Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

5/7/2020
05:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Microsoft Identity VP Shares How and Why to Ditch Passwords

Passwords are on their way out, says Joy Chik, who offers guidance for businesses hoping to shift away from them.

As the security industry acknowledges World Password Day, more experts wonder how our lives would look without them. New forms of authentication are catching up, at home and at work, giving people a better sense of how insecure and costly passwords are.

Cybercriminals don't need advanced techniques when they can bet on human behavior. In its "2019 State of Password and Authentication Security Behaviors Report," the Ponemon Institute found 51% of 1,761 IT and IT security pros reused an average of five total passwords across both business and personal accounts. Nearly 70% admitted to sharing their passwords with colleagues.

It's a dangerous habit. After all, the complexity of a password doesn't matter if it falls into the wrong hands, says Joy Chick, corporate vice president of identity at Microsoft. "If they get hold of one password, they know they can use it [to] pry open more of our digital lives," she wrote in a blog post. "A single compromised password, then, can create a chain reaction of liability."

On average, one in every 250 corporate accounts is compromised each month. The expense of passwords grows as companies adopt more business applications. Now companies dedicate 30% to 60% of their support desk calls to resetting passwords.

"Password reset is one of the highest support costs, especially in enterprise customers," Chik tells Dark Reading.

Consumers have grown more wary of cybercrime and are becoming aware of authentication's role in protecting their information.

"We all understand the need to have second-factor authentication in addition to passwords," she explains. "Even though that is understood as more secure, the challenge is users have a hard time dealing with multiple passwords for multiple services." A second factor, on top of password management, becomes overwhelming.

The primary reason multifactor authentication (MFA) has been slow to catch on is user friction, she says, and it's a struggle that organizations of all sizes are trying to work through. Adding a second factor on top of requiring a password could also increase support costs as businesses deploy new authentication policies.

As more people learn about and adopt passwordless authentication, they seem to prefer it. A Visa survey published earlier this year found 68% of US shoppers had left an online purchase because they forgot a password, had trouble logging in, or experienced issues getting a one-time password. More than half (53%) of credit-card holders who responded said they would switch banks if their current provider didn't have biometric authentication options. Two-thirds viewed these options as easier and faster than traditional passwords, researchers found. 

Employees are catching on to the passwordless trend.

"We have reached over 150 million unique users on a monthly basis using passwordless options as a way to authenticate against services and applications," says Chik of Microsoft and Azure Active Directory. It's a 50% jump in six months. Microsoft data shows the use of biometrics for work accounts is poised to double in 2010, as nearly 25% of companies already use or plan to deploy biometrics in the near future.

Microsoft's IT team adopted passwordless logins, Chik wrote, and now 90% of employees sign in sans passwords. As a result, the hard and soft costs of supporting passwords dropped 87%.

Abandoning Passwords? Factors to Consider
When considering new forms of authentication, Chik says its essential to keep a password replacement strategy in mind. She advises businesses to think through all the different factors, both primary and secondary, they plan to offer employees. If someone relies on a mobile authentication app and their device is lost or stolen, how will you replace their password so they can be productive? How will you backup data and restore it; what will be your fallback mechanisms? If an employee uses a security key, how will you ensure they are given two?

Security teams should think about their environments. Before they are provisioned with passwordless authentication, employees should go through a pilot program or proof-of-concept so they can test the technology before adopting it.

"That also reduces friction of the typical top-down IT mandate in terms of policies," Chik notes. Employees can test their options while satisfying the business requirement for stronger authentication practices.

Another important factor to consider is how the organization will remove passwords from legacy environments. Indeed, as more organizations brace themselves for a prolonged period of working from home, many are thinking about how their security practices will change.

"They need a new strategy of helping end users to be productive and have security at the same time," Chik says.

Related Content:

 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarkSitkowski
50%
50%
MarkSitkowski,
User Rank: Moderator
5/14/2020 | 11:31:30 PM
In Defence of the Humble Password
Passwords have had a lot of bad press in recent years, most of which was almost certainly well-deserved. However, despite the obvious limitations, they do have considerable appeal, in that users find them extremely easy to remember, and convenient to enter. Further, unlike fingerprints, iris-scans, colonoscopies, or other intrusive identification techniques, they respect your privacy, and can be changed at will. The fact of the matter is, that passwords themselves are one hundred percent secure, as long as they only exist in our minds. What destroys their security, is when we tell them to the outside world

An article on ResearchGate, with the same title as that of this post, examines the issues with passwords, and concludes that it's not the password which is insecure - it's the way we enter it.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4035
PUBLISHED: 2020-06-03
In WatermelonDB (NPM package "@nozbe/watermelondb") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to...
CVE-2020-13783
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Storage of Sensitive Information.
CVE-2020-13784
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number Generator.
CVE-2020-13785
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength.
CVE-2020-13786
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF.