
Be More Secure Without Passwords: Microsoft Embraces Passwordless Authentication and FIDO2

Microsoft is working to usher in the era of passwordless multi-factor authentication as the Web Authentication API (WebAuthn), the browser-facing half of FIDO2, becomes an official W3C standard. Strong authentication that pairs a FIDO2-compatible hardware authenticator with a biometric or PIN is a better, and more secure, form of multi-factor authentication than a password supplemented by one-time codes.

Complex passwords are hard to remember, even with fancy mnemonics. Enforcing password complexity and password expiry has long been regarded as best practice, in theory. In practice, managing passwords has more often been a source of lost productivity, insufficient security, and poor user experience; NIST's current digital identity guidance (SP 800-63B) no longer recommends forced periodic password changes, partly for this reason. Calls to service desks to reset passwords continue to be a significant cost overhead for IT service management.

FIDO2 (WebAuthn in the browser plus the FIDO Alliance's CTAP protocol between the browser and the device) amounts to a stronger multi-factor authentication pattern built on public-key cryptography rather than on a shared secret. A website or online service (the relying party) recognizes a registered FIDO2-compatible hardware device called an authenticator. At registration, the authenticator generates a fresh key pair scoped to that website's domain and hands the site only the public key; the private key never leaves the device. At login, the site sends a random, single-use challenge. The user unlocks the authenticator with a biometric (fingerprint, iris scan, facial recognition) or PIN, and the device signs the challenge together with the origin the browser recorded. The browser relays that signature from the PC or mobile phone, over USB, NFC, or Bluetooth, to the site, which verifies it against the stored public key. Because the key is bound to the registered domain and each challenge is used once, a phishing site cannot obtain a usable signature and a captured login cannot be replayed.
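To make that exchange concrete, here is an added example that is not code from the original article, from Microsoft, or from the FIDO Alliance: a Go simulation of the three parties in a WebAuthn login (authenticator, browser, website) with the relying-party checks that give FIDO2 its phishing resistance, followed by a genuine login, a phishing relay and a replay. The `Authenticator`, `browserGet`, `RelyingParty` and `Scenario` names, the `example.com` and `evil.example` sites and the user `alice` are all assumptions made for the illustration; attestation, the signature counter and the clientData `type` check are left out, and the rpId is simplified to the origin's host name.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Authenticator models a FIDO2 security key: one P-256 key pair per relying-party ID. Private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// MakeCredential is the registration step: a key pair scoped to rpID; only the public half is handed out.
func (a *Authenticator) MakeCredential(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rpID] = k
	return &k.PublicKey
}

// GetAssertion signs authenticatorData || SHA-256(clientDataJSON), but only with a key registered for this
// rpID and only after the user unlocked the device with a PIN or biometric (the "unlocked" flag, assumed here).
func (a *Authenticator) GetAssertion(rpID string, cdj []byte, unlocked bool) (authData, sig []byte, err error) {
	k, ok := a.keys[rpID]
	if !ok || !unlocked {
		return nil, nil, fmt.Errorf("authenticator: credential for rpId %q present=%v, user verified=%v", rpID, ok, unlocked)
	}
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x05, 0, 0, 0, 0) // rpIdHash | flags UP|UV | signature counter (unused here)
	sig, err = ecdsa.SignASN1(rand.Reader, k, signedDigest(authData, cdj))
	return authData, sig, err
}

func signedDigest(authData, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return d[:]
}

// browserGet models navigator.credentials.get(): the browser writes the page's true origin into clientDataJSON
// and derives rpId from it, so a page on evil.example can only ask the key for evil.example's credential.
func browserGet(a *Authenticator, origin string, challenge []byte, unlocked bool) (cdj, authData, sig []byte, err error) {
	cdj, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin})
	authData, sig, err = a.GetAssertion(strings.TrimPrefix(origin, "https://"), cdj, unlocked)
	return
}

// RelyingParty is the website. It stores only public keys: nothing here is a secret worth stealing.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey
}

func newChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// FinishLogin runs the relying party's checks; chal is the single-use challenge it issued for this attempt.
func (rp *RelyingParty) FinishLogin(user string, chal, cdj, authData, sig []byte) error {
	var cd map[string]string
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return err
	}
	want, pk := sha256.Sum256([]byte(rp.ID)), rp.pubKeys[user]
	switch {
	case cd["challenge"] != base64.RawURLEncoding.EncodeToString(chal):
		return errors.New("challenge mismatch (replayed assertion?)")
	case cd["origin"] != "https://"+rp.ID:
		return fmt.Errorf("assertion made for origin %q, not https://%s (phishing?)", cd["origin"], rp.ID)
	case len(authData) < 37 || !bytes.Equal(authData[:32], want[:]):
		return errors.New("rpIdHash mismatch")
	case authData[32]&0x04 == 0:
		return errors.New("user verification flag not set")
	case pk == nil || !ecdsa.VerifyASN1(pk, signedDigest(authData, cdj), sig):
		return errors.New("unknown credential or invalid signature")
	}
	return nil
}

// Scenario: alice registers with example.com and logs in; evil.example then relays a fresh challenge to her
// browser; finally her captured assertion is replayed. A nil result means the site accepted the login.
func Scenario() (genuine, phish, replay error) {
	rp := &RelyingParty{"example.com", map[string]*ecdsa.PublicKey{}}
	key := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp.pubKeys["alice"] = key.MakeCredential(rp.ID)
	c1 := newChallenge()
	cdj, ad, sig, _ := browserGet(key, "https://example.com", c1, true)
	genuine = rp.FinishLogin("alice", c1, cdj, ad, sig)
	_, _, _, phish = browserGet(key, "https://evil.example", newChallenge(), true)
	replay = rp.FinishLogin("alice", newChallenge(), cdj, ad, sig)
	return
}

func main() { fmt.Println(Scenario()) }
```

Run it with `go run`: the genuine login returns nil, the phishing relay fails inside the authenticator because it holds no credential scoped to evil.example, and the replay fails at the site because the challenge inside the captured clientDataJSON no longer matches the one issued. A production relying party should use a maintained WebAuthn library rather than hand-rolling these checks; the simulation only shows which checks carry the security argument.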

Computer passwords were insecure to begin with. Just ask Fernando Corbató, who led the implementation of the first time-shared operating system at MIT in the mid-1960s. Overcoming the inherent insecurities associated with passwords has meant supplementing them with tokens, captchas, memorable questions, pictures, phrases, and one-time codes sent to users by SMS, email, or voicemail. Even with the advent of mobile apps replacing expensive hardware tokens, the traditional password was never abandoned.

Bill Gates predicted in 2004: “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.” Microsoft has prepared for the elimination or replacement of passwords with Windows Hello for Business, Microsoft Authenticator app, and Fast Identity Online (FIDO)-compatible security devices.

Our Take

Businesses should improve their security posture by adopting secure authentication technologies, including FIDO2 and WebAuthn, that do not rely on passwords. Users should be advised that passwordless biometric authentication does not mean their biometric data, password, or PIN is shared with a website or service provider: the biometric or PIN only unlocks the authenticator locally, and the website sees a signature, not the factor that produced it. FIDO2-compliant authenticator hardware devices do not store a password either; they hold a private key, generated at registration and scoped to that website, whose signatures the site verifies against the matching public key it stored. That is what sets passwordless authentication apart from a one-time password from a hard or soft token: an OTP is a shared secret that a phishing page can capture and relay within its validity window, whereas a FIDO2 assertion is bound to the site's origin and to a single-use challenge and cannot be replayed elsewhere. Two practical caveats: the fallback paths (account recovery, and any legacy password or SMS login left enabled) become the weakest link and should be tightened at the same time, and users should register a second authenticator so that a lost key does not mean a lost account. Microsoft as a technology leader has rightfully made a clear commitment to support passwordless multi-factor authentication.


Want to Know More?

Identity and Access Management (SoftwareReviews)
Password-less protection
Facing the Law: Police, Facebook, Cybersecurity, and the Most Beneficial Use of Facial Recognition Technology
FIDO Alliance and W3C Achieve Major Standards Milestone in Global Effort Towards Simpler, Stronger Authentication on the Web
