Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

5/7/2020
05:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Microsoft Identity VP Shares How and Why to Ditch Passwords

Passwords are on their way out, says Joy Chik, who offers guidance for businesses hoping to shift away from them.

As the security industry acknowledges World Password Day, more experts wonder how our lives would look without them. New forms of authentication are catching up, at home and at work, giving people a better sense of how insecure and costly passwords are.

Cybercriminals don't need advanced techniques when they can bet on human behavior. In its "2019 State of Password and Authentication Security Behaviors Report," the Ponemon Institute found 51% of 1,761 IT and IT security pros reused an average of five total passwords across both business and personal accounts. Nearly 70% admitted to sharing their passwords with colleagues.

It's a dangerous habit. After all, the complexity of a password doesn't matter if it falls into the wrong hands, says Joy Chick, corporate vice president of identity at Microsoft. "If they get hold of one password, they know they can use it [to] pry open more of our digital lives," she wrote in a blog post. "A single compromised password, then, can create a chain reaction of liability."

On average, one in every 250 corporate accounts is compromised each month. The expense of passwords grows as companies adopt more business applications. Now companies dedicate 30% to 60% of their support desk calls to resetting passwords.

"Password reset is one of the highest support costs, especially in enterprise customers," Chik tells Dark Reading.

Consumers have grown more wary of cybercrime and are becoming aware of authentication's role in protecting their information.

"We all understand the need to have second-factor authentication in addition to passwords," she explains. "Even though that is understood as more secure, the challenge is users have a hard time dealing with multiple passwords for multiple services." A second factor, on top of password management, becomes overwhelming.

The primary reason multifactor authentication (MFA) has been slow to catch on is user friction, she says, and it's a struggle that organizations of all sizes are trying to work through. Adding a second factor on top of requiring a password could also increase support costs as businesses deploy new authentication policies.

As more people learn about and adopt passwordless authentication, they seem to prefer it. A Visa survey published earlier this year found 68% of US shoppers had left an online purchase because they forgot a password, had trouble logging in, or experienced issues getting a one-time password. More than half (53%) of credit-card holders who responded said they would switch banks if their current provider didn't have biometric authentication options. Two-thirds viewed these options as easier and faster than traditional passwords, researchers found. 

Employees are catching on to the passwordless trend.

"We have reached over 150 million unique users on a monthly basis using passwordless options as a way to authenticate against services and applications," says Chik of Microsoft and Azure Active Directory. It's a 50% jump in six months. Microsoft data shows the use of biometrics for work accounts is poised to double in 2010, as nearly 25% of companies already use or plan to deploy biometrics in the near future.

Microsoft's IT team adopted passwordless logins, Chik wrote, and now 90% of employees sign in sans passwords. As a result, the hard and soft costs of supporting passwords dropped 87%.

Abandoning Passwords? Factors to Consider
When considering new forms of authentication, Chik says its essential to keep a password replacement strategy in mind. She advises businesses to think through all the different factors, both primary and secondary, they plan to offer employees. If someone relies on a mobile authentication app and their device is lost or stolen, how will you replace their password so they can be productive? How will you backup data and restore it; what will be your fallback mechanisms? If an employee uses a security key, how will you ensure they are given two?

Security teams should think about their environments. Before they are provisioned with passwordless authentication, employees should go through a pilot program or proof-of-concept so they can test the technology before adopting it.

"That also reduces friction of the typical top-down IT mandate in terms of policies," Chik notes. Employees can test their options while satisfying the business requirement for stronger authentication practices.

Another important factor to consider is how the organization will remove passwords from legacy environments. Indeed, as more organizations brace themselves for a prolonged period of working from home, many are thinking about how their security practices will change.

"They need a new strategy of helping end users to be productive and have security at the same time," Chik says.

Related Content:

 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17478
PUBLISHED: 2020-08-10
ECDSA/EC/Point.pm in Crypt::Perl before 0.33 does not properly consider timing attacks against the EC point multiplication algorithm.
CVE-2020-15648
PUBLISHED: 2020-08-10
Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.
CVE-2020-15649
PUBLISHED: 2020-08-10
Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actually files picked. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR...
CVE-2020-15650
PUBLISHED: 2020-08-10
Given an installed malicious file picker application, an attacker was able to overwrite local files and thus overwrite Firefox settings (but not access the previous profile). *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Fir...
CVE-2020-15651
PUBLISHED: 2020-08-10
A unicode RTL order character in the downloaded file name can be used to change the file's name during the download UI flow to change the file extension. This vulnerability affects Firefox for iOS < 28.