Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:00 PM
Connect Directly

Microsoft Identity VP Shares How and Why to Ditch Passwords

Passwords are on their way out, says Joy Chik, who offers guidance for businesses hoping to shift away from them.

As the security industry acknowledges World Password Day, more experts wonder how our lives would look without them. New forms of authentication are catching up, at home and at work, giving people a better sense of how insecure and costly passwords are.

Cybercriminals don't need advanced techniques when they can bet on human behavior. In its "2019 State of Password and Authentication Security Behaviors Report," the Ponemon Institute found 51% of 1,761 IT and IT security pros reused an average of five total passwords across both business and personal accounts. Nearly 70% admitted to sharing their passwords with colleagues.

It's a dangerous habit. After all, the complexity of a password doesn't matter if it falls into the wrong hands, says Joy Chick, corporate vice president of identity at Microsoft. "If they get hold of one password, they know they can use it [to] pry open more of our digital lives," she wrote in a blog post. "A single compromised password, then, can create a chain reaction of liability."

On average, one in every 250 corporate accounts is compromised each month. The expense of passwords grows as companies adopt more business applications. Now companies dedicate 30% to 60% of their support desk calls to resetting passwords.

"Password reset is one of the highest support costs, especially in enterprise customers," Chik tells Dark Reading.

Consumers have grown more wary of cybercrime and are becoming aware of authentication's role in protecting their information.

"We all understand the need to have second-factor authentication in addition to passwords," she explains. "Even though that is understood as more secure, the challenge is users have a hard time dealing with multiple passwords for multiple services." A second factor, on top of password management, becomes overwhelming.

The primary reason multifactor authentication (MFA) has been slow to catch on is user friction, she says, and it's a struggle that organizations of all sizes are trying to work through. Adding a second factor on top of requiring a password could also increase support costs as businesses deploy new authentication policies.

As more people learn about and adopt passwordless authentication, they seem to prefer it. A Visa survey published earlier this year found 68% of US shoppers had left an online purchase because they forgot a password, had trouble logging in, or experienced issues getting a one-time password. More than half (53%) of credit-card holders who responded said they would switch banks if their current provider didn't have biometric authentication options. Two-thirds viewed these options as easier and faster than traditional passwords, researchers found. 

Employees are catching on to the passwordless trend.

"We have reached over 150 million unique users on a monthly basis using passwordless options as a way to authenticate against services and applications," says Chik of Microsoft and Azure Active Directory. It's a 50% jump in six months. Microsoft data shows the use of biometrics for work accounts is poised to double in 2010, as nearly 25% of companies already use or plan to deploy biometrics in the near future.

Microsoft's IT team adopted passwordless logins, Chik wrote, and now 90% of employees sign in sans passwords. As a result, the hard and soft costs of supporting passwords dropped 87%.

Abandoning Passwords? Factors to Consider
When considering new forms of authentication, Chik says its essential to keep a password replacement strategy in mind. She advises businesses to think through all the different factors, both primary and secondary, they plan to offer employees. If someone relies on a mobile authentication app and their device is lost or stolen, how will you replace their password so they can be productive? How will you backup data and restore it; what will be your fallback mechanisms? If an employee uses a security key, how will you ensure they are given two?

Security teams should think about their environments. Before they are provisioned with passwordless authentication, employees should go through a pilot program or proof-of-concept so they can test the technology before adopting it.

"That also reduces friction of the typical top-down IT mandate in terms of policies," Chik notes. Employees can test their options while satisfying the business requirement for stronger authentication practices.

Another important factor to consider is how the organization will remove passwords from legacy environments. Indeed, as more organizations brace themselves for a prolonged period of working from home, many are thinking about how their security practices will change.

"They need a new strategy of helping end users to be productive and have security at the same time," Chik says.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-19
IBM Resilient SOAR V38.0 could allow a privileged user to create create malicious scripts that could be executed as another user. IBM X-Force ID: 198759.
PUBLISHED: 2021-04-19
A Memory Corruption Vulnerability in Autodesk FBX Review version 1.4.0 may lead to remote code execution through maliciously crafted DLL files.
PUBLISHED: 2021-04-19
The user may be tricked into opening a malicious FBX file which may exploit a Null Pointer Dereference vulnerability in FBX's Review causing the application to crash leading to a denial of service.
PUBLISHED: 2021-04-19
A user may be tricked into opening a malicious FBX file which may exploit a Directory Traversal Remote Code Execution vulnerability in FBX’s Review causing it to run arbitrary code on the system.
PUBLISHED: 2021-04-19
A user may be tricked into opening a malicious FBX file which may exploit a use-after-free vulnerability in FBX's Review causing the application to reference a memory location controlled by an unauthorized third party, thereby running arbitrary code on the system.