Has the end of passwords arrived? Microsoft thinks so


Passwords, especially weak ones, lead to ID theft and fraud. Microsoft has taken the first steps towards a passwordless future, initially for enterprise users, but consumers can also use it.

What is a password? Commonly it is a mix of at least six upper/lower-case letters, numbers, and symbols. Many use the same password for their online accounts, video/audio/game accounts, banking, phones and PCs. Most use memorable passwords with meaning to them – a pet's name, birthdate, address and so on. And cybercriminals love that because all these meaningful things are stored in your dark web profile waiting for AI to make a connection and steal your ID.

To generalise, a brute force attack cracks any dictionary word in seconds. Let’s say your name and password is Darryl. Add some case changes, numbers and symbols and voila, D@rryl*2021 can take years to brute force. However, cybercriminals are cognisant of vowel substitution like @ replacing A, € replacing E and 1 replacing I, and too many people use * and a year, so that is not the best password.
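
To show why D@rryl*2021 is weaker than it looks, here is an added example (not from the original article) of a check a sign-up form could run before accepting a password. It undoes the substitutions named above and strips a symbol-and-year tail, then compares what is left with words tied to the user. The word list and the extra substitutions (0, 3, $, !) are assumptions made for the example.

```python
import re

# Substitutions the article names (@ for a, € for e, 1 for i), plus a few
# other common ones added here as an assumption (0, 3, $, !).
SUBSTITUTIONS = str.maketrans(
    {"@": "a", "€": "e", "1": "i", "0": "o", "3": "e", "$": "s", "!": "i"}
)

# A tail such as "*2021": optional symbols, a year 19xx/20xx, optional symbols.
YEAR_TAIL = re.compile(r"[^A-Za-z0-9]*(?:19|20)\d{2}[^A-Za-z0-9]*$")


def base_word(password: str) -> str:
    """Reduce a decorated password to the word it was built from."""
    stripped = YEAR_TAIL.sub("", password)            # drop the year tail first
    return stripped.translate(SUBSTITUTIONS).lower()  # undo swaps, fold case


def findings(password: str, known_words: set[str]) -> list[str]:
    """Return the reasons a password is predictable (empty list if none found)."""
    issues = []
    if YEAR_TAIL.search(password):
        issues.append("ends in a symbol-and-year pattern")
    if base_word(password) in {w.lower() for w in known_words}:
        issues.append("built on a known word")
    return issues


if __name__ == "__main__":
    # Constructed sample: the user's first name plus one dictionary word.
    words = {"Darryl", "password"}
    for candidate in ("D@rryl*2021", "p@$$w0rd", "correct horse battery staple"):
        print(candidate, "->", findings(candidate, words) or "no findings")
```

An empty result only means these two patterns were not found; it does not prove the password is strong.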

What are the alternatives to passwords?

In a word, biometrics – be it a fingerprint, your real-time image, retina scan, or DNA. All will become common. But that means the world needs standards so you can use biometrics to log into everything. And yes, a criminal could hack off your finger to log in, so it is not foolproof.

Who is driving the passwordless future?

The Microsoft Intelligent Security Association (MISA) is an ecosystem of security partners who have integrated their solutions with Microsoft to defend against increasingly sophisticated cyber threats. Four MISA members—YubiKey, HID Global, Trustkey, and AuthenTrend – stood out for their efforts in driving passwordless technology adoption across industries.

For example, Yubico created the passwordless YubiKey hardware to help businesses achieve the highest level of security at scale. We will be reviewing that soon.

This is initially about accessing your Microsoft account or Microsoft apps. It will take time before it can access more third-party accounts.

Google and Apple are working on similar projects too.

What about consumers?

Currently, Microsoft Authenticator App for Android and iOS is more business-focused as it also controls access to business/government/school accounts that use Microsoft Azure Cloud and Active Directory. It is also only for your Microsoft account and Microsoft Office, Outlook, and Teams apps.

Microsoft urges consumers first to enable Windows Hello on their PC – face (if supported), fingerprint (if supported), a USB security key, or multi-factor authentication such as a push notification to a smartphone.

Once consumers are happy with Windows Hello, they can load Microsoft Authenticator to remove passwords from the account and go passwordless.

GadgetGuy’s take

We love the concept, but it is not ready for widespread use yet outside the Microsoft world.

There are privacy issues when you step outside the MS, Google or Apple world as a single login can track your every move. In that case, a good password manager may be better to maintain your privacy.

It is an ongoing issue, and we will keep on top of it for readers.