We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 - 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
Just over two weeks ago, Microsoft, Apple and Google unveiled plans to expand support for the common passwordless sign-in standard created by the FIDO alliance and to offer passwordless login options for billions of users, so they can login with their fingerprint, face or device PIN.
Since the announcement, there’s been a lot of speculation around how the world of passwordless authentication will compare to the era of password-based authentication, with some commentators suggesting that FIDO is looking at “killing passwords entirely.”
For security teams, the idea of eliminating passwords is an attractive prospect, as it prevents cybercriminals from being able to harvest passwords and login credentials, and reduces the risk of data breaches caused by phishing scams, brute force hacks and business email compromise.
VentureBeat recently spoke to Vasu Jakkal, CVP security, compliance, identity and privacy at Microsoft, who’s leading the organization’s push toward passwordless authentication options as part of the FIDO alliance, to find out what a passwordless future means for enterprise security, and how threat actors are likely to adapt.
Below is an edited transcript of the interview.
VentureBeat: Why is the FIDO alliance moving away from password-based security?
Jakkal: Weak passwords are the entry point for most attacks across enterprise consumer accounts. Last year, Microsoft found there were a whopping 579 password attacks every second. In just one year, this number has grown to 921 per second — that’s 79.3 million attacks per day.
In a survey we commissioned recently, nearly one-third of people said they completely stopped using an account or service rather than dealing with a lost password.
They are insecure and burdensome for both individuals and businesses. That’s why we encourage people to go passwordless on their Microsoft account and use passwordless login wherever possible.
VentureBeat: What are the main advantages of passwordless authentication solutions?
Jakkal: Passwordless authentication solutions provide customers with a more secure, simple and fast way to authenticate their accounts. Rather than keeping attackers out, weak passwords often provide a way in. Using and reusing simple passwords across different accounts might make our online life easier, but it also leaves the door open.
Attackers regularly scroll social media accounts looking for birth dates, vacation spots, pet names and other personal information they know people use to create easy-to-remember passwords.
Our survey found that 68% of people use the same password for different accounts, which puts you at even more risk.
For example, once a password and email combination has been compromised, it’s often sold on the dark web for use in additional attacks. As my friend Bret Arsenault, our chief information security officer here at Microsoft, likes to say, “Hackers don’t break in, they log in.”
VentureBeat: Do organizations that go passwordless still need to worry about business email compromise and phishing threats?
Jakkal: The passwordless methods that Microsoft recommends, such as Windows Hello and other FIDO credentials, are built to be phishing resistant. They use cryptography to exchange keys and are bound to the hardware. This reduces the chance of a BEC and phishing threats to nearly nothing.
You can learn more about the phishability of different methods from our security researchers here: All your creds are belong to us! — Microsoft Tech Community
VentureBeat: How do you anticipate that cybercriminals will change their tactics as adoption of passwordless solutions grows?
Jakkal: Password-only accounts remain a lucrative target for cybercriminals — it’s still the cheapest attack at $0.97 per 1,000, as reported in our Microsoft Digital Defense Report. We expect password attacks to continue for some time, but we are always looking ahead where the next set of attacks could surface.
One area that we have been researching since early in our passwordless journey is the risk of session token theft. We released new detections last fall to help protect against token theft.
We are also actively working with standards bodies to develop security protocols to protect user sessions after they’ve logged in to minimize the risk of compromise. Microsoft’s Pam Dingle will be speaking on this topic at the RSA Conference.
VentureBeat: Are there any security risks presented by passwordless solutions that organizations should be aware of?
Jakkal: From a security perspective, Windows Hello, FIDO credentials, and Smartcards are incredibly hard to crack. That said, we do recommend customers use a zero-trust mentality of “assume breach” because you can never guarantee 100% security.
A couple areas that some organizations should be aware of are issuance and recovery of passwordless credentials.
Temporary access passes are one of the solutions we’ve developed to help with the initial setup or recovery of an account so customers can stay safe and passwordless at all stages.
VentureBeat: Is there any advice you have for security teams who want to start implementing passwordless authentication in their organization? (Any tips on deployment/managing the security of a passwordless environment?)
Jakkal: Yes, check out our helpful resources in this blog, including the deployment guide and a session with our CISO and CO on how we implemented passwordless at Microsoft: 3 key resources to accelerate your passwordless journey — Microsoft Security Blog. You can also see our latest customer stories here.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.
