Earlier this week, Microsoft announced that it will be pushing forward with its vision for a password-less future. Anyone following the company's moves, and indeed those of a number of other companies, can see that the use of a username/password combination to prove identity has been on shaky ground for some time. The theft of large numbers of user credentials through a number of major breaches over the last five years has almost completely undermined the use of these credentials. But what's next?
Microsoft's push towards password-less access to its services started with the introduction of Windows Hello, which is part of Windows 10. This allows users to log into Windows by using either a biometric tool, such as fingerprint or facial recognition, or a PIN code. It's a strong step forward. And we've seen similar technology deployed on smartphones and tablets, with Android and iOS devices supporting various biometric log-in mechanisms that are tied in with device encryption.
Alongside this, there's also Microsoft's Authenticator, which provides authentication without a password, although it does still depend on a username. I've been using it for some time and it works reliably.
One of the primary vehicles used by bad guys to access our systems is stealing log-in credentials in order to impersonate real users. All the security processes and tools in the world are circumvented when someone has your username and password. That's where two-factor authentication (2FA) comes into play. 2FA works by adding another authentication challenge to the equation: it's not just about something you know (your password), it's also about something you have. That's where the authenticator apps from Microsoft and Google come into play.
Microsoft has taken things a step further by allowing users to sign on to any Microsoft service using a standards-based FIDO2 device.
FIDO offers a set of standards that can be used by hardware and software makers to provide robust authentication services. Microsoft's adoption of FIDO2, the most recent set of standards, means you can connect to a service without a username or password, using hardware instead.
One of the most popular tools for doing this hardware-based authentication comes from Yubico. Its USB key works by using both the hardware device and your fingerprint. When you want to access a service, you plug the device in, touch the sensor and you'll be connected. There's no need to enter a username or password each time you want to use a device.
The purpose of a username and password combination is to do one thing: prove identity. The facts that so many passwords have been compromised, that users are notoriously bad at choosing strong ones, and that password rules are too complex have combined into a perfect storm for identity thieves.
What we are really looking at is an evolution of proving digital identity. By using factors that are hard to steal or duplicate, such as specific hardware devices you own, like the Yubikey, and data that is hard to duplicate, such as a fingerprint, the bar is being raised. It doesn't mean user credential compromise is impossible for criminals. But it does make it much harder.
Cyber criminals are in their business for the money in most cases. That means they think in simple business terms. If it takes too long to breach a target, it's not worth the effort most of the time. So they will move on. The old story about two people being chased by a bear stacks up. It's not about outrunning the bear; it's about outrunning the person next to you.
The "what's next" is proving your identity without resorting to tools created in the 1960s. Modern technology employing multiple identification factors based around what we have, like a hardware key or a specific smartphone, along with other information such as a facial recognition tool or fingerprint, will become the standard. Some banks already employ hardware tokens for log-ins, and two-factor authentication for many transactions is the norm. We can expect to see those measures and other new ones appear over the coming months.