromised as the password data, and biometrics are much more limited (you only have so many fingers and eyes and whatnot).  Plus the other issues addressed in this piece.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/27/2017 | 12:44:09 PM
Multi-factor authentication
 

"Multi-factor authentication is "the best answer to poor passwords,"

This makes sense, we just need to go beyond one factor. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/27/2017 | 12:43:53 PM
40 different passwords
 

"No one can make 20, 30, 40 different passwords in a secure way."

I think this can be done. You just related it to something you deal with everyday.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/27/2017 | 12:43:34 PM
Microsoft Authenticator
 

"After downloading Microsoft Authenticator for iOS or Android devices"

What happens if I do not have a cell phone with me at that time. That is going to be a problem. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/27/2017 | 12:43:14 PM
common password
 

"Researchers discovered the most common password of 2016 was "123456.""

Glad that we passed beyond "password"
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/27/2017 | 12:42:54 PM
No password
Glad to hear Microsoft initiative to get rid of password. That is one of the main reason we saw rise of security issues in my view.
jigyubae
50%
50%
jigyubae,
User Rank: Apprentice
4/26/2017 | 10:36:50 PM
aA
Good, thanks
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4245
PUBLISHED: 2019-12-11
Orca has arbitrary code execution due to insecure Python module load
CVE-2013-4593
PUBLISHED: 2019-12-11
RubyGem omniauth-facebook has an access token security vulnerability
CVE-2013-6495
PUBLISHED: 2019-12-11
JBossWeb Bayeux has reflected XSS
CVE-2013-7370
PUBLISHED: 2019-12-11
node-connect before 2.8.2 has cross site scripting in methodOverride Middleware
CVE-2019-18935
PUBLISHED: 2019-12-11
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote cod...