In a recent interview with CNBC, Microsoft’s Corporate Vice President and Chief Information Officer, Bret Arsenault, signalled the corporation’s move away from passwords on their own as a means of authentication, towards biometrics and a “passwordless future”.
Passwords – not enough on their own
Many of us are now used to two-factor authentication, e.g. receiving a code via text or using apps such as Google Authenticator, as a more secure way of using passwords. Mr Arsenault also notes that hacking methods such as “password spraying”, where attackers attempt to access large numbers of accounts at once using some of the most commonly used passwords, are still effective and highlight the weakness of relying on passwords alone. Mr Arsenault highlights how damaging this can be for businesses, where a hacker can get password/employee identities and use them to gain access to a whole network. This is one of the reasons why many businesses, including Microsoft, are moving away from the whole idea of passwords.
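As an added illustration (not from the interview or from Microsoft), the Python sketch below shows how a defender might spot the spraying pattern described above in sign-in logs: one source failing against many different accounts with only a few tries each, unlike a single user mistyping a password. The log format, addresses, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2019-05-01T09:00:01 203.0.113.7 alice FAIL
2019-05-01T09:00:09 203.0.113.7 bob FAIL
2019-05-01T09:00:15 192.0.2.15 bob FAIL
2019-05-01T09:00:17 203.0.113.7 carol FAIL
2019-05-01T09:00:26 203.0.113.7 dave OK
2019-05-01T09:00:31 192.0.2.15 bob OK
2019-05-01T09:00:34 203.0.113.7 erin FAIL
2019-05-01T09:00:42 203.0.113.7 frank FAIL
2019-05-01T09:01:00 198.51.100.20 alice FAIL
2019-05-01T09:01:05 198.51.100.20 alice FAIL
2019-05-01T09:01:09 198.51.100.20 alice FAIL
"""

def parse(log):
    """Turn log text into time-ordered (time, source, account, result) tuples."""
    rows = [line.split() for line in log.splitlines()]
    return sorted((datetime.fromisoformat(r[0]), r[1], r[2].lower(), r[3])
                  for r in rows if len(r) == 4)

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_tries=2):
    """Map each spraying source to the accounts it failed against: many distinct
    accounts inside one window, but only a few tries per account."""
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            tries = defaultdict(int)
            for _, user in fails[start:end + 1]:
                tries[user] += 1
            if len(tries) >= min_accounts and max(tries.values()) <= max_tries:
                flagged[src] = sorted(tries)
                break
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts that a flagged source logged in to successfully."""
    return sorted({user for _, src, user, result in events
                   if result == "OK" and src in flagged})
```

A per-source check like this misses spraying spread across many addresses, so the same counting is usually repeated per password-failure pattern or per target application as well.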
Setting example – biometrics
Microsoft is one of the most-attacked companies in the world, and this, combined with reports of the billions of password hack incidents worldwide, has driven the company to move beyond passwords.
For example, 90% of Microsoft’s 135,000 workforce can now log into the company’s corporate network without passwords using biometric technology such as facial recognition and fingerprint scanning via apps such as ‘Windows Hello’ and the ‘Authenticator’ app.
Also uses federated cybersecurity
In addition to rejecting passwords for biometrics, Microsoft uses a federated cybersecurity model. This means that each Microsoft product has its own head of cybersecurity and that ethical hackers are actively encouraged to attack the company’s networks and products to test for flaws.
Scrapping password expiration policies
Microsoft has announced it is scrapping its password expiration policies in Windows 10, arguing that password expiration is an out-of-date method of data protection. Users will now effectively be forced to update their passwords every few months once the Windows 10 May 2019 Update has been rolled out.
Other tech companies moving away from passwords
Other tech companies moving away from passwords towards biometrics and other methods include Google, which has been testing USB key fobs which plug into customers’ computers and provide a second factor of authentication, and Cisco, which acquired dual-factor authentication start-up Duo in 2018.
What does this mean for your business?
As Microsoft points out, multi-factor authentication is more secure than relying on just a password for authentication, as password spraying and credential stuffing are widely in use and are still yielding good results for hackers. As a recent National Cyber Security Centre (NCSC) survey has shown, many people still rely upon weak passwords, with ‘123456’ featuring 23 million times, making it the most widely-used password on breached accounts. There is a strong argument, therefore, for many businesses to look, as Microsoft is looking, towards more secure biometric methods of authentication and towards a “passwordless future”.
Although biometrics has been shown to make things incredibly difficult for cybercriminals, it has not proven to be 100% successful to date. For example, a Reddit user recently claimed to have used a 3D printer to clone a fingerprint and then used that fake fingerprint to beat the in-display fingerprint reader on a Samsung Galaxy S10. There was also the report of a Twitter user who claimed to have fooled the Nokia 9 PureView’s fingerprint scanner by using somebody else’s finger, and then just a packet of chewing gum, and the incident back in May 2017 where a BBC reporter said that he’d been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.
There is no doubt that the move away from passwords to biometrics is now underway, but we are still in the relatively early stages.