When we think about account security, we tend to treat passwords as a given. As both attack techniques and authentication technologies have advanced, however, passwords have become less and less viable as a primary means of protection.
Today, passwords often pose more risk than protection because they are a single point of failure: whoever knows the password gets in. This is why phishing has become so prevalent in recent years, since a stolen password sidesteps every other control. In most cases it won't matter how strong your firewall is if a password is compromised: it's game over.
Because of this, passwords sharply limit how much control administrators actually have over an IT environment. That control passes to the individual users in the organization, who are responsible for protecting their credentials. Should one of them fall for a phishing scam, the rest of the IT defenses are bypassed. Two-factor authentication does protect against credential theft, but such a powerful tool shouldn't merely be a failsafe behind a password.
In that sense, passwords really are the weakest link in security and may have overstayed their welcome in our everyday lives. Today there are more robust ways to authenticate users and keep unauthorized parties out.
The growing availability of biometric scanning is a major step forward in protecting our personal information in this way. Windows Hello, for example, ties a user's identity more directly to an account by making the user's body the means of access, and because the biometric data stays on the device, it ties the account to that device as well. A fingerprint or iris pattern is far harder to replicate or guess than a password, and it cannot be typed into a phishing page.
A quick look at Microsoft's roadmap for Microsoft 365 shows that the company will soon be implementing Windows Hello-style logins that do away with passwords altogether. Rather than users relying on a single string of characters for account protection, the service will shift to a combination of biometrics and a second factor: the user's registered device.
What will this look like?
The new, password-free authentication experience will resemble using an MFA solution with Office 365. When a user enters their username, an access request is pushed to their designated device. To confirm the request the user scans a fingerprint, after which they are granted access to the account.
This process takes place within Microsoft's Authenticator app for mobile devices. Once released, any business that uses Azure Active Directory will see this application become the default method of account access.
What is Microsoft Authenticator?
Authenticator is a mobile application designed to speed up user verification. As it stands today, when a user logs into their account with a password, the Authenticator app asks for verification: allow or block the login? Only after the user approves does the login complete and the user gain access to their data.
To support Authenticator as the sole sign-in method, however, the process will also incorporate biometrics to guard against bad actors. Rather than confirming or denying the login with a simple yes/no tap, users will scan their face, irises or fingerprint to confirm the action, so possession of the phone alone is not enough to approve a request.
Who has my fingerprints?!
It should be noted that, as with Windows Hello and other biometric scanning, the details of one's own fingerprint or facial features are stored only locally on the device they are used to protect; the device reports whether the scan matched, not the scan itself. In essence, this biometric information can only be accessed by the owner of the device.
This protects accounts in the event of device theft and effectively adds another factor to the authentication process. In order to access an account, a user needs:
- The user's device
- The user's "bio-signature"
- The phone's location to be within the expected areas (IP address and geography)
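To make the sign-in exchange and the three requirements above concrete, here is an added example that is not part of the original article and is not Microsoft's code. It models the push-and-biometric flow as described: the server holds only a username-to-device binding (no password, no biometric data), the biometric template and the signing key stay on the device, and an approval is accepted only if it is nonce-bound, single-use, not expired, and comes from an expected location. The Device and Server classes, the HMAC secret standing in for a device-bound key pair, the 203.0.113.0/24 location allow-list and the fingerprint bytes are all assumptions of this example, constructed so it runs offline with the standard library.

```python
import hashlib
import hmac
import os
import time


def _digest(data):
    return hashlib.sha256(data).digest()


def _approval_message(req, device_id):
    # What the device signs: request id + nonce + device id + verdict. Binding the
    # nonce means an approval cannot be reused for a later sign-in request.
    return f"{req['id']}|{req['nonce'].hex()}|{device_id}|approve".encode()


class Device:
    """The user's phone. The biometric template and the device-bound key live only
    here; the server receives neither (constructed stand-in for a secure-enclave key)."""

    def __init__(self, device_id, biometric_sample):
        self.device_id = device_id
        self._template = _digest(biometric_sample)   # only a digest, only on-device
        self._key = os.urandom(32)                   # HMAC key stands in for a private key

    def registration_key(self):
        # A real device would register a public key; with HMAC the server holds the same
        # secret. That is the one simplification made to keep this stdlib-only.
        return self._key

    def approve(self, req, live_sample):
        """Biometric gate: the key is used only if the live scan matches the template."""
        if not hmac.compare_digest(_digest(live_sample), self._template):
            return None                              # prompt fails, nothing is signed
        msg = _approval_message(req, self.device_id)
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Server:
    """Identity-provider side: a device id and key per user, no password, no biometrics."""
    TTL_SECONDS = 60

    def __init__(self, allowed_ip_prefixes=("203.0.113.",)):   # constructed allow-list
        self._devices = {}    # username -> (device_id, key)
        self._pending = {}    # request id -> request
        self._allowed = allowed_ip_prefixes

    def register_device(self, username, device):
        self._devices[username] = (device.device_id, device.registration_key())

    def start_login(self, username, client_ip, now=None):
        """Step 1: the user types only a username; a push request goes to the enrolled device."""
        if username not in self._devices:
            raise PermissionError("unknown user")
        if not client_ip.startswith(self._allowed):
            raise PermissionError("sign-in from outside the expected locations")
        device_id, _ = self._devices[username]
        req = {"id": os.urandom(8).hex(), "nonce": os.urandom(16), "user": username,
               "device_id": device_id, "expires": (now or time.time()) + self.TTL_SECONDS}
        self._pending[req["id"]] = req
        return req

    def complete_login(self, request_id, signature, now=None):
        """Step 2: grant a session only for a fresh, unused request signed by the enrolled device."""
        req = self._pending.pop(request_id, None)    # pop: each request is single-use
        if req is None:
            raise PermissionError("no pending request with that id")
        if (now or time.time()) > req["expires"]:
            raise PermissionError("request expired")
        device_id, key = self._devices[req["user"]]
        expected = hmac.new(key, _approval_message(req, device_id), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("approval was not produced by the enrolled device")
        return f"session:{req['user']}"


def _rejected(fn, *args, **kwargs):
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


def run_scenarios():
    """Walk the happy path and the failure cases; returns one boolean per scenario."""
    finger = b"constructed-ridge-pattern-alice"          # stands in for a fingerprint scan
    phone = Device("phone-1", finger)
    idp = Server()
    idp.register_device("alice", phone)

    req = idp.start_login("alice", "203.0.113.7")
    sig = phone.approve(req, finger)
    out = {"login_ok": idp.complete_login(req["id"], sig) == "session:alice"}
    out["replay_rejected"] = _rejected(idp.complete_login, req["id"], sig)

    req2 = idp.start_login("alice", "203.0.113.7")
    out["stolen_phone_wrong_finger"] = phone.approve(req2, b"thief") is None
    out["forged_approval_rejected"] = _rejected(idp.complete_login, req2["id"], b"\x00" * 32)
    out["bad_location_rejected"] = _rejected(idp.start_login, "alice", "198.51.100.9")

    req3 = idp.start_login("alice", "203.0.113.7", now=1000.0)
    out["stale_approval_rejected"] = _rejected(
        idp.complete_login, req3["id"], phone.approve(req3, finger), now=2000.0)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

Running the file prints a dictionary in which every scenario is True: the legitimate login succeeds, and a replayed approval, a stolen phone with the wrong finger, a forged approval without the device key, a sign-in from outside the allow-list, and a stale approval are each refused. The point a practitioner should take from it is where the secrets live: the server never stores a password or a fingerprint, so a phished username and a stolen database yield nothing that can be replayed.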
So, unless kidnapping is involved, attackers are unlikely to break into accounts by stealing credentials or devices alone. Overall, this move presents an exciting opportunity to change the way we think about security and to raise the standard of protection users come to expect. With passwords out of the picture, one of the most common methods of credential harvesting becomes irrelevant for Microsoft 365, making the platform a strong choice for enterprises that prioritize security.