Almost every cyberattack report mentions user credentials and passwords being stolen and sold on dark web forums. Whether the attack is ransomware, malware or phishing, stolen passwords are at its core. Microsoft, which has one of the largest user bases, has announced that you will no longer need a password to access your Microsoft account.
Microsoft had rolled out this initiative earlier, in March 2021, as a pilot for its enterprise users to adopt alternative secure authentication methods and discontinue the use of passwords.
It recommends alternative authentication options such as:
- Security keys
- Verification codes sent via email or SMS
- The Windows Hello biometrics system
- The Microsoft Authenticator mobile app.
The ability to sign in without a password has long been anticipated and was one of the most widely requested asks from Microsoft’s enterprise customers. With brute-force attacks now the order of the day, and billions of user records and passwords being shared online, system administrators and security teams have been grappling with how to improve the security hygiene of their organizations.
Vasu Jakkal, Corporate Vice President, Security, Compliance and Identity at Microsoft, shared that by going “passwordless” with Microsoft, consumers can have more convenient and secure access to their favorite apps and services like Outlook, OneDrive, Family Safety and more.
Windows Hello, the Microsoft Authenticator app, SMS or email codes, and physical security keys each provide a more secure and convenient sign-in method.
A YouGov survey commissioned by Microsoft found that 30% of people preferred to stop using an account or service rather than go through the process of a password reset. In the same survey, it was disclosed that the inability to remember a password is the number one password problem for one-third of the respondents.
Password Conundrum
As per The Record, Microsoft is currently seeing a whopping 579 password attacks every second, amounting to 18 billion every year. Jakkal blamed the situation on today’s authentication conundrum: users struggle to remember account passwords and, for convenience, reuse the same password across multiple accounts or pick simple passwords such as a pet’s name, a birthday, a family name or 123456 — easy to remember and equally easy for attackers to guess.
Bret Arsenault, Chief Information Security Officer (CISO) at Microsoft, says, “Hackers don’t break in, they log in.”
The password problem has been attributed primarily to human nature. As passwords become more complex to reduce exposure risk, they also become harder to memorize and to manage across platforms. This has direct ramifications for the business as well: users prefer to abandon an account altogether rather than go through a password reset, which translates into customer loss. Most users continue to rely on simple combinations that are easy to remember and shared across accounts. Attackers, in turn, find these combinations easy to crack and sell the stolen credentials on the dark web.
Passwords have for years been the most common and important layer of security and authentication in digital life. The Microsoft announcement is a welcome change, but how fast and how error-free adoption will be is yet to be ascertained. It will be interesting to watch how threat actors react to this feature, whether they find a workaround to keep exploiting weaknesses in authentication, and what they will hold for ransom instead.
How to Go Passwordless
Quick steps:
- Ensure you have the Microsoft Authenticator app installed and linked to your personal Microsoft account.
- Next, visit your Microsoft account, sign in, and choose Advanced Security Options.
- Under Additional Security Options, you’ll see Passwordless Account. Select Turn on.
- Follow the on-screen prompts, and then approve the notification from your Authenticator app.
- Once you’ve approved, you’re free from your password!
And, in case you prefer to use a password, you can always add it back to your account.