
What does Microsoft’s move mean for passwords?

The FIDO Alliance (Fast Identity Online Alliance) recently awarded FIDO2 certification to Windows Hello, the biometric and PIN sign-in system built into Windows 10. With this certification, Windows devices can use Windows Hello (facial recognition, fingerprint or PIN) as a FIDO2 authenticator, alongside external FIDO2 security keys, to sign in to the device itself and to websites that support the standard.

While this news is Microsoft focused, it's part of a broader push to deprecate reliance on passwords for online authentication. FIDO2 is a set of authentication standards (the W3C WebAuthn API plus the FIDO Client to Authenticator Protocol, CTAP) that replace passwords with public-key credentials: a private key stays on the device or security key, the website stores only the matching public key, and a biometric or PIN unlocks the key locally so it can sign a challenge from the site. The long-term hope is that this proves more secure than passwords and makes users less susceptible to phishing (the signature is bound to the site's origin, so a look-alike site gets nothing it can replay), to passwords stolen by keystroke loggers, and to other frequent attacks on reusable secrets.

In the Windows Hello FIDO2 certification press announcement, Yogesh Mehta, group manager for crypto, identity and authentication in Azure Core OS, wrote: “No one likes passwords (except hackers). People don’t like passwords because we have to remember them. As a result, we often create passwords that are easy to guess—which makes them the first target for hackers trying to access your computer or network at work.”

That’s certainly all true. And it’s why the move to rid passwords from the authentication process is welcomed by many, and won’t stop with Microsoft’s efforts. Back in 2015, the FIDO Alliance contributed its FIDO 2.0 specifications to the World Wide Web Consortium (W3C), which developed them into what’s called WebAuthn (Web Authentication). WebAuthn enables users to authenticate to websites, services and mobile apps using an authenticator other than a password: either a platform authenticator built into the device, such as Windows Hello, or a roaming one such as a USB or NFC security key.

This means websites that don’t already support it can add passwordless, biometric-backed login through one standard browser API rather than a vendor-specific integration; WebAuthn became a W3C Recommendation in March 2019 and Chrome, Firefox and Edge already implement it.

As for the recent Microsoft announcement, Microsoft users should be able to use Windows Hello to log onto Office 365, Outlook, Skype and other Microsoft services.

Does this mean we are on the brink of a universe free of passwords? Not anytime soon.

First, enterprises, and the services they rely on, would all have to adopt FIDO2 and its various implementations. Second, all of these systems keep a fallback authenticator, and Windows Hello is no different. And these fallbacks are typically what? You got it: passwords. Windows Hello falls back to a PIN. That PIN is better than it sounds (it is bound to the device and, where a TPM is present, it unlocks a key held in hardware, so a stolen PIN is useless without the machine it belongs to), but the account password behind it still exists and still works. While many users will be using their face to authenticate to their devices, they will still have a password lurking in the background, and that password remains a target for phishing and credential theft until the services themselves stop accepting it.


*** This is a Security Bloggers Network syndicated blog from Cybersecurity Matters – DXC Blogs authored by Cybersecurity Matters. Read the original post at: https://blogs.dxc.technology/2019/06/12/what-does-microsofts-move-mean-for-passwords/
