Microsoft wants to make passwords a thing of the past and it’s a mission that begins at headquarters.
The majority of the company’s workforce has already turned their backs on using passwords, at least when it comes to logging in to their Windows PCs, according to Bret Arsenault, corporate vice president and chief information security officer at Microsoft. Instead, they are using Windows Hello for Business, which integrates with the Azure Active Directory authentication service.
Arsenault expects that all of the company’s 125,000 employees will soon “go completely password free,” he wrote in a Dec. 26 blog post.
Windows Hello is a biometric authentication technology that ships with Windows 10. It enables users to access their machines and compatible apps using fingerprint readers, facial recognition scanners and even iris scans. Outside of the organization, Microsoft claims that among Windows 10 users with compatible biometrics hardware, 70 percent are using Windows Hello in place of regular passwords.
Although the company claims it is a faster, enterprise-grade alternative to typing a password, the technology was recently shown not to be completely foolproof.
German cyber-security firm SySS announced on Dec. 18 that it had tricked Windows Hello into granting access to a Surface Pro PC with a printout. In compatible systems, the technology uses infrared sensors to detect the presence of a live user in front of the camera, but SySS was able to circumvent that safeguard with a modified, low-resolution printout of an IR scan. A proof-of-concept video is available on YouTube.
Windows Hello isn’t Microsoft’s only weapon against passwords, however.
The company is also a member of the FIDO (Fast Identity Online) Alliance, and is working with other technology giants such as Intel and Google to wean the industry off passwords by using a USB token, smartphone or other FIDO-compliant device. In 2016, Google found that the FIDO Alliance’s Universal 2nd Factor (U2F) standard not only improves security, but also slashes login times.
In a cyber-security landscape beset by major breaches, phishing attacks and other threats, username and password pairs are increasingly becoming a detriment to data privacy and security. Oftentimes, users are their own worst enemy.
Security vendor BeyondTrust recently named apathy the number one deadly sin of privileged access management. In its survey of 474 IT professionals, the firm discovered that dangerous habits and apathetic attitudes toward password management ran rampant at enterprises.
Seventy-nine percent of respondents reported that their organization’s users share passwords with other users and 76 percent neglected to change their default passwords. Three-quarters (75 percent) said users still cling to weak, easy-to-guess passwords.
What do weak passwords look like?
Unimaginative attempts like “123456” and “password” earned the number one and two spots on SplashData’s Worst Passwords of 2017 list, respectively (both retained their 2016 rankings). Third place went to “12345678,” followed by “qwerty” and “12345.” The company based its analysis on five million leaked passwords, mostly from North America and Western Europe.
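The five entries above share two patterns, sequential digits and keyboard-row walks, that a password check can recognise even for variants not on the list. The following checker is an added example, not code from the article or from SplashData; it generalises the list into pattern checks (the row strings and reason texts are the example's own choices).

```python
from typing import List

# The five worst passwords of 2017 named in the article (SplashData, places 1-5).
WORST_2017: List[str] = ["123456", "password", "12345678", "qwerty", "12345"]

# Keyboard rows used to recognise "walks" such as qwerty or asdfgh (assumed US layout).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def is_sequential_digits(pw: str, min_len: int = 4) -> bool:
    """True if pw is all digits stepping +1 or -1 throughout (12345678, 987654)."""
    if len(pw) < min_len or not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def is_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if pw is a contiguous run along one keyboard row, in either direction."""
    low = pw.lower()
    if len(low) < min_len:
        return False
    return any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def weak_password_reasons(pw: str) -> List[str]:
    """Return every reason the password is weak; an empty list means no pattern matched."""
    reasons: List[str] = []
    if pw.lower() in WORST_2017:
        reasons.append("on SplashData 2017 worst-passwords list")
    if is_sequential_digits(pw):
        reasons.append("sequential digits")
    if is_keyboard_walk(pw):
        reasons.append("keyboard walk")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    return reasons


if __name__ == "__main__":
    # "987654321" and "asdfgh" are constructed inputs absent from the list but caught by the patterns.
    for candidate in WORST_2017 + ["987654321", "asdfgh", "Tr0ub4dor&3x9!"]:
        print(f"{candidate!r}: {weak_password_reasons(candidate) or 'no weakness pattern found'}")
```

Pattern rules only catch the shapes shown here; a deployed check would also compare against a large corpus of breached passwords, since a password such as "Passw0rd" passes these rules despite being widely known.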