From the “this should have happened a long time ago” department comes this announcement from Microsoft that all new Microsoft accounts will become “passwordless by default” to secure them against password attacks such as phishing, brute force, and credential stuffing.
Although passwords have been around for centuries, we hope their reign over our online world is ending. Billions of times a day, people all over the world sign into their accounts. According to the FIDO Alliance, more than 15 billion user accounts can now sign in using passkeys instead of passwords. But we need billions more to make every sign-in passwordless. So, to observe World Passkey Day, take the leap. Start by securing at least one of your accounts—ideally as many as you can—with a passkey. Protect your digital life from unauthorized access and make signing in faster, easier, and most importantly, more secure.
Darren James, a Senior Product Manager at Specops Software, had this comment:
“This is a good first step to help consumers become more familiar with passkeys and their usage. Passwords, as we all know, are still a key attack vector, but sadly we can’t just forget about passwords. Users still need to provide an email address when they sign up for their Microsoft account (Windows, Xbox and Microsoft 365 accounts), which can be used for account recovery should your passkey get lost, for example if you lose your smartphone. But what protects your email account? You guessed it — most likely a password!
“So although Microsoft won’t need to worry about your passwords being stolen from them, you will still need to make sure that any recovery methods you put in place still have a strong, unbreached password, or even better a passphrase and hopefully with a 2nd factor of authentication that isn’t something you can lose. Let’s not forget all the other accounts you have that aren’t controlled by Microsoft, work and personal. Even in this statement Microsoft themselves have said password use because of this has reduced by 20%, meaning that passwords are still in use by 80% elsewhere.”
“Right now, this is just for consumers; what about business or other professional users? Again, it’s better to take a layered approach. Switching to passkeys may not suit the way your business operates, so passwords will still be part of the authentication story for some time to come. As mentioned above, making sure that passwords are unbreached, not just when you set them but constantly checked to make sure they don’t become breached, and adding an additional, low-friction MFA layer wherever they are used will be the best approach.”
Chris Hauk, Consumer Privacy Champion at Pixel Privacy offers this comment:
“I applaud any effort to make this a passwordless online society. However, while biometric authentication from fingerprints or face scanners definitely makes logins more secure, I am concerned that users who choose to use a PIN will reuse the PIN across multiple sites (as other sites move to passwordless login), making PIN reuse as bad as password reuse.”
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 adds this:
“I think this is an encouraging decision by Microsoft, long overdue. My personal O365 account is under heavy password guessing attacks by hackers and bots around the world. It’s scary to see how many times hackers are trying to guess my password…and to be honest, I’m more than a little shocked that Microsoft was not proactively warning me about it. I got a warning about ‘unusual activity’ on my O365 account when I was logging in from Calgary, Canada, where I was visiting for a business conference. Microsoft asked me to review that activity, and when I went to my admin console to review that legitimate login, I saw hundreds of other recent password guesses against my account from all over the world. It was shocking. I wondered why Microsoft was not warning me about it, even though I use strong passwords. It must be because what’s going on with my account is so normal and routine that it doesn’t meet the criteria for warning me. I updated my O365 password to an even stronger one even though I was not breached. Microsoft did automatically offer me a passkey version as well, and that’s good, but FIDO passkeys, as great as they are (compared to passwords), are still not well-managed at the enterprise level.”
“FIDO needs to get enterprise and cross-platform management figured out better…which they are working on. But if it isn’t done soon and well, managing your FIDO passkeys could be as big a problem as managing your passwords. But still, I applaud what FIDO created, and passkeys are more secure than passwords. I would also like to see Microsoft (and Google and every other vendor) more strongly push phishing-resistant forms of MFA and authentication. FIDO passkeys are phishing-resistant, which is exactly why I love them and FIDO. But Microsoft (and Google, and Duo, and most other vendors) still push very phishable forms of authentication that are barely any better than the passwords they were designed to replace. Microsoft allows admins to require phishing-resistant forms of MFA, but doesn’t require them to. And I get it, 90% of the world uses phishable forms of MFA, and moving them to phishing-resistant forms of MFA and authentication isn’t easy. Customers are resistant. Still, a customer using or going to a phishable form of MFA or authentication is not ideal. It’s a lot of work for a false sense of security. I wish Microsoft (and Google, and Duo, and other vendors) more strongly advocated for and pushed phishing-resistant forms of authentication. We are years past when we should have already done so. The MFA industry, in general, has let customers down by allowing them to select and use phishable forms of MFA and authentication, especially when there are many phishing-resistant forms.”
Now I have been a major advocate of passwordless all the things for some time now, because you can’t phish, sniff or steal what doesn’t exist. I am in the midst of converting all of my passwords to some form of passwordless authentication where possible. The key words here are “where possible” because not everyone supports this yet. Thus I would urge banks, eCommerce, and anyone else to jump onto this train as soon as possible. And I would say that organizations should do the same as well, because this is one of those things that will make the world a safer place.
Surfshark launches privacy-oriented public DNS service
Posted in Commentary with tags Surfshark on May 5, 2025 by itnerd
Surfshark has announced that it is launching a public DNS (Domain Name System) service. Unlike the default DNS servers provided by ISPs (Internet Service Providers), which often track and record user activity, Surfshark’s new public DNS server ensures privacy by not logging browsing history, data transfers, or any other internet behavior. Surfshark DNS was created for privacy-conscious individuals and organizations, helping them to take the first step towards privacy and security by using this tool.
Many people rely on the default DNS provided by their ISP or other big companies, often overlooking the potential to enhance their browsing experience. A public DNS service hosted by a trustworthy entity would have a positive impact on privacy online and may even improve overall network performance. However, it’s important to note that UDP and TCP DNS queries are still sent over the internet in plaintext, making them susceptible to interception. To counter this, Surfshark’s DNS server supports secure DNS protocols such as DoT, DoH, and DoQ to keep browsing activity private.
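To make the plaintext point concrete, here is an added example (not Surfshark’s code, and not tied to Surfshark’s endpoints) that builds a classic DNS-over-UDP query in RFC 1035 wire format, shows that anyone on the path can read the queried hostname straight out of the bytes, and then wraps the same query in the RFC 8484 DoH GET form, where the whole message travels inside HTTPS. The `/dns-query` path is the RFC’s example path, assumed here; a real resolver publishes its own.

```python
import base64
import struct

QTYPE_A = 1      # A record
QCLASS_IN = 1    # Internet class


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a recursion-desired A query: exactly the payload sent to UDP/TCP port 53."""
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def queried_name(payload: bytes) -> str:
    """What a passive on-path observer recovers from a plaintext query: the QNAME."""
    labels, pos = [], 12  # the question section follows the 12-byte header
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointers do not occur in a query name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length


def doh_get_path(name: str) -> str:
    """RFC 8484 GET form: the wire message, base64url-encoded without '=' padding.
    RFC 8484 recommends a zero transaction ID so identical queries cache well."""
    wire = build_query(name, txid=0)
    return "/dns-query?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()


if __name__ == "__main__":
    udp_payload = build_query("www.example.com")
    print("on the wire, the name is readable:", queried_name(udp_payload))
    print("same query as a DoH GET:", doh_get_path("www.example.com"))
```

With DoH (or DoT/DoQ) the observer sees only a TLS session to the resolver, not the `dns=` parameter or the name inside it.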
What is a DNS server?
A DNS server works as a translator of domain names like bbc.com or thenewyorktimes.com into IP (Internet Protocol) addresses that computers can understand. K. Kaciulis explained that it acts as the phonebook of the internet, ensuring users can access websites using easy-to-remember names instead of numerical IP addresses.
How does DNS work?
When a request is made to access any website in the browser, the DNS resolution process is initiated. During this step, the domain name entered into the browser is converted to the corresponding IP address required to locate the desired web resource. The initial DNS query is sent to a resolver, which first contacts a root server to get information about the correct top-level domain (TLD), such as .com or .org. This TLD data then helps direct the request to the server responsible for the specific domain.
Finally, it reaches the authoritative name server, which holds the exact IP address for the website. This address is then sent back so the site can be loaded.
Benefits of using Surfshark public DNS
ISPs may collect and log users’ DNS queries for user identification. They can also monitor DNS traffic, both passively and actively, and are capable of blocking specific hostnames when necessary. Additionally, user data can be used for targeted advertising or sold to third parties. Surfshark’s DNS server is different: it operates under a strict no-logs policy, which means no collection, storage, or sharing of browsing activity.
Using Surfshark DNS may also improve overall network performance, unlike default ISP DNS servers, which can become overloaded. Since the Surfshark public DNS infrastructure is geographically spread out, it can direct users to closer servers. As a result, it may reduce delays and connection drops and improve overall browsing reliability.
I will be testing this and providing my feedback on how this works as I never use ISP provided DNS servers for speed, security and privacy reasons. Stay tuned for that.