
Microsoft Just Changed the Password Game. They just went Passwordless.

  • Writer: Ray Alner
  • 4 days ago
  • 3 min read

What did Microsoft do?

Microsoft did something I’ve been hoping they’d do for a while. They finally went passwordless.

What does this mean for new users?

Instead of typing in that dreaded password, you will finally be able to set up your account with no password at all. No more dreaded “remember this” or “save that”.

Supposedly, Microsoft says it will change the success rate of people getting into their accounts from 32% to 98%. This is huge for people who don’t use password managers and struggle to remember what combination of letters and words they used to get into their account, then faff about with a text code or MFA number. Bing bang boom, you’re in with the click of a button and a face scan from your phone.

The Pros & Cons of going Passwordless

Now, there are a few pros and cons I want to address; let’s start with the good things.

Pros

  • Remembering Passwords - You no longer need to remember your passwords! That’s a win in and of itself. The number of times I, and the industry as a whole, have worked with people who have forgotten their passwords is not insignificant. General reports show that between 30% and 40% of IT calls are password resets.

  • Removing, not Replacing Passwords - Other security methodologies, like MFA, added factors rather than removing them. This specifically removes a method of logging in and replaces it with something more secure, device-level authentication, with the added benefit of biometric login, improving both security and non-repudiation.

Cons

  • Changing Devices - I’ve had my share of changing devices, and let me tell you, if it’s anything like the way Microsoft Authenticator MFA is set up, then we have a problem. Moving MFA codes between devices, specifically with Microsoft, can really hamper productivity. It requires you to set up every account again in the new Authenticator app, significantly undercutting the benefit and simplicity going passwordless would otherwise have.

  • App-Specific Passwordless Login - I use a password manager. I like the password manager, but Microsoft now requires me to use Microsoft Authenticator to log in, adding to the myriad of apps I need to manage my passwords. If every company did it this way, have we really solved passwords, or just pushed the complication back to the user with a myriad of apps we now have to remember? Don’t get me started if I have to re-verify with every new device in every authenticator app each company creates.

How do I change my account to passwordless?

Microsoft has required all new accounts to go passwordless. Good news for everyone creating a new account.

How do you do it? Well, it’s probably the least painful method of setting up passwords or factors I’ve been involved with.

You can follow the steps here to set up passwordless login. Do it this way; Microsoft’s own instructions miss some important steps that I think ZDNet’s guide successfully covers.

The Future of Passwords

Yes, passwords are dying. Good riddance, too. Asking people to remember a string of letters and numbers was never a good thing.

Notably, using a strong password and maintaining good password hygiene (like using a password manager) already solves some of the problems passwordless is trying to solve, like preventing brute-force attacks. But we still have to solve for the large percentage of users who use “password123” as their password. Those are habits security experts can’t fix without changing methodologies.

Because the industry is moving towards simplicity for the user (which is a good thing), we must consider the other attack vectors that users now need to be aware of.

Instead of watching for a phishing email that may weasel your password out of you, you now need to be on the lookout for polymorphic browser extensions, which are a potential attack vector against your business or personal accounts.

Simple login methods breed simple attack vectors.

Complex login methods increase the pressure on app developers and security experts to ensure their technology is secure.

It’s a good thing when you have a strong core of security experts monitoring and improving a company’s frictionless security methods. It’s another when the team of security experts only has enough time to react to events, rather than being proactive in reducing threat actors’ ability to get into user accounts. When security improvements are considered a “cost center” or “an IT problem” with little impact on the bottom line, companies will gladly push security issues onto the customer, while still underfunding SOCs in the hope they can avoid any security incident by sheer will and good luck.
