4/26/2017
02:40 PM

Microsoft App Aims to Delete the Password

Microsoft has officially launched its Authenticator app designed to simplify and secure user logins, raising questions about the future of password-free authentication.

Microsoft took another step toward eliminating passwords with the general availability release of its Authenticator application, designed to replace traditional password authentication with push notifications.

Users typically fail at creating and managing their passwords. Despite the risks of using simple passwords, and using the same password for multiple accounts, users continue to favor convenience over security. Researchers discovered the most common password of 2016 was "123456."

The idea behind Authenticator is to simplify security by eliminating the need for passwords that require upper and lowercase letters, numbers, special characters, emojis, secret handshakes, etc., and moving the core of authentication from human memory to the device.

After downloading Microsoft Authenticator for iOS or Android devices, you add account information and just enter your username when accessing those websites. Instead of entering a password, you get a push notification. Tap "Approve," and you're logged in.

"We wanted to make it super easy for you to prove who you are," says Alex Simons, director of program management for Microsoft's identity division. The first step was getting rid of instances where you're used to typing in passwords.

"Passwords, overall, are a nuisance," he continues. "If you want to be secure, you have to manage all these different passwords for different services … but no one can do that. No one can make 20, 30, 40 different passwords in a secure way."

This isn't Microsoft's first foray into password elimination. Authenticator's implementation model, he says, is similar to that of Windows Hello, which lets users log into Windows 10 devices using biometric authentication. 

Authenticator is initially geared towards consumers, says Simons, and there are about 800 million consumers actively using Microsoft accounts on a monthly basis. The company has plans for a business rollout, starting with a public preview later this fall, but anticipates faster adoption among consumers.

The authentication app works with online Microsoft accounts, as well as with Facebook, Google, and other user accounts.

Simplifying user access was one of the goals behind Authenticator. The other was to make it harder for criminals to break into devices.

Paul Cotter, senior security architect with West Monroe Partners, says Microsoft's update is arguably an improvement on "normal passwords" because users need to physically have their phones to access their accounts.

"The problem with a password is if someone finds your password, they can use it from any physical location to gain access to multiple online services," he explains. "With a phone authentication, a hacker would need the physical phone to be able to compromise."

However, he argues, Microsoft isn’t really "killing the password" with Authenticator.

"This is still a single-authentication method," Cotter explains. "There is still only one thing -- in this case, a phone rather than a password, that authenticates identity."

Multi-factor authentication is "the best answer to poor passwords," he says, and is required to increase security because it diversifies authentication, making it tougher for thieves and cybercriminals to break into devices.

It's worth noting here that Microsoft views its app as two-factor authentication, but acknowledges there are multiple interpretations of what constitutes two-factor authentication. It views the phone as the first factor, and the PIN or fingerprint on the device as the second factor. Each sign-in requires both, the company explains.

Bad actors may need physical phone access to bypass Authenticator, but Cotter notes that phones are also easy to break into. People use simple passcodes (think "1234"), so moving authentication from person to device may only be shifting the risk.

Cotter also notes that biometric authentication could potentially run into problems with the Fifth Amendment. A few years back, courts determined a person could not be required to provide a password under the Fifth Amendment (the right to not self-incriminate). However, they can be compelled to provide a fingerprint that will unlock a device.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Comments
Joe Stanganelli,
User Rank: Ninja
4/29/2017 | 6:45:04 PM
Re: 40 different passwords
@Dr.T: Yes.  You can.  Top InfoSec experts now advise that you actually do write down your passwords (randomly generated with entropy by a computer, of course) -- and then put that writing in a truly safe place (good place: your wallet, a locked safe; bad place: on a sticky note on your monitor, your desk, or in your top desk drawer).
Joe Stanganelli,
User Rank: Ninja
4/29/2017 | 6:43:07 PM
Re: common password
In a way, this is a sort of InfoSec Darwinism.

But on the other hand, bad security by one actor decreases the security of all others -- especially if hashes and/or plaintext security information get compromised.
Joe Stanganelli,
User Rank: Ninja
4/29/2017 | 6:42:10 PM
Bah to biometrics-only
I argued against this approach vehemently in a three-part series two years ago for InformationWeek: informationweek.com/software/operating-systems/bypassing-the-password-part-1-windows-10-scaremongering/a/d-id/1319969

Biometrics-only makes security weaker, the biometric data is still as easily compromised as the password data, and biometrics are much more limited (you only have so many fingers and eyes and whatnot).  Plus the other issues addressed in this piece.
Dr.T,
User Rank: Ninja
4/27/2017 | 12:44:09 PM
Multi-factor authentication
 

"Multi-factor authentication is "the best answer to poor passwords,"

This makes sense, we just need to go beyond one factor. 
Dr.T,
User Rank: Ninja
4/27/2017 | 12:43:53 PM
40 different passwords
 

"No one can make 20, 30, 40 different passwords in a secure way."

I think this can be done. You just relate it to something you deal with every day.
Dr.T,
User Rank: Ninja
4/27/2017 | 12:43:34 PM
Microsoft Authenticator
 

"After downloading Microsoft Authenticator for iOS or Android devices"

What happens if I do not have a cell phone with me at that time? That is going to be a problem.
Dr.T,
User Rank: Ninja
4/27/2017 | 12:43:14 PM
common password
 

"Researchers discovered the most common password of 2016 was "123456.""

Glad that we passed beyond "password"
Dr.T,
User Rank: Ninja
4/27/2017 | 12:42:54 PM
No password
Glad to hear of Microsoft's initiative to get rid of passwords. That is one of the main reasons we saw a rise in security issues, in my view.
jigyubae,
User Rank: Apprentice
4/26/2017 | 10:36:50 PM
aA
Good, thanks