Microsoft promises to ease the pains of going passwordless
Stephen Shankland | CNET.com
Troy Warren for Hometown Hall
Microsoft is updating its widely used cloud computing technology to make it easier for millions of us to dump our passwords.
The tech giant is making passwordless login a standard feature for Azure Active Directory, a cloud-based service customers can use to handle their employees’ login chores, the company said at its Ignite conference on Tuesday. The three-day conference, held online this year because of the COVID-19 pandemic, is geared for IT and other tech staff who use Microsoft’s products.
In another update, Microsoft is smoothing out a potential difficulty of going passwordless with a new technology called Temporary Access Pass, which makes it easier for users to enroll in new services without generating a password. It’s a one-time, short-term login code IT managers can send users for their initial login. It’s also useful for recovering account access in the event of a problem, like losing a security key or phone used for login. It’s only available as a preview technology so far, though.
The software behemoth’s effort to move past passwords comes amid growing recognition of their limitations for authentication. We pick bad passwords, reuse them and often forget them. When passwords are stolen, hackers sell them to anyone who wants to try breaking into our accounts. One security site, Have I Been Pwned, has tallied more than 613 million stolen passwords.
That’s why security professionals are moving to augment passwords with other authentication systems such as biometrics, like Windows Hello or Apple’s Face ID, and hardware security keys like Yubico’s YubiKeys.
Standards developed by the FIDO Alliance are designed to let you dump passwords altogether. The standards are built into hardware security keys and dovetail with technology like fingerprint or face recognition. They also guard against phishing efforts to steer you to fake websites designed to harvest login information that can be used to steal your money and your identity, because FIDO login credentials only work on the genuine website to which they’re linked.
Microsoft’s efforts at going passwordless are bearing fruit. Roughly 200 million people have enabled passwordless login for Microsoft services, such as Outlook and Xbox Live, according to Joy Chik, who runs the company’s identity products. That’s up a third from the 150 million people who had enabled passwordless login as of last May.
Many of those still use passwords as a login fallback, Chik said, but starting in the spring, Microsoft will let people remove their old passwords and go completely passwordless.