Microsoft is to offer subscribers password-free access to their accounts — it had been doing so for corporate customers since last March — and by popularizing its use, is moving closer to a future in which passwords will give way to much more efficient and secure authentication systems.
The feature requires downloading Microsoft Authenticator, which will require permissions to send notifications and a secure authentication system such as FaceID or the user’s fingerprint (or, alternatively, Windows Hello, the use of a physical security key or a verification code sent via SMS or email). After installing an authentication method, we just have to define in our account profile that we want to use it, and forget our password. The option, according to the company, will be introduced over the next few weeks.
Many apps now offer such authentication methods, but Microsoft’s move means a new phase in the popularization of this type of procedure, with all that this entails.
The password and the myths surrounding its use are responsible for many organizations’ security problems. Successive attempts to make passwords more secure, through procedures such as instructing users to select passwords according to certain requirements (uppercase, lowercase, numbers, special characters, squirrel noises, etc.), supplying them with passwords meeting these requirements that they could not change, or asking them to change them from time to time, have hindered people trying to gain irregular access to the systems, or even generated additional problems when, unable to memorize our passwords, we write them down on a post-it note on the screen. On other occasions, passwords were captured through more or less sophisticated phishing schemes that forced us to be wary of everything.
Ultimately, reducing the security culture to being able to memorize a password, which, to make matters worse, people reused across numerous services, prevented many of us from understanding the importance of the question, and led us to make mistakes that systematically made us more vulnerable. The use of password managers improved things and at least took many users to the next level, that of knowing by heart only the master password for the password manager, but in practice, password managers seemed overly complicated to many people.
Systems based on authenticators or second factors are much more secure, are simple to use and, although they take a little longer than a password, have far more advantages. The fact that Microsoft has decided to offer them as an option is definitely good news for security. Other companies like Google and Apple are working on similar schemes, which means that the password, hopefully in the not-too-distant future, will be consigned to history. Now is a good time to consider whether our company offers password-based services, and how advisable it might be to join this trend and stop forcing our users to keep memorizing strange words with 1Mp0$$iBL3 spellings, which are of little use…