Microsoft Identity VP Shares How and Why to Ditch Passwords

Passwords are on their way out, says Joy Chik, who offers guidance for businesses hoping to shift away from them.

As the security industry acknowledges World Password Day, more experts wonder how our lives would look without them. New forms of authentication are catching up, at home and at work, giving people a better sense of how insecure and costly passwords are.

Cybercriminals don't need advanced techniques when they can bet on human behavior. In its "2019 State of Password and Authentication Security Behaviors Report," the Ponemon Institute found 51% of 1,761 IT and IT security pros reused an average of five total passwords across both business and personal accounts. Nearly 70% admitted to sharing their passwords with colleagues.

It's a dangerous habit. After all, the complexity of a password doesn't matter if it falls into the wrong hands, says Joy Chick, corporate vice president of identity at Microsoft. "If they get hold of one password, they know they can use it [to] pry open more of our digital lives," she wrote in a blog post. "A single compromised password, then, can create a chain reaction of liability."

On average, one in every 250 corporate accounts is compromised each month. The expense of passwords grows as companies adopt more business applications. Now companies dedicate 30% to 60% of their support desk calls to resetting passwords.

"Password reset is one of the highest support costs, especially in enterprise customers," Chik tells Dark Reading.

Consumers have grown more wary of cybercrime and are becoming aware of authentication's role in protecting their information.

"We all understand the need to have second-factor authentication in addition to passwords," she explains. "Even though that is understood as more secure, the challenge is users have a hard time dealing with multiple passwords for multiple services." A second factor, on top of password management, becomes overwhelming.

The primary reason multifactor authentication (MFA) has been slow to catch on is user friction, she says, and it's a struggle that organizations of all sizes are trying to work through. Adding a second factor on top of requiring a password could also increase support costs as businesses deploy new authentication policies.

As more people learn about and adopt passwordless authentication, they seem to prefer it. A Visa survey published earlier this year found 68% of US shoppers had left an online purchase because they forgot a password, had trouble logging in, or experienced issues getting a one-time password. More than half (53%) of credit-card holders who responded said they would switch banks if their current provider didn't have biometric authentication options. Two-thirds viewed these options as easier and faster than traditional passwords, researchers found. 

Employees are catching on to the passwordless trend.

"We have reached over 150 million unique users on a monthly basis using passwordless options as a way to authenticate against services and applications," says Chik of Microsoft and Azure Active Directory. It's a 50% jump in six months. Microsoft data shows the use of biometrics for work accounts is poised to double in 2010, as nearly 25% of companies already use or plan to deploy biometrics in the near future.

Microsoft's IT team adopted passwordless logins, Chik wrote, and now 90% of employees sign in sans passwords. As a result, the hard and soft costs of supporting passwords dropped 87%.

Abandoning Passwords? Factors to Consider
When considering new forms of authentication, Chik says its essential to keep a password replacement strategy in mind. She advises businesses to think through all the different factors, both primary and secondary, they plan to offer employees. If someone relies on a mobile authentication app and their device is lost or stolen, how will you replace their password so they can be productive? How will you backup data and restore it; what will be your fallback mechanisms? If an employee uses a security key, how will you ensure they are given two?

Security teams should think about their environments. Before they are provisioned with passwordless authentication, employees should go through a pilot program or proof-of-concept so they can test the technology before adopting it.

"That also reduces friction of the typical top-down IT mandate in terms of policies," Chik notes. Employees can test their options while satisfying the business requirement for stronger authentication practices.

Another important factor to consider is how the organization will remove passwords from legacy environments. Indeed, as more organizations brace themselves for a prolonged period of working from home, many are thinking about how their security practices will change.

"They need a new strategy of helping end users to be productive and have security at the same time," Chik says.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register