Fast-forward a decade from now and imagine teaching emerging cybersecurity professionals about an obsolete thing called a password.
Maybe you'll even talk about the day that Microsoft announced the ability to go passwordless. And that day just happened.
Part of the reason is what you might call the human factor.
Password problems because of the human factor
For a long time passwords were manual and annoying, but from the early digital age onward they were a key technology for protecting servers, accounts, and eventually email.
Except there was a problem. Passwords were repeatedly proven to be ineffective: people forgot them, hackers stole them, and programs guessed them.
Microsoft sees the troubling password landscape like this:
Microsoft's latest move to turn off passwords, however, may indicate passwords are headed the way of cassette tapes, Betamax, and rotary telephones.
A pilot project started in March 2021. Now, it is available to any user with a Microsoft account.
Evolving technology reduces reliance on passwords
It's not surprising Microsoft has worked towards a passwordless world. Bill Gates himself began talking about the death of the password back in 2004.
Almost 100% of organizations today are embracing two-step or multi-factor authentication (MFA) and moving away from passwords. In 2020, a study by LastPass said 92% of those polled believed passwordless solutions were the future for their organization.
Still, 85% of those polled did not believe passwords were going away completely.
Even if passwords don't completely disappear (and there are still password purists), MFA can limit or eliminate the need to remember complex passwords and significantly reduce the chances of hacking.
"Hackers don't break in, they log in," says Microsoft CISO Bret Arsenault.
Joy Chik, Microsoft's Corporate Vice President of Identity, blogged about developing the ability for passwordless log-in. She said human predictability is one of the top reasons bad actors can access accounts, even if they are using outdated technology.
"Since attackers only need a single password to breach an account and start infiltrating an organization, it's alarming that one in 100 people 'protect' a critical account with easily guessed passwords. The most common passwords from 2011, such as 123456, abc123, and iloveyou, are still on the list of top 20 (worst) passwords!"
Chik believes cutting out passwords and using the new verification method could reduce the risk by up to 99.9%.
How does it work and is it trustworthy?
Microsoft's model relies on downloading its app for authentication. Some users were mostly positive, while others were concerned about the security of relying on a mobile phone application for log-in.
Errmm.. None of you ever lost your phone? How would I log in without my Phone (either stolen, lost or damaged)? Can somebody with just my phone log in?— Sebastian P. (@Dunnowhatname) September 16, 2021
I'd still prefer to have passwords (maybe inside a password safe) and 2-factor auth.
Other feedback online suggested ways to improve the authentication methods.
Great vision, I don't like passwords. But I feel like authenticator is not a perfect solution. I think adding biometrics like fingerprints is the way to go! It is easier for end users of any skill set. But Microsoft is not known for making things easier for the end user like Apple.— Sant Sipahi (@SantSipahi6) September 16, 2021
Either way, Microsoft is taking a step forward into a passwordless reality. Share your thoughts on potential threats and problems you see in the comments below.
This is how to turn off your Microsoft password
Microsoft is already inviting users to try going passwordless. Below is an easy breakdown for trying it out at your organization.
- Download the Microsoft Authenticator app onto your device and make sure it is linked to your Microsoft account. You will also need to set up security info on your mobile so you can receive a text message or phone call. Find additional instructions here.
- Sign in to your Microsoft account, then choose Advanced Security Options > Passwordless Account and select Turn On.
- Follow the prompts on your screen and approve the notification from your Authenticator App.
That's all it takes.
Learn more about a passwordless future at our SecureWorld Rockies virtual conference, where Rhett Saunders, Director of Cybersecurity and Compliance and a SecureWorld Advisory Council member, will speak on this topic.