Quick: Change your password again. Make sure it has a combination of capital letters, numbers and special characters. Wait, no. Instead, come up with a long random phrase that you should be able to remember.
Wait, no. Stop. Stop the madness! It’s time to kill the password.
This relic from the early days of computing has long outlived its usefulness, and certainly, its ability to keep criminals at bay. More than two-thirds of people use the same, usually not-very-strong password across dozens of different accounts. Weak passwords and stolen identities are the number one source of data loss. Last year alone, 81% of major data breaches could be traced back to one individual’s compromised identity.
Stolen passwords are so commonplace among criminals that they can easily buy 1 000 usernames and passwords for less than $20 on the dark web – and can inflict a good amount of financial damage for such a small investment.
The standard approach to passwords – change them frequently, and make sure they include a combination of capital letters, numbers and special characters – is based on guidance issued in 2003 by the US’s National Institute of Standards and Technology (NIST).
Microsoft sees a better way forward. Through intelligence, innovation and partnerships, the company is helping to drive an industry-wide shift beyond passwords.
The underlying technologies are advanced, but the approach couldn’t be simpler: Instead of making you remember a list of passwords, Microsoft is making you the password.
“For several decades, the industry has focused on securing devices,” says Bret Arsenault, Microsoft’s corporate vice-president and chief information security officer. “That model needs a makeover. Securing devices is important, but it’s not enough. We should also be focused on securing individuals. We can enhance your experience and security by letting you become the password.”
Microsoft began a major move to eliminate passwords with Windows Hello, introduced in Windows 10. Windows Hello is designed to work on any Windows 10 device with biometric sensors to verify your identity based on physical characteristics like a face or a fingerprint.
For example, the infrared camera in Microsoft Surface devices isn’t just taking your photo for facial identification, says Rob Lefferts, director of program management for Windows Enterprise and Security. “It’s actually building a 3D map of your face. It has depth and characteristics, and we use multi-spectrum analysis so we’re getting multiple images of your face from different perspectives.”
Another approach to eliminating passwords is to incorporate other objects or devices you have with you. For example, if you’ve got an iOS or Android device, you can use the Microsoft Authenticator app to sign in to your Microsoft account with a PIN (personal identification number) or fingerprint as verification. Businesses will soon be able to offer employees the same easy, phone-based authentication for corporate apps and internal resources through Azure Active Directory and Microsoft 365.
These newer systems are easy to use, and that’s crucial when it comes to encouraging people to switch from a widely adopted security system, like passwords, that may be bad, but is also familiar.
“We are encouraging users to try it, and see for themselves that it is easier to use than passwords,” says Lefferts. “I think one of the fears that people have is that new technology is just going to be more complicated, and not realize that we’ve pushed to make it simpler and better.”
Already, about 70% of Windows 10 users with biometric-enabled devices are choosing Windows Hello over traditional passwords.
Getting rid of passwords is front and center for the FIDO (Fast IDentity Online) Alliance, a nonprofit consortium of industry leaders, including Microsoft, that has developed open standards for simpler, stronger authentication. Specifications and certifications from the FIDO Alliance have enabled a broad ecosystem of hardware-, mobile- and biometrics-based authenticators that can be used with many apps and websites.
More than 250 member organisations, global leaders from across industries, belong to the FIDO Alliance, including Intel, Google, Samsung, Qualcomm, Visa, PayPal, eBay, Bank of America, MasterCard, American Express and Verizon. Microsoft is on the alliance’s board of directors.
“We are committed to solving this problem across the industry, which is why we’re collaborating with others in the technology industry via the Fast IDentity Online Alliance,” says Arsenault. “We’ve built a blueprint for the technology, now known as FIDO 2.0, shared it, and participated in its evolution through open collaboration with others in the alliance.”
FIDO applications are already enabled on many of the top global manufacturers’ handsets, and more than 350 products are now FIDO Certified, giving enterprises and online service providers a variety of interoperable FIDO authentication solutions to choose from.
“We wanted to replace passwords, so we needed the same kind of scalability that passwords have,” says Brett McDowell, executive director of the FIDO Alliance. “You can use a password anywhere, and we needed a technology that would work not only anywhere, but eventually, everywhere. And so we knew we needed to have an open industry standard. That was the first step.”
The next step? “We had to make sure that the secrets were never shared, so we built on the ‘proof of possession’ model established in public key cryptography as the basis of the FIDO security model,” McDowell says.
The private key stays on your personal device; “it is never shared over the internet, it is never put in a database,” McDowell says. “Instead of a password being stored on the server, only the public key for that account is ever shared with the online application so it can be used to verify what is called a ‘cryptographic signature’ from the user’s device during future authentication challenges.”
This process confirms “proof of possession” of the private key without ever sharing the private key itself, “thus ending phishing for credentials and/or reusing stolen credentials from a data breach,” McDowell says.
“You’re using a cryptographic credential bound to a device, unlocked by an on-device biometric challenge. And that is exactly how Microsoft’s Windows Hello system works.”
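The proof-of-possession flow McDowell describes, as an added illustration (this is example code, not Microsoft’s, Windows Hello’s or the FIDO Alliance’s implementation): the device generates a key pair, only the public key is registered with the service, and each sign-in is a signature over a fresh random challenge that the service checks with that public key. It uses Ed25519 from Go’s standard library as the signature scheme, models the on-device biometric unlock as a `userVerified` flag, and the account name and the `Authenticator`/`RelyingParty` types are assumptions of this example. It goes slightly beyond the text by also showing that a captured signature cannot be replayed and that a dump of the server’s credential store contains nothing that can sign.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator models the user's device (a Windows Hello PC or a phone):
// it holds the private key and never exports it.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// NewAuthenticator generates the key pair on the device at registration time.
func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only key material that ever leaves the device.
func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// Sign answers a challenge with a signature. The on-device biometric check that
// unlocks the key is modelled here as the userVerified flag (an assumption of
// this example); if it fails, the private key is never used.
func (a *Authenticator) Sign(challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed; key stays locked")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// RelyingParty models the online service. Its store holds public keys only,
// so a breach of it yields nothing an attacker can sign with.
type RelyingParty struct {
	registered map[string]ed25519.PublicKey // account -> public key
	pending    map[string][]byte            // account -> outstanding challenge
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{
		registered: make(map[string]ed25519.PublicKey),
		pending:    make(map[string][]byte),
	}
}

// Register stores the device's public key against the account.
func (rp *RelyingParty) Register(account string, pub ed25519.PublicKey) {
	rp.registered[account] = pub
}

// Challenge issues a fresh random nonce for the account's device to sign.
func (rp *RelyingParty) Challenge(account string) ([]byte, error) {
	if _, ok := rp.registered[account]; !ok {
		return nil, errors.New("unknown account")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[account] = c
	return c, nil
}

// Verify checks proof of possession: the signature must cover the challenge this
// service issued, and each challenge is accepted once, so a captured signature
// is useless for a later sign-in.
func (rp *RelyingParty) Verify(account string, challenge, sig []byte) bool {
	expected, ok := rp.pending[account]
	if !ok || !bytes.Equal(expected, challenge) {
		return false
	}
	delete(rp.pending, account)
	return ed25519.Verify(rp.registered[account], challenge, sig)
}

// BreachDump returns everything the server's credential store holds: public keys only.
func (rp *RelyingParty) BreachDump() map[string][]byte {
	out := make(map[string][]byte, len(rp.registered))
	for acct, pub := range rp.registered {
		out[acct] = []byte(pub)
	}
	return out
}

func main() {
	device, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty()
	const account = "alice@example.test" // constructed sample account
	rp.Register(account, device.PublicKey())

	c, _ := rp.Challenge(account)
	sig, _ := device.Sign(c, true)
	fmt.Println("genuine device, fresh challenge:", rp.Verify(account, c, sig))
	fmt.Println("same signature replayed:        ", rp.Verify(account, c, sig))
	for acct, pub := range rp.BreachDump() {
		fmt.Printf("stored on server for %s: %x (public key only)\n", acct, pub)
	}
}
```

The service never sees a reusable secret: a phishing page that captures the signature captures an answer to a challenge that has already been consumed, and a stolen copy of the server store gives only verification keys. Production FIDO2/WebAuthn adds further protections on top of this core (binding the signature to the site's origin, for instance), which are left out here to keep the flow readable.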
While Windows Hello and FIDO are key to extending password-free solutions to the general public, in many ways enterprises like Microsoft have been leading the movement. By using Azure Active Directory’s built-in identity protection in concert with Windows Hello, Microsoft has been giving commercial customers a new approach to security that uses threat intelligence and machine learning to shift the focus from securing the corporate perimeter to securing individuals and their identities.
This new way of thinking enables IT to better protect data and documents, while simultaneously reducing end-user friction with simpler password-free sign-ins and access to corporate apps and services wherever they are.
Arsenault says much of what Microsoft has learned about what it takes to move people beyond passwords “comes from our experiences in securing Microsoft’s own 125 000 employees in more than 100 subsidiaries worldwide, who serve over a billion people worldwide every day.”
“Like any other company or household, human error and weak passwords make the easiest targets for criminals,” Arsenault says.
Written by Suzanne Choney