Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:00 PM
Connect Directly

Microsoft Identity VP Shares How and Why to Ditch Passwords

Passwords are on their way out, says Joy Chik, who offers guidance for businesses hoping to shift away from them.

As the security industry acknowledges World Password Day, more experts wonder how our lives would look without them. New forms of authentication are catching up, at home and at work, giving people a better sense of how insecure and costly passwords are.

Cybercriminals don't need advanced techniques when they can bet on human behavior. In its "2019 State of Password and Authentication Security Behaviors Report," the Ponemon Institute found 51% of 1,761 IT and IT security pros reused an average of five total passwords across both business and personal accounts. Nearly 70% admitted to sharing their passwords with colleagues.

It's a dangerous habit. After all, the complexity of a password doesn't matter if it falls into the wrong hands, says Joy Chick, corporate vice president of identity at Microsoft. "If they get hold of one password, they know they can use it [to] pry open more of our digital lives," she wrote in a blog post. "A single compromised password, then, can create a chain reaction of liability."

On average, one in every 250 corporate accounts is compromised each month. The expense of passwords grows as companies adopt more business applications. Now companies dedicate 30% to 60% of their support desk calls to resetting passwords.

"Password reset is one of the highest support costs, especially in enterprise customers," Chik tells Dark Reading.

Consumers have grown more wary of cybercrime and are becoming aware of authentication's role in protecting their information.

"We all understand the need to have second-factor authentication in addition to passwords," she explains. "Even though that is understood as more secure, the challenge is users have a hard time dealing with multiple passwords for multiple services." A second factor, on top of password management, becomes overwhelming.

The primary reason multifactor authentication (MFA) has been slow to catch on is user friction, she says, and it's a struggle that organizations of all sizes are trying to work through. Adding a second factor on top of requiring a password could also increase support costs as businesses deploy new authentication policies.

As more people learn about and adopt passwordless authentication, they seem to prefer it. A Visa survey published earlier this year found 68% of US shoppers had left an online purchase because they forgot a password, had trouble logging in, or experienced issues getting a one-time password. More than half (53%) of credit-card holders who responded said they would switch banks if their current provider didn't have biometric authentication options. Two-thirds viewed these options as easier and faster than traditional passwords, researchers found. 

Employees are catching on to the passwordless trend.

"We have reached over 150 million unique users on a monthly basis using passwordless options as a way to authenticate against services and applications," says Chik of Microsoft and Azure Active Directory. It's a 50% jump in six months. Microsoft data shows the use of biometrics for work accounts is poised to double in 2010, as nearly 25% of companies already use or plan to deploy biometrics in the near future.

Microsoft's IT team adopted passwordless logins, Chik wrote, and now 90% of employees sign in sans passwords. As a result, the hard and soft costs of supporting passwords dropped 87%.

Abandoning Passwords? Factors to Consider
When considering new forms of authentication, Chik says its essential to keep a password replacement strategy in mind. She advises businesses to think through all the different factors, both primary and secondary, they plan to offer employees. If someone relies on a mobile authentication app and their device is lost or stolen, how will you replace their password so they can be productive? How will you backup data and restore it; what will be your fallback mechanisms? If an employee uses a security key, how will you ensure they are given two?

Security teams should think about their environments. Before they are provisioned with passwordless authentication, employees should go through a pilot program or proof-of-concept so they can test the technology before adopting it.

"That also reduces friction of the typical top-down IT mandate in terms of policies," Chik notes. Employees can test their options while satisfying the business requirement for stronger authentication practices.

Another important factor to consider is how the organization will remove passwords from legacy environments. Indeed, as more organizations brace themselves for a prolonged period of working from home, many are thinking about how their security practices will change.

"They need a new strategy of helping end users to be productive and have security at the same time," Chik says.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
5/14/2020 | 11:31:30 PM
In Defence of the Humble Password
Passwords have had a lot of bad press in recent years, most of which was almost certainly well-deserved. However, despite the obvious limitations, they do have considerable appeal, in that users find them extremely easy to remember, and convenient to enter. Further, unlike fingerprints, iris-scans, colonoscopies, or other intrusive identification techniques, they respect your privacy, and can be changed at will. The fact of the matter is, that passwords themselves are one hundred percent secure, as long as they only exist in our minds. What destroys their security, is when we tell them to the outside world

An article on ResearchGate, with the same title as that of this post, examines the issues with passwords, and concludes that it's not the password which is insecure - it's the way we enter it.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.