Microsoft Is Killing Passwords

It's often said that the safest password you can have is one you don't know. Which is why so many password management programs create passwords for you that are impossible for you to remember. But Microsoft is going a step further. They are enabling password-free access to more services through their Authenticator app.

During the recent Ignite event Microsoft held in Orlando the company's CEO, Satya Nadella, said "Because one of the biggest challenges is you want to make sure that the users don't have friction, but have more security. So, this multi-factor authentication or passwordless future has to be done in a way that user adoption is at the centre of it".

I looked at Authenticator a while ago and it's a solid app that works well. When I remotely log into my Skype, Office 365 or OneDrive accounts, I never need to use a password as all the authentication is handled by the app. I suspect the experience Microsoft gained will be leveraged as they expand the Authenticator model to their enterprise cloud services.

With 50 million Facebook accounts breached over the weekend, many people are questioning why we still have passwords. Even though there are plenty of steps you can take to use strong passwords, we are creatures of habit and many people re-use passwords or use weak passwords so they can remember them.

Two-factor and multi-factor authentication are a great step forward and offer a relatively easy path for strengthening your account security. But a password-less system is possible. I noted recently that, according to research done by Data 61, it's possible for users to be identified by how they hold their mobile devices and tap on the screen. Perhaps that research could be used for good and not evil, as a way of proving user identity as it becomes a more accurate tool.

In addition to the new passwordless shift, Microsoft announced Microsoft Secure Score during Ignite. This is a tool that allows organisations to assess their security environment and get recommendations to reduce their chance of a breach.


    I'm fairly sure 50 million users were not hacked due to poor passwords. I'm not going to bother looking into this latest one, but they're usually API failures or some other server side security issue when the victims are in the millions. And that stuff happens no matter how good your own security is.

      Yep, the latest Facebook incident didn't have anything to do with passwords. It was a bug in a couple of different Facebook components (View As and Video Uploader) that meant an Access Token for a user could be generated and extracted by an attacker to allow access to that user's account. Facebook has fixed the bug and revoked all the access tokens for accounts they either know or believe were associated with this bug.

      Last edited 01/10/18 7:01 pm

      As has been the case for years now, backdoors, exploits etc etc.
      It's not the '90s anymore; no one brute-forces passwords.

    So, what happens when your phone or token is stolen?
    I had this issue with reporting my stolen phone to Google last year, and every process I tried initially said, "looks like you are logging in from a new device; we'll authorise you by sending a message to your [stolen] phone".
    I cannot see how an Access Token wouldn't be easier to steal.
