Tuesday, September 21, 2021 at 1:04 AM
Microsoft takes a big step toward a future where passwords are no longer required.
In a recent blog post, Microsoft announced that, starting on September 15, 2021, you will be able to completely remove the password from your Microsoft account and instead sign in to Microsoft apps and services using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email address.
It's been a long time coming.
At first sight, this seems to be a fantastic concept, and many users will breathe a sigh of relief as they wait in anticipation for the next IT company to take the initiative. Those who were in favor of this move may well be thinking: What took them so long?
Microsoft's security director, Bret Arsenault, detailed why the firm was removing passwords in a 2019 blog post. Also in 2020, Microsoft began to make several of its products more open to third-party alternatives such as Yubico, HID Crescendo, TrustKey, and AuthenTrend.
All of these options are much more secure and difficult to compromise, and we have been pushing for the use of a second factor in login processes for quite some time at this point.
What is the point of getting rid of passwords?
Microsoft cites two justifications for this decision:
Passwords are disliked by everyone (which I can guarantee is not true).
As a result, they are a popular target for attackers.
One of the reasons why no one is fond of passwords is that the issue has been made worse by absurd and needless regulations, such as requiring users to choose passwords that match formulae or requiring users to change their passwords every few months. Both ideas have been shown to be false, yet they continue to torment us. Formulas limit the number of potential passwords a user may choose from, and frequent password resets encourage users to use passwords that adhere to a predictable pattern. Both effects might make guessing passwords simpler, which is the polar opposite of what we want.
I will agree that the fact that passwords may be guessed makes them a target for hackers and cybercriminals. However, I believe that the logic in this case is a little skewed. If the criminals are after my jewelry, I'm confident I can sell it at the pawn shop down the street if necessary. But isn't this simply a case of diverting their focus elsewhere? Now that I have money, they will aim for that as well.
When switching from passwords to biometrics, this issue comes up again and again. Swapping my password for my fingerprints makes my fingerprints a target, which makes me a target. Is it possible to have my fingerprints replaced if I lose them? What methods will thieves devise in order to take them? And what happens when they get their hands on them? Talk about reusing the same login credentials all over the place...