By Devon Warren-Kachelein
Fri | Sep 17, 2021 | 9:21 AM PDT

Fast-forward a decade from now and imagine teaching emerging cybersecurity professionals about an obsolete thing called a password.

Maybe you'll even talk about the day that Microsoft announced the ability to go passwordless. And that day just happened.

Part of the reason is what you might call the human factor.

Password problems because of the human factor

Manual and annoying for as long as anyone can remember, passwords were nonetheless a key technology from the early digital age onward, protecting servers, accounts, and eventually email.

Except there was a problem. Passwords were repeatedly proven ineffective because people forgot them, hackers stole them, and programs guessed them.

Microsoft sees the troubling password landscape like this:

Graphic depicting how new passwords that are secure enough are hard to remember.

Graphic depicting how a new password that is easy to remember is not secure enough.

Microsoft's latest move to turn off passwords, however, may indicate passwords are headed the way of cassette tapes, Betamax, and rotary telephones.

A pilot project started in March 2021. Now, it is available to any user with a Microsoft account.

Evolving technology reduces reliance on passwords

It's not surprising Microsoft has worked towards a passwordless world. Bill Gates himself began talking about the death of the password back in 2004.

Almost 100% of organizations today are largely embracing two-step or multi-factor authentication (MFA) and ditching passwords. In 2020, a study by LastPass said 92% of those polled believed passwordless solutions were the future for their organization.

Still, 85% of those polled did not believe passwords were going away completely.

Even if passwords don't completely disappear (and there are still password purists), MFA can limit or eliminate the need to remember complex passwords and significantly reduce the chances of a successful account takeover.

"Hackers don't break in, they log in," says Microsoft CISO Bret Arsenault.

Microsoft blog post: Introducing password removal for Microsoft Accounts

Joy Chik, Microsoft's Corporate Vice President of Identity, blogged about developing the ability for passwordless log-in. She said human predictability is one of the top reasons bad actors can access accounts, even if they are using outdated technology.

"Since attackers only need a single password to breach an account and start infiltrating an organization, it's alarming that one in 100 people 'protect' a critical account with easily guessed passwords. The most common passwords from 2011, such as 123456, abc123, and iloveyou, are still on the list of top 20 (worst) passwords!"

Chik believes cutting out passwords and using the new verification method could reduce the risk by up to 99.9%.

How does it work and is it trustworthy?

Microsoft's model relies on downloading its app for authentication. Some users reported mostly positive experiences, while others were concerned about the security of relying on a mobile phone application for log-in.

Other feedback online included suggestions for improving the authentication methods.

Either way, Microsoft is taking a step forward into a passwordless reality. Share your thoughts on potential threats and problems you see in the comments below.

This is how to turn off your Microsoft password

Microsoft is already inviting users to try going passwordless. Below, find an easy breakdown to try it out at your organization.

  1. Download the Microsoft Authenticator app onto your device. From there, make sure it is linked to your Microsoft account. You will also need to set up security info on your mobile to receive a text message or phone call. Find additional instructions here.
  2. Sign in to your Microsoft account, then choose Advanced Security Options > Passwordless Account > Turn On.
  3. Follow the prompts on your screen and approve the notification from your Authenticator app.

That's all it takes. 

Learn more about a passwordless future at our SecureWorld Rockies virtual conference, where Rhett Saunders, Director of Cybersecurity and Compliance and a SecureWorld Advisory Council member, will speak on this topic.
