To password or not to password? The debate has raged for years now with no clear winner. But there may be a little more ‘oomph’ behind the passwordless side this week after Microsoft said users can now “completely remove” passwords from their Microsoft accounts.
That’s right, completely. And with that announcement, the tech giant made good on a promise it made last spring to bring passwordless authentication to the masses. Telling users they can now safely step away from passwords, Vasu Jakkal, corporate vice president of security, compliance and identity at Microsoft, then urged them to use the Microsoft Authenticator app, Windows Hello, a security key or a verification code sent to their phone or email to sign in to apps and services like Microsoft Outlook, Microsoft OneDrive and Microsoft Family Safety. “This feature will be rolled out over the coming weeks,” he promised in a blog post.
Passwords clearly are vulnerable. Part of the problem, of course, Jakkal said, is just human nature—the inability to remember or create ones complex enough to thwart the other part of the problem—“hacker nature.” Hackers can often guess a password simply by viewing a user’s social media profile, then use “relatively unsophisticated” tactics that “have been in play for decades,” but that still work.
“Passwords are one of the easily compromised components within a company,” said Mohit Tiwari, co-founder and CEO at Symmetry Systems. “To mitigate risk, organizations should either establish a tight password policy or switch to a passwordless model, much like Microsoft is doing. The latter will be far more efficient.”
Jakkal said he was amazed at the number of people in a recent survey—one-third—who said they would “completely stop using an account or service rather than dealing with a lost password.”
But Tyler Shields, CMO at JupiterOne, noted, “Security has always been a balance of ease of use and security. The cybersecurity vendor community must drive towards creating easy-to-use cybersecurity experiences that deliver an acceptable level of security to the technologies that the consumers demand.”
That users are willing to abandon accounts because they don’t want to deal with a lost password, Jakkal said, “is not only a problem for the person stuck in the password cycle, but also for businesses losing customers.” Microsoft’s push to go passwordless, therefore, is not simply rooted in improving security but also in supporting the business proposition.
But Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, clarified, “We are not really living in a passwordless world. Consider it more of a ‘less-password-interaction world,’ as passwords will continue to exist. It is about how users will interact with them less moving forward.”
Noting that “‘passwordless’ is sometimes a misleading term,” Carson added, “In reality, it is all about fewer password interactions and helping move them to the background, reducing both password pain and cyber fatigue.”
Authentication, he said, “is still happening; however, it is becoming more contextual.”
Shields favors a move to single sign-on and passwordless authentication. “Users have failed to maintain proper passwords for decades; that will never change, so innovation must build an easy-to-use alternative that provides appropriate security with a much better user experience,” he said, urging enterprises to find the right balance of technology innovation alongside security for traditional models.
“Frankly, passwords are the most misused line of defense in cybersecurity. Words are only better than randomized passwords because they can be easily remembered, instead of being written down,” Shields said. “The trade-off is that the password itself is simplified and easier to guess. My recommendation is to get rid of passwords completely.”