Bill Gates famously predicted the death of the password back in 2004 saying traditional password-based security couldn’t meet the challenge of keeping critical information secure. Seventeen years down the track and in the midst of a pandemic which has seen both remote work and cyberattacks explode, many are still on that journey.
The way we authenticate is outdated and vulnerable and there are plenty of reasons why we need to move to more modern authentication methodology:
Attackers love passwords, and passwords are under constant attack. Verizon's Data Breach Investigations Report found that 81% of hacking-related breaches involved stolen or weak passwords.
Users hate passwords. Alphanumeric passwords are hard to remember and we have too many of them, so it is no surprise they are frequently reused: Microsoft says up to 73% of passwords are duplicates, and a Google study found 13% of people reuse the same password across all their accounts.
IT hates passwords too, because of the administrative overhead: Gartner estimates that between 20% and 50% of all help desk calls are password resets.
I have a catch cry: Complexity is the arch enemy of security. As security professionals we have to balance security and functionality. We can make systems extremely secure, but make them too complex and users will find a way to circumvent them.
A boardroom with a 16-digit PIN and a fingerprint scanner on the door is very secure, but it is not very functional, and someone is going to take a chair and jam that door open.
Microsoft is on a mission to get everyone to move passwordless to address the issue of secure, yet functional, authentication, and that mission continues with Windows 11.
Microsoft has taken some criticism for Windows 11's seemingly high hardware requirements, but viewed in the context of a passwordless future they make sense. The key requirement is the Trusted Platform Module (TPM 2.0), a hardware security chip that generates and holds cryptographic keys in a way that prevents them from being read out of the machine, even by malware running with administrator rights. Note that the TPM does not store your biometrics: the face or fingerprint template stays encrypted on the device and is only ever used locally to decide whether to release the key.
When you sign in, the biometric match (or your PIN) happens on the device and unlocks a private key that the TPM uses to sign a challenge issued by the cloud. The cloud holds only the corresponding public key, registered when the device was enrolled, and checks the signature against it. The private key never leaves the TPM. It's not sending your biometrics to the cloud. It's not sending a password to the cloud. The only thing on the wire is a signed assertion, over a fresh challenge, that you hold the key you enrolled with; there is no secret to phish and nothing to replay.
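The exchange described above, as an added example that is not part of the original article or of any Microsoft code: a device-held signing key stands in for the TPM-protected Windows Hello key (Ed25519 here; Windows Hello itself uses RSA keys and Azure AD's own nonce and message formats, so the algorithm and wire format are assumptions), a local PIN check stands in for the biometric match, and a small identity-provider type plays the cloud. Nothing but the public key at enrolment and a signature over a fresh nonce at sign-in ever crosses the "network".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models the client side. The private key is created inside the
// struct and never returned; the only operation exposed is signing a
// challenge after a local "user gesture" (PIN or biometric) succeeds.
// This mimics the TPM: keys are used in place, never exported.
type Device struct {
	priv     ed25519.PrivateKey // never leaves the device
	localPIN string             // stands in for the locally stored biometric template
}

// NewDevice enrols a device: the key pair is generated on the device and only
// the public key is handed out for registration with the cloud.
func NewDevice(pin string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv, localPIN: pin}, pub, nil
}

// SignChallenge is the only message the device sends at sign-in: a signature
// over the server's nonce. The gesture is checked locally and never transmitted.
func (d *Device) SignChallenge(gesture string, challenge []byte) ([]byte, error) {
	if gesture != d.localPIN {
		return nil, errors.New("local gesture failed; key not released")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// IdP models the cloud identity provider. It holds only public keys and the
// outstanding single-use challenge for each user; there is no secret to steal.
type IdP struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewIdP() *IdP {
	return &IdP{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public key sent at enrolment.
func (c *IdP) Register(user string, pub ed25519.PublicKey) { c.keys[user] = pub }

// Challenge issues a fresh random nonce for a registered user.
func (c *IdP) Challenge(user string) ([]byte, error) {
	if _, ok := c.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	c.challenges[user] = nonce
	return nonce, nil
}

// Verify checks the signature against the registered public key and consumes
// the nonce, so a captured signature cannot be replayed.
func (c *IdP) Verify(user string, sig []byte) bool {
	nonce, ok := c.challenges[user]
	if !ok {
		return false
	}
	delete(c.challenges, user) // single use
	return ed25519.Verify(c.keys[user], nonce, sig)
}

// Login runs one complete sign-in exchange and reports whether it succeeded.
func Login(idp *IdP, dev *Device, user, gesture string) bool {
	nonce, err := idp.Challenge(user)
	if err != nil {
		return false
	}
	sig, err := dev.SignChallenge(gesture, nonce)
	if err != nil {
		return false
	}
	return idp.Verify(user, sig)
}

func main() {
	dev, pub, err := NewDevice("1234") // constructed sample enrolment
	if err != nil {
		panic(err)
	}
	idp := NewIdP()
	idp.Register("alice@example.com", pub)
	fmt.Println("correct gesture:", Login(idp, dev, "alice@example.com", "1234"))
	fmt.Println("wrong gesture:  ", Login(idp, dev, "alice@example.com", "0000"))
	nonce, _ := idp.Challenge("alice@example.com")
	sig, _ := dev.SignChallenge("1234", nonce)
	fmt.Println("fresh signature:", idp.Verify("alice@example.com", sig))
	fmt.Println("replayed:       ", idp.Verify("alice@example.com", sig))
}
```

Two properties worth noticing: a wrong gesture fails on the device before anything is sent, so the cloud never sees a failed biometric attempt or the biometric itself; and because the nonce is consumed on first use, a signature captured from the network is worthless to an attacker, which is exactly what a password or SMS code cannot offer.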
The journey to passwordless
The journey starts with implementing Azure Active Directory or some type of cloud authentication.
Next comes multi-factor authentication (MFA). Now when you sign in to the cloud you also get a prompt on your phone to confirm that it really is you. According to Microsoft, enabling MFA mitigates 99% of common password attacks.
But your password is still a shared secret, held on the server as well as in your head, and a shared secret can be stolen from either end. An SMS code is also a weak second factor: it travels over the carrier network in the clear, can be intercepted or redirected by a SIM swap, and can be phished just like a password. For a high-security environment there are three options that give you a choice of standards-based passwordless authentication:
Windows Hello, introduced in 2016, lets you sign in securely with your face, your fingerprint or a PIN that is bound to the device and backed by the TPM.
The Microsoft Authenticator app is a step up from a text message because it relies on the phone itself authenticating you. It requires you to register the app with your account in Microsoft's cloud, which enables MFA push notifications and passwordless phone sign-in.
Then there is FIDO2, the open standard for passwordless authentication, which comes in the form of a hardware security key (USB, NFC or Bluetooth) that holds its own private key and signs the cloud's challenge in the same way the TPM does.
5 steps to make your cloud secure