
Endpoint Security // Windows

5/3/2018 08:05 AM
Jeffrey Burt

Microsoft's 4-Step Plan for Eliminating Passwords

Microsoft is on a campaign to replace passwords with other authentication methods and it points to its Windows Hello and Authenticator app as examples of viable alternatives.

It's no secret in enterprises that end users can be the largest security threat in an organization, and that passwords often are the way hackers get into the corporate network.

In its 2017 Data Breach Investigations Report, Verizon reported that 81% of hacking-related breaches involved stolen or weak passwords.

Since the introduction of the Windows 10 operating system almost three years ago, Microsoft officials have been vocal in their push to rid the computing world of typed strings of letters, numbers and symbols in favor of other identification options, which can include two- and multi-factor authentication and biometric technologies such as fingerprint, voice and face recognition.

In a blog post this week, the company upped the anti-password campaign and laid out a four-step process for moving into an era where passwords are no longer used.

"Nobody likes passwords," Karanbir Singh, principal program manager for enterprise and security at Microsoft, wrote in the blog post, adding:

They are inconvenient, insecure, and expensive. In fact, we dislike them so much that we've been busy at work trying to create a world without them -- a world without passwords. At its core, our fundamental philosophy is simple: devalue the password, and replace it with something that eradicates its use for the end user and drains its value for an attacker.

Singh acknowledged the significant role passwords have played over the past decades in the lives of PC users, adding that "to fully get rid of them, not only do we need to address all that is bad with them, we also need to acknowledge all that is good; they are familiar, portable, and can be used almost everywhere." (See SunTrust Investigation Shows Continuing Threats Posed by Insiders.)

The first of the four steps in the password-elimination process calls for creating replacement technologies that "address the shortcomings of passwords while embracing their positive attributes," he wrote.

For Microsoft, that began with the introduction of Windows Hello in Windows 10. The biometric technology enables users to log into their Windows PCs or other devices through fingerprint, facial or iris scans, which the company says is three times faster than using traditional passwords. According to Microsoft, more than 47 million users worldwide leverage Windows Hello and more than 5,000 companies are using Windows Hello for Business on more than 1 million commercial systems and devices.

A weakness in the technology is obvious in shared-PC situations, though Singh wrote that the company is working on developing portable credentials for such scenarios.

Microsoft also created its Authenticator app, a two-factor verification technology for users who want to access their Microsoft account through their Apple or Android smartphones. After unlocking the smartphone with the device's own passcode, users verify their identity with the app, which can either send a notification when the user signs in or automatically generate a new verification code every 30 seconds.
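The rotating 30-second code described above is the behaviour standardised as a time-based one-time password (TOTP, RFC 6238): an HMAC over a time counter, truncated to six digits, computed identically by the phone and by the server from a shared secret. The Go program below is an added example written for this page, not Microsoft's or the Authenticator app's code; it assumes the app follows RFC 6238 with its HMAC-SHA1 default, and its only input is the RFC's published test secret, embedded here as constructed data. Besides generating codes it shows the server-side checks that decide whether such a code actually adds security: a small clock-drift window, constant-time comparison, and refusing to accept the same time step twice, so a code captured in transit cannot be replayed inside its validity window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

const (
	StepSeconds = 30 // the rotation period the article describes
	Digits      = 6  // code length shown in the app
)

// HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated
// to a 31-bit integer and reduced to the requested number of decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	value := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, value%mod)
}

// TOTP (RFC 6238): HOTP with the counter set to the number of 30-second steps
// since the Unix epoch. Phone and server derive the same code from the shared
// secret and the current time; no secret crosses the network at login.
func TOTP(secret []byte, at time.Time, digits int) string {
	return HOTP(secret, uint64(at.Unix()/StepSeconds), digits)
}

// DecodeBase32Secret parses the secret as it appears in an enrolment QR code
// (otpauth:// URIs carry it base32-encoded, sometimes lower-case or spaced).
func DecodeBase32Secret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// Verifier is the server side. It tolerates `window` steps of clock drift,
// compares in constant time, and remembers the last accepted step so that a
// code observed once can never be accepted a second time.
type Verifier struct {
	secret      []byte
	window      int
	lastCounter int64
}

func NewVerifier(secret []byte, window int) *Verifier {
	return &Verifier{secret: secret, window: window, lastCounter: -1}
}

func (v *Verifier) Verify(code string, at time.Time) bool {
	current := at.Unix() / StepSeconds
	for c := current - int64(v.window); c <= current+int64(v.window); c++ {
		if c < 0 || c <= v.lastCounter {
			continue // negative step, or a step already consumed: replay
		}
		expected := HOTP(v.secret, uint64(c), Digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	// Constructed input: the RFC 4226/6238 test secret, not a real enrolment.
	secret, err := DecodeBase32Secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now()
	code := TOTP(secret, now, Digits)
	v := NewVerifier(secret, 1)
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

The replay guard is the detail most home-grown verifiers omit: without `lastCounter`, a six-digit code phished or shoulder-surfed a few seconds ago is still valid for the rest of its step plus the drift window, which is exactly the interval an attacker relaying it in real time needs.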

In addition, Redmond has been working with the Fast IDentity Online (FIDO) Alliance and is working to bring FIDO2 security keys to Windows Hello. The FIDO2 security keys enable users to bring their credential with them wherever they go and use it to authenticate to a shared Windows 10 PC that's joined to Azure Active Directory.

Microsoft officials say the technology could help in such situations as a helpdesk, a hospital -- allowing staff to access patient records on a device -- and in the public sector, where policies might dictate that the user's credential has to be kept physically separate from the device.

The feature currently is in limited preview, Singh wrote.
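What makes a FIDO2 key safe to carry between shared machines is the shape of the exchange: the relying party stores only a public key and, at each login, checks a signature over a fresh challenge that the authenticator has bound to the site's own identity. The Go program below is an added, deliberately simplified model of that exchange written for this page; it is not Microsoft's, the FIDO Alliance's or any WebAuthn library's code. The authenticator-data layout, the client-data encoding, the signature counter handling, the relying-party id "login.example" and the origins used are all assumptions constructed for illustration and omit much of the real protocol (attestation, CBOR, extensions). It demonstrates, from the verifier's side, why a copied credential database, a replayed assertion, an assertion obtained by a look-alike origin, and a cloned key each fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const flagUserPresent = 0x01 // the "someone touched the key" bit

// Authenticator stands in for the security key. The private key is generated
// on the key and never leaves it (simplified model, assumed for this example).
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	rpID    string
	counter uint32
}

// Credential is everything the relying party (in the article's scenario, the
// login service of the Azure AD-joined PC) keeps after registration: a public
// key, which RP it belongs to, and the last signature counter seen. A thief who
// copies this record gains nothing that can be used to sign in.
type Credential struct {
	pub         *ecdsa.PublicKey
	rpID        string
	lastCounter uint32
}

// Assertion is what the authenticator returns at login time.
type Assertion struct {
	AuthData   []byte // SHA-256(rpID) || flags || 32-bit big-endian counter
	ClientData []byte // challenge || origin, as reported by the client
	Sig        []byte // ECDSA P-256 over SHA-256(AuthData || SHA-256(ClientData))
}

// Register creates a key pair on the authenticator and hands the RP the public half.
func Register(rpID string) (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID},
		&Credential{pub: &priv.PublicKey, rpID: rpID}, nil
}

// NewChallenge is issued by the RP per login attempt; its freshness defeats replay.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

func clientData(challenge []byte, origin string) []byte {
	return append(append([]byte{}, challenge...), origin...)
}

func signedBytes(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Assert signs the RP's challenge together with the origin the client reports.
func (a *Authenticator) Assert(challenge []byte, origin string) (Assertion, error) {
	a.counter++
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	authData[32] = flagUserPresent
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	cd := clientData(challenge, origin)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedBytes(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientData: cd, Sig: sig}, nil
}

// Verify is the RP's side: every check is against data it generated or stored itself.
func (c *Credential) Verify(challenge []byte, origin string, as Assertion) error {
	if len(as.AuthData) != 37 {
		return errors.New("malformed authenticator data")
	}
	if subtle.ConstantTimeCompare(as.ClientData, clientData(challenge, origin)) != 1 {
		return errors.New("challenge or origin mismatch (replay, or signed for another site)")
	}
	rpHash := sha256.Sum256([]byte(c.rpID))
	if subtle.ConstantTimeCompare(as.AuthData[:32], rpHash[:]) != 1 {
		return errors.New("assertion was made for a different relying party")
	}
	if as.AuthData[32]&flagUserPresent == 0 {
		return errors.New("user presence not asserted")
	}
	if !ecdsa.VerifyASN1(c.pub, signedBytes(as.AuthData, as.ClientData), as.Sig) {
		return errors.New("invalid signature")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:37])
	if counter <= c.lastCounter {
		return errors.New("signature counter did not advance (cloned authenticator?)")
	}
	c.lastCounter = counter
	return nil
}

func main() {
	auth, cred, err := Register("login.example")
	if err != nil {
		panic(err)
	}
	ch, _ := NewChallenge()
	as, _ := auth.Assert(ch, "https://login.example")
	fmt.Println("genuine login:", cred.Verify(ch, "https://login.example", as))
	ch2, _ := NewChallenge()
	fmt.Println("replayed assertion:", cred.Verify(ch2, "https://login.example", as))
}
```

Two of the checks do the work that a password can never do: the origin is part of what the key signs, so an assertion produced on a look-alike site is useless on the real one, and the monotonic counter lets the RP notice when two copies of the same key are in use.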

In the Windows 10 April 2018 update, Microsoft introduced Windows 10 in S mode.

This lets cloud users with a Managed Service Account (MSA) or Azure AD account use their S mode-enabled Windows 10 PCs without having to type in a password. Users do this by installing the Authenticator app on their smartphone and setting it up with their MSA or Azure AD account, and then installing the Windows 10 April 2018 update with S mode enabled. They then set up Windows Hello and use the Authenticator app to sign into the account.

In addition, Microsoft earlier this year said it will use Fujitsu's PalmSecure palm vein authentication technology in Windows 10 Pro to sign into systems. (See Windows 10 Bypassing Passwords With Fujitsu's PalmSecure Biometrics.)

Once the first step of finding alternatives to passwords is done, the next step in getting rid of them altogether is ensuring that those times when a user needs to type in a password -- such as provisioning an account, accessing applications or setting up a new device -- can work with password replacements. Enabling users and IT administrators to simulate and transition to password alternative technologies is the third step, followed by what Singh called "the final frontier -- delete passwords from the identity directory."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.