Quick: Change your password again. Make sure it has a combination of capital letters, numbers and special characters. Wait, no. Instead, come up with a long random phrase that you should be able to remember. Wait, no. Stop. Stop the madness! It’s time to kill the password.
This relic from the early days of computing has long outlived its usefulness, and certainly, its ability to keep criminals at bay. More than two-thirds of people use the same, usually not-very-strong password across dozens of different accounts. Weak passwords and stolen identities are the No. 1 source of data loss. Last year alone, 81 percent of major data breaches could be traced back to one individual’s compromised identity.
Stolen passwords are so commonplace among criminals that they can easily buy 1,000 usernames and passwords for less than $20 on the dark web – and can inflict a good amount of financial damage for such a small investment.
The standard approach to passwords – change them frequently, and make sure they include a combination of capital letters, numbers and special characters – is based on guidance issued in 2003 by the National Institute of Standards and Technology (NIST).
Bill Burr, the now-retired engineer who wrote the guideline, recently said that it hasn’t worked well. “It just drives people bananas and they don’t pick good passwords no matter what you do,” he told The Wall Street Journal.
Microsoft sees a better way forward. Through intelligence, innovation and partnerships, the company is helping to drive an industry-wide shift beyond passwords.
The underlying technologies are advanced, but the approach couldn’t be simpler: Instead of making you remember a list of passwords, Microsoft is making you the password.
“For several decades, the industry has focused on securing devices,” says Bret Arsenault, Microsoft’s corporate vice president and chief information security officer. “That model needs a makeover. Securing devices is important, but it’s not enough. We should also be focused on securing individuals. We can enhance your experience and security by letting you become the password.”
Microsoft began a major move to eliminate passwords with Windows Hello, introduced in Windows 10. Windows Hello is designed to work on any Windows 10 device with biometric sensors to verify your identity based on physical characteristics like a face or a fingerprint.
For example, the infrared camera in Microsoft Surface devices isn’t just taking your photo for facial identification, says Rob Lefferts, director of program management for Windows Enterprise and Security. “It’s actually building a 3D map of your face. It has depth and characteristics, and we use multi-spectrum analysis so we’re getting multiple images of your face from different perspectives.”
Another approach to eliminating passwords is to incorporate other objects or devices you have with you. For example, if you’ve got an iOS or Android device, you can use the Microsoft Authenticator App to sign into your Microsoft account with a PIN (personal identification number) or fingerprint as verification. Businesses will soon be able to offer employees the same, easy phone-based authentication for corporate apps and internal resources through Azure Active Directory and Microsoft 365.
These newer systems are easy to use, and that’s crucial when it comes to encouraging people to switch from a widely adopted security system, like passwords, that may be bad, but is also familiar.
“We are encouraging users to try it, and see for themselves that it is easier to use than passwords,” says Lefferts. “I think one of the fears that people have is that new technology is just going to be more complicated, and not realize that we’ve pushed to make it simpler and better.”
Already, roughly 70 percent of Windows 10 users with biometric-enabled devices are choosing Windows Hello over traditional passwords.
Getting rid of passwords is front and center for the FIDO (Fast IDentity Online) Alliance, a nonprofit consortium of industry leaders, including Microsoft, that has developed open standards for simpler, stronger authentication. Specifications and certifications from the FIDO Alliance have enabled a broad ecosystem of hardware-, mobile- and biometrics-based authenticators that can be used with many apps and websites.
More than 250 cross-industry, global leader member organizations belong to the FIDO Alliance including Intel, Google, Samsung, Qualcomm, Visa, PayPal, eBay, Bank of America, MasterCard, American Express and Verizon. Microsoft is on the alliance’s board of directors.
“We are committed to solving this problem across the industry, which is why we’re collaborating with others in the technology industry via the Fast IDentity Online Alliance,” says Arsenault. “We’ve built a blueprint for the technology, now known as FIDO 2.0, shared it, and participated in its evolution through open collaboration with others in the alliance.”
FIDO applications are already enabled on many of the top global manufacturers’ handsets, and more than 350 products are now FIDO Certified, giving enterprises and online service providers a variety of interoperable FIDO authentication solutions to choose from.
“We wanted to replace passwords, so we needed the same kind of scalability that passwords have,” says Brett McDowell, executive director of the FIDO Alliance. “You can use a password anywhere, and we needed a technology that would work not only anywhere, but eventually, everywhere. And so we knew we needed to have an open industry standard. That was the first step.”
The next step? “We had to make sure that the secrets were never shared, so we built on the ‘proof of possession’ model established in public key cryptography as the basis of the FIDO security model,” McDowell says.
The private key stays on your personal device; “it is never shared over the internet, it is never put in a database,” McDowell says. “Instead of a password being stored on the server, only the public key for that account is ever shared with the online application so it can be used to verify what is called a ‘cryptographic signature’ from the user’s device during future authentication challenges.” This process confirms “proof of possession” of the private key without ever sharing the private key itself, he says, “thus ending phishing for credentials and/or reusing stolen credentials from a data breach.”
“You’re using a cryptographic credential bound to a device, unlocked by an on-device biometric challenge,” McDowell says. “And that is exactly how Microsoft’s Windows Hello system works.”
While Windows Hello and FIDO are key to extending password-free solutions to the general public, in many ways enterprises like Microsoft have been leading the movement. By using Azure Active Directory’s built-in identity protection in concert with Windows Hello, Microsoft has been giving commercial customers a new approach to security that uses threat intelligence and machine learning to shift the focus from securing the corporate perimeter to securing individuals and their identities.
This new way of thinking enables IT to better protect data and documents, while simultaneously reducing end user friction with simpler password-free sign ins and access to corporate apps and services wherever they are.
Arsenault says much of what Microsoft has learned about what it takes to move people beyond passwords “comes from our experiences in securing Microsoft’s own 125,000 employees in more than 100 subsidiaries worldwide, who serve over a billion people worldwide every day.”
“Like any other company or household, human error and weak passwords make the easiest targets for criminals,” Arsenault says.
Today, “the majority of Microsoft employees already log in to their computers using Windows Hello for Business instead of passwords,” he says. “Very soon we expect all of our employees will be able to go completely password free.”
Microsoft has a long history of making futuristic technology available to all. Delivering password-less technology through the world’s most popular operating system and intelligent commercial software, building companion solutions for a growing range of devices, and a willingness to share learnings with the industry along the way give Microsoft a unique ability to dramatically accelerate the transition away from the No. 1 source of data theft – passwords.
Lefferts says Microsoft is committed to helping all customers live in a “password-less world.”
“It will take time for all the parties, all the important websites and all the important line-of-business applications to adopt this technology, and it will take even more time for users, customers and organizations to make the cultural shift required so that people can really live in this new world,” he says. “But we have the blueprint for accelerating the move away from passwords. The key to success is making sure that the user experience is actually easier and better than what they have with passwords today.”