Microsoft took another step toward eliminating passwords with the general availability release of its Authenticator application designed to swap traditional password authentication with push notifications.
Users typically fail at creating and managing their passwords. Despite the risks of using simple passwords, and using the same password for multiple accounts, users continue to favor convenience over security. Researchers discovered the most common password of 2016 was "123456."
The idea behind Authenticator is to simplify security by eliminating the need for passwords that require upper and lowercase letters, numbers, special characters, emojis, secret handshakes, etc., and moving the core of authentication from human memory to the device.
After downloading Microsoft Authenticator for iOS or Android devices, you add account information and just enter your username when accessing those websites. Instead of entering a password, you get a push notification. Tap "Approve," and you're logged in.
"We wanted to make it super easy for you to prove who you are," says Alex Simons, director of program management for Microsoft's identity division. The first step was getting rid of instances where you're used to typing in passwords.
"Passwords, overall, are a nuisance," he continues. "If you want to be secure, you have to manage all these different passwords for different services … but no one can do that. No one can make 20, 30, 40 different passwords in a secure way."
This isn't Microsoft's first foray into password elimination. Authenticator's implementation model, he says, is similar to that of Windows Hello, which lets users log into Windows 10 devices using biometric authentication.
Authenticator is initially geared towards consumers, says Simons, and there are about 800 million consumers actively using Microsoft accounts on a monthly basis. The company has plans for a business rollout, starting with a public preview later this fall, but anticipates faster adoption among consumers.
The authentication app works with online Microsoft accounts, as well as with Facebook-, Google-, and other user accounts.
Simplifying user access was one of the goals behind Authenticator. The other was to make it harder for criminals to break into devices.
Paul Cotter, senior security architect with West Monroe Partners, says Microsoft's update is arguably an improvement on "normal passwords" because users need to physically have their phones to access their accounts.
"The problem with a password is if someone finds your password, they can use it from any physical location to gain access to multiple online services," he explains. "With a phone authentication, a hacker would need the physical phone to be able to compromise."
However, he argues, Microsoft isn’t really "killing the password" with Authenticator.
"This is still a single-authentication method," Cotter explains. "There is still only one thing -- in this case, a phone rather than a password, that authenticates identity."
Multi-factor authentication is "the best answer to poor passwords,"he says, and is required to increase security because it diversifies authentication, making it tougher for thieves and cybercriminals to break into devices.
It's worth noting here that Microsoft views its App as two-factor authentication, but acknowledges there are multiple interpretations of what constitutes two-factor authentication. It views the phone as the first factor, and the PIN or fingerprint on the device as the second factor. Each sign-in requires both, the company explains.
Bad actors may need physical phone access to bypass Authenticator, but Cotter notes that phones are also easy to break into. People use simple passcodes (think "1234"), so moving authentication from person to device may only be shifting the risk.
Cotter also notes that biometric authentication could potentially run into problems with the Fifth Amendment. A few years back, courts determined a person could not be required to provide a password under the Fifth Amendment (the right to not self-incriminate). However, they can be compelled to provide a fingerprint that will unlock a device.