You can now remove the password from your Microsoft account. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services, such as Outlook, OneDrive, and Family Safety.
Vasu Jakkal, Corporate Vice President, Security, Compliance and Identity at Microsoft, blogged that passwords are inconvenient and a prime target for attackers, yet they have remained a layer of security for everything digital, from email to online shopping and banking accounts.
For more on how to do away with passwords and use other authentication, visit the Microsoft website.
Steve Bradford, Senior Vice President EMEA at the cloud identity security product company SailPoint, says that Microsoft’s decision to abolish passwords is raising a few eyebrows; however, passwords can be an Achilles heel for those who do use them. “While they can make it slightly more difficult for someone to gain access into something – it’s not impossible. Whether it’s a pet name, a favourite holiday destination or even a random word, all too often they are easily guessed, stolen, hacked and put on the Dark Web for sale. It’s human nature to make them memorable, but this doesn’t bode well when it comes to keeping them secure.
“Microsoft is making security-forward steps when it comes to removing passwords and instead focusing on authentication apps. User identity is integral to security and creating a zero-trust model. The next step would be to look at the concept of dissolving privileges – meaning that those who have not accessed a system for more than 30 days for example, would totally lose access, or if an employee is on holiday, the access controls would change. This helps to ensure that only the right people have access to the right information at the right time, which is far more important.”
Lili Curtis, threat intelligence analyst at Talion, says: “With password requirements becoming more complex, users often recycle old passwords or reuse passwords on multiple websites. This makes passwords a vulnerability hackers can target via brute force attacks or the use of password duplication across multiple accounts.
“With companies still storing passwords in readable formats and the popularity of adversaries posting compromised passwords online, users’ security is continually at risk. Passwordless accounts could be an extremely effective way forward in the battle against cyber criminals and protecting our networks.
“In June, the infamous ransomware attack against Colonial Pipeline was the result of the theft and use of one single password, that had been reused on a previously compromised website.
“The added protection 2FA provides has increased the difficulty for hackers attempting to infiltrate a network; however, it is important to remind ourselves that this is still not a completely foolproof method. Hackers have previously been able to contact a victim’s carrier and swap the SIM card to a new one to hijack incoming 2FA authentication codes. Android users are also at risk of downloading a malicious copy of an authentication app that copies the codes and forwards them on to the hackers.
“The bottom line is that 2FA is currently the safest option when keeping data and accounts safe. Whilst any password measures have their vulnerabilities, making it harder for an attacker by having passwordless accounts may be the step towards reducing the high risks of phishing and password attacks.”
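The two points made above about password storage (passwords "stored in readable formats" and the same password reused across accounts) can be shown in code. The following is an added example, not code from the article or from any of the companies quoted: a toy user store in the weak form beside the hardened form (per-user random salt, the memory-hard scrypt KDF from Python's standard library, constant-time comparison). The user names and passwords are constructed for the demo and are not real credentials; the function names are this example's own. It also shows why the hardened store does not reveal to someone holding a dump that two users share a password, which the readable store does.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demo (not real credentials).
# "bob" reuses "alice"'s password, the reuse pattern discussed above.
SAMPLE_USERS = {
    "alice": "Tr0ub4dor&3",
    "bob": "Tr0ub4dor&3",
}

# --- Weak pattern: the password is stored exactly as typed -----------------
def store_plaintext(users):
    """Return a 'database' that keeps each password in readable form."""
    return {user: pw for user, pw in users.items()}


# --- Hardened pattern: per-user salt + memory-hard KDF ----------------------
# scrypt cost parameters (hypothetical choice for the example; 16 MiB of memory
# per guess, which is what slows offline brute force after a dump).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """Derive a stored record 'scrypt$<salt hex>$<digest hex>' for a password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record format")
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def store_hashed(users):
    """Return a 'database' holding only salted scrypt records."""
    return {user: hash_password(pw) for user, pw in users.items()}


def dump_reveals_reuse(db):
    """Would an attacker holding this dump see that two users share a password?

    Identical stored values betray reuse. With a random per-user salt the same
    password yields different records, so the hashed store does not.
    """
    values = list(db.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    weak = store_plaintext(SAMPLE_USERS)
    strong = store_hashed(SAMPLE_USERS)
    print("readable store shows reuse:", dump_reveals_reuse(weak))   # True
    print("hashed store shows reuse:  ", dump_reveals_reuse(strong))  # False
    print("alice login ok:", verify_password("Tr0ub4dor&3", strong["alice"]))
    print("wrong password:", verify_password("hunter2", strong["alice"]))
```

The salt is what breaks the link between the two records; the KDF's memory cost is what makes each offline guess expensive after a dump. Neither helps against credentials an attacker already holds from another site, which is the reuse risk the quote is pointing at and which only a second factor or a passwordless credential addresses.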