Microsoft Expands Passwordless Sign-on to All Accounts

Microsoft for the past few years has been among the loudest vendors calling for a security future that doesn’t include passwords. In 2018, the software giant took the step of doing away with passwords for people signing into its Edge web browser, saying instead they could use a number of alternatives.

Since then, the company has steadily cast off the need for passwords for various accounts, and by May 2020, 150 million people had stopped using passwords. In March, Microsoft brought passwordless sign-in to commercial enterprises around the world.

Now the company is expanding the passwordless push to all Microsoft accounts. Users can choose among options such as the Microsoft Authenticator app, Windows Hello biometric technology, a security key compatible with the FIDO-2 (Fast Identity Online) standard, or a verification code that can be sent to a phone or email. This covers a range of applications and services, including Outlook, OneDrive and Microsoft Family Safety, and will be rolled out in the coming weeks.

Passwords are Unpopular

“Nobody likes passwords,” Vasu Jakkal, corporate vice president for security, compliance and identity at Microsoft, wrote in a blog post today. “They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives – from email to bank accounts, shopping carts to video games.”

In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally ‘reply all’ Than reset a password

People are “expected to create complex and unique passwords, remember them, and change them frequently, but nobody likes doing that either,” Jakkal wrote. “In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally ‘reply all’ – which can be monumentally embarrassing – than reset a password.”

Microsoft is not the only vendor to put passwords in its crosshairs. Other vendors, including Duo, Okta, Entrust, IBM and Thales, all offer password alternatives. Apple will let Safari browser users use Face ID and Touch ID to access websites and enables them to get services without passwords via the Passkeys protocol. Google automatically makes account holders use two-factor authentication.

Further reading: Best Password Managers & Tools for 2021

The Weakest Security Link

To Microsoft, the reasons for doing away with passwords are obvious, starting with the fact that they are the weakest link in the security chain and bad actors know it. Jakkal noted that there are 579 password attacks every second, or 18 billion a year. Repeating passwords, not changing them, and using default passwords make guessing passwords through “brute force” attacks easier.

The World Economic Forum in a statement last year noted that the global economy loses $2.9 million every second to cybercrime and that 80 percent of attacks are directed at passwords. A large company on average spends $1 million a year on password resets.

The push to shift from passwords to other methods of authentication makes sense, given how they are often the easiest to remember for users and thus the easiest to guess for hackers, according to Tyler Shields, chief marketing officer at security firm JupiterOne.

“Security has always been a balance of ease of use and security,” Shields told eSecurity Planet. “The cybersecurity vendor community must drive towards creating easy-to-use cybersecurity experiences that deliver an acceptable level of security to the technologies that the consumers demand. A good example of this is the move to single sign-on and passwordless authentication.”

Further reading: Top 10 Single Sign-On Solutions

Passwordless Slows Phishing Attacks

David Gochenaur, senior director of global cybersecurity at managed services provider Ensono, told eSecurity Planet that passwordless authentication will help thwart phishing attacks and protect credentials from hackers.

“With the set of credentials, the threat actor has full access to the resources the now-compromised user had access to,” Gochenaur said. “Removing the password as part of the authentication process handcuffs the threat actor in what unauthorized activities can be performed. Where previously, the actor could gain access to a device, move laterally across an organization and launch a ransomware attack, now the actor could be prevented from gaining that initial all-important foothold.”

That said, phishing attacks can still cause damage, he said, adding that a hacker while looking for credentials may “find information about corporate or personal bank accounts, credit card accounts and other personal or confidential business information. The actor does not need credentials to direct a user to a malicious website to gain information.”

Human Nature vs. Hacker Nature

Passwords are vulnerable for two reasons, Jakkal wrote. Users mostly create their own passwords, which have gotten increasingly complex to include symbols, numbers and case sensitivity. In addition, the system usually will not allow the use of previous passwords. Often users are asked to create updated passwords and forgetting them can cause a range of problems. Jakkal wrote that almost a third of people will stop using an account or service rather than deal with a lost password.

Instead, users create passwords they can remember, which rely on known and personal words and phrases. A Microsoft survey found that 15 percent of people use their pets’ names in passwords, with other common themes being family names and birthdays and other important dates. One in 10 people reuse passwords for multiple sites and 40 percent said they use a formula for passwords, like Fall2021 may become Winter2021.

Hackers have an easier time guessing such passwords, getting inspiration from a user’s social media. In addition, they have tools like automated password spraying – which tries many possibilities quickly – and phishing attacks. And when passwords are dumped on the dark web, it’s even easier to guess passwords for other accounts.

“Passwords are one of the easily compromised components within a company,” Mohit Tiwari, co-founder and CEO of security firm Symmetry Systems, told eSecurity Planet. “To mitigate risk, organizations should either establish a tight password policy or switch to a passwordless model, much like Microsoft is doing. The latter will be far more efficient.”

Even Multi-factor Can Be Hacked

The problem is that human behavior is predictable when it comes to passwords, which is why bad actors are still successful in most attacks targeting passwords even while using tools that are three decades old, according to Joy Chik, corporate vice president of identity at Microsoft. In addition, they only need to find a single password to breach an account and get into an organization’s environment.

The use of two-step verification – using a password and an additional security factor like a verification text – by the security industry over the past 10 years reduced the risk of compromise by 99.9 percent, Chik wrote in a blog post. However, she said, hackers already are finding ways around the second step, which means passwords remain vulnerable. She linked to a 2019 Microsoft blog post that noted that “virtually all authenticators in common use today – phones, email, one-time passcode (OTP) tokens, and push notifications – are vulnerable to relatively low-cost attacks involving takeover of the communication channel used for the authenticator (Channel-Jacking) or intercept-and-replay of authentication messages using a machine-in-the-middle (Real-Time Phishing).”

The next steps for Microsoft include eliminating passwords for Azure AD accounts, leaving it up to administrators to decide whether passwords are requested, allowed or don’t exist for a set of users. In addition, the users can choose whether to set a password when creating an account or to remove their password from an existing account, she said.

Further reading: 3 Tests to Ensure Zero Trust Network Security

Jeff Burt
Jeffrey Burt has been a journalist for more than three decades, the last 20-plus years covering technology. During more than 16 years with eWEEK, he covered everything from data center infrastructure and collaboration technology to AI, cloud, quantum computing and cybersecurity. A freelance journalist since 2017, his articles have appeared on such sites as eWEEK, eSecurity Planet, Enterprise Networking Planet, Enterprise Storage Forum, The Next Platform, ITPro Today, Channel Futures, Channelnomics, SecurityNow, and Data Breach Today.

Top Products

Top Cybersecurity Companies

Related articles