On October 13th, 2021 Microsoft changed the game by releasing Passwordless, a method of logging into your devices without using a password. But it went a step further than that, by removing passwords from your Microsoft account completely.
While it is a more convenient way of logging in, to me this appeared to be a step in the wrong direction. Back in April 2013 Microsoft first rolled out two-factor authentication to its user base, allowing users to hugely enhance their security by preventing logins with a password alone. A multi-factor login is the strongest form of account security, because the loss of any one factor on its own will not compromise the account. Passwordless, however, removes a factor.
I should mention here that we’re a Microsoft partner and we love their technological innovations. While this may be the case, it’s important to be vigilant and prepare for change.
The human problem
Microsoft has released this feature to help relieve humans from the burden of remembering passwords. Quoting Vasu Jakkal, the Corporate Vice President, Security, Compliance and Identity of Microsoft: “Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives”. They must have missed my video on password managers!
I fully agree that passwords are a pain, though they’re a good step towards preventing your accounts from becoming compromised. If you take care to avoid phishing scams, a long randomised password will be safer from other methods of attack. If you store it in a password management system, you don’t need to remember it either. Plus there’s two-factor authentication to increase your security further.
By creating Passwordless, you could infer that Microsoft would rather give in to users’ desire for ease of use than teach them to be more secure and savvy in their technical habits.
Who is this aimed at?
While users at home will revel in the experience of no longer needing a password, they’re possibly the most at risk. With only a single factor now standing between an attacker and their account, phishing attacks on uneducated users become easier. I’d say the age-old ‘never share your password with anyone’ has been around long enough to sink in, but now?
Let’s play this out. You’re at home. You’re told by a person on the phone that they’re a Microsoft engineer. They simply need a two-digit number from you in order to authenticate who they’re talking to, or they just need you to use your fingerprint scanner. Boom. Your accounts are lost to a scammer. Without that instinct to protect your password, you may not realise until too late that the activity is malicious. Hopefully you won’t fall victim to such a scam, as you’re reading a tech blog after all, but not everyone is interested in tech.
If Microsoft are bringing about easier ways for uneducated users who don’t have password managers to log in, they should also be raising more awareness that this is a one-stop shop for an account to be broken into. What they’re certainly not sharing is that this is an attempt to lock users into using Microsoft Authenticator, as this service doesn’t work with any other two-factor authentication app.
Within a business environment, I’d want to see two-factor authentication remain the standard. You would expect an organisation of substantial size and technological understanding to have a password manager for its users. Not all applications have a passwordless feature, and most won’t for some time. I think it’s unacceptable to reduce a user’s security down to one factor for ‘ease of use’ and to save them 10 seconds of logging in a day.
Was it the right move?
I’ve given the service a lot of flak throughout this article, which I believe to be justified. There are, however, some positives. Microsoft is attempting to move the world away from an older way of thinking, towards a new age of digital security and authentication. A brave move, as attempting to make change can backfire and attract controversy within the industry.
While I believe a better move would be to educate users on the importance of password management and security, removing passwords is a response that achieves a similar impact. You remove the problem of poor passwords: those based on a pattern, a formula or a pet’s name. You do, however, end up with a problem similar to the one you had with passwords: a lack of education about the vulnerabilities of the new system.
If Microsoft had taken the stance of providing awareness for all ecosystems, it would have had a greater impact. Their approach caters solely to users associated with Microsoft, and also requires them to use Microsoft Authenticator. With their resources they could also have created a password management system to license within the M365 suite, enhancing the security of all of their users’ applications.
One focus Microsoft has made with Passwordless is educating users on the importance of biometric authentication, which is hugely important for the ongoing development of authentication applications. While this education is important, I would like to see biometrics become a more common second factor of authentication, rather than the only one.
Would you like to hear more about cyber security?
We’re always keen to educate ourselves and others on the ever-growing world of cyber security. If you have any questions related to this blog, or any questions about cyber security in general, we’d love to hear them! Email us at email@example.com or give us a call on 01252 933633. Alternatively you can put yourself into my calendar here!