
Microsoft pushes passwordless technology

  • Passwords are hard to remember
  • Microsoft hopes to improve access authentication

Above: Illustration by krulua/123RF

BitDepth#1321 for September 27, 2021

“Nobody likes passwords,” wrote Vasu Jakkal in a blog post released on September 15.


“They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives — from email to bank accounts, shopping carts to video games.”

Jakkal would know. She’s the corporate vice president at Microsoft with responsibility for Security, Compliance & Identity.

“We are expected to create complex and unique passwords, remember them and change them frequently, but nobody likes doing that either,” Jakkal wrote.

“In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally ‘reply all’ — which can be monumentally embarrassing — than reset a password.”

According to Bret Arsenault, Microsoft’s chief information security officer, “Hackers don’t break in, they log in.”

And Arsenault would also know about that, because Microsoft is still grappling with the Nobelium attack on its Exchange servers, which affected the SolarWinds company and led to rolling breaches from 2020 until it was patched.

A Microsoft Power Apps breach identified in May exposed 38 million health-related records containing personally identifiable information across 47 organisations.

The flaw was patched in June.

Good authentication practice holds that two factors are best for securing access. That’s distilled into the credo: something you know and something you have.

One less-than-clunky example of this is the Entrust app that RBC uses to secure access to bank accounts.

To log into the system, you must use your user ID, a password and a random number generated by the Entrust app that’s only active for 30 seconds. It takes a bit of nimble finger tapping on a mobile device, but it works once you get the muscle memory down.

Microsoft’s response is a new Authenticator app for Android and iOS which it made available to business customers in March.

The app does what it promises after you’ve set it up on your mobile device.

Logging into a Microsoft account on the desktop offers up a number and sends a notification to the app.

A screen with three possible numbers appears there, and touching the right one authenticates for entry.

As a system, it works pretty seamlessly and the app itself is essentially invisible, but unfortunately there are limitations.

Microsoft Authenticator. At left, desktop request, at right, mobile response.

Microsoft’s authenticator doesn’t work with old versions of Office for Windows or Mac, mail services using IMAP or POP, or any Windows version earlier than 10.

Microsoft isn’t the only game in town for securing systems and devices using another device, nor is it alone in embracing the challenges that current password systems pose for users.

For many users, the constant requirement to unlock phones, tablets and laptops leads to very basic passwords being used to access them.

For others, alternative systems, such as fingerprint readers and facial recognition, don’t work properly on the device they own, so they end up falling back on passwords that are too simple.

Apple’s Watch unlocks devices through Bluetooth proximity, and the fingerprint and facial recognition systems on its mobile devices work well.

But there’s still a significant gap between company-mandated security and personal tolerance when it comes to password protection, and let’s just admit it, multi-factor authentication can be painful the way it’s usually implemented.

Some users rely on password lockers, such as KeePass. Apple has bundled a password locker, Keychain Access, on its Macs for decades, but few users notice or make use of it.

For passwords, which remain a pervasive presence in our lives, I favour long, run-on sentences leavened by capitals and punctuation that are blindingly obvious to me but gibberish to anyone else.

So ‘iloveplayinggolFAtsunset’ is much better than relying on the default ‘password123’ that some people still leave active on their systems.

Start with improving your password game and then consider alternative authentication measures that lighten the password entry burden.
