Microsoft plans to replace passwords in Windows with other means of authentication, but security experts warn this approach will not work…
Microsoft is about to go passwordless for its Windows products and services. The software giant states that it is making the change because the old credentialing combination of a username and password is not only antiquated but is wide open to compromise from various threat vectors. This fact is widely known in the cyber security industry, and it is why experts in the field are pushing heavily for more secure alternatives, like two-factor authentication (2FA). But Microsoft is going about the process all wrong, security analysts warn.
Microsoft’s Plans to Replace Passwords will Fail, Security Experts Warn
Microsoft plans to replace passwords with other forms of user authentication: biometrics, hardware tokens and security keys, or an email containing a one-time password (OTP). However, this approach will not suffice, because swapping out passwords for any one of these alone does not provide more security than a password did. All of these alternatives, used as stand-alone factors the way Microsoft plans to use them, have already been exploited by security researchers and threat actors alike.
In other words, simply putting one of these other credentialing methods in place of passwords adds no extra layer of protection, which is why two-factor authentication is preferred. In fact, Google is on schedule to roll out 2FA on December 14th for all consumer user accounts. Anyone with a Google account will not only need their password, but will also need their phone at the ready to authenticate their identity.
“Microsoft could have truly solved the digital identity validation problem by making MFA mandatory and easy to use in Windows,” says Corey Nachreiner, CSO at WatchGuard Technologies.