Microsoft is working to usher in the era of passwordless multi-factor authentication as passwordless API becomes an official W3C standard. Strong authentication using biometrics and FIDO2-compatible hardware is the better, and more secure, method of multi-factor authentication.
Complex passwords are hard to remember, even with fancy mnemonics. Enforcing password complexity and password expiry has long been regarded best practice – in theory. In practice, managing passwords has more often been a source of lost productivity, insufficient security, and poor user experience. Calls to service desks to reset passwords continue to be a significant cost overhead for IT service management.
The passwordless standard amounts to a stronger, more secure multi-factor authentication pattern. Websites and online services can leverage the passwordless trend by recognizing a registered FIDO2-compatible hardware device called an authenticator. The owner of the device creates and registers a public key credential for the website configured to log in the user with this method. The user unlocks the device using a biometric (fingerprint, iris scan, facial recognition) or PIN. The hardware device then proves the authentication credentials to a PC or mobile phone via Bluetooth, NFC, or USB.
Computer passwords were insecure to begin with. Just ask Fernando Corbató, who led the implementation of the first time-shared operating system at MIT in the mid-1960s. Overcoming the inherent insecurities associated with passwords has meant supplementing them with tokens, captchas, memorable questions, pictures, phrases, and one-time codes sent to users by SMS, email, or voicemail. Even with the advent of mobile apps replacing expensive hardware tokens, the traditional password was never abandoned.
Bill Gates predicted in 2004: “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.” Microsoft has prepared for the elimination or replacement of passwords with Windows Hello for Business, Microsoft Authenticator app, and Fast Identity Online (FIDO)-compatible security devices.
Businesses should improve their security posture by adopting secure authentication technologies, including FIDO2 and WebAuthn, that do not rely on passwords. Users should be advised that passwordless biometric authentication does not imply that their biometric data, password, or PIN will be shared with a website or service provider. FIDO2-compliant authenticator hardware devices do not store a password either; they store the private key, which identifies the registered owner to the website. Passwordless authentication is different from a one-time password using hard or soft tokens. Microsoft as a technology leader has rightfully made a clear commitment to support passwordless multi-factor authentication.
Identity and Access Management (SoftwareReviews)
Facing the Law: Police, Facebook, Cybersecurity, and the Most Beneficial Use of Facial Recognition Technology
FIDO Alliance and W3C Achieve Major Standards Milestone in Global Effort Towards Simpler, Stronger Authentication on the Web