The security industry has long recognised that a password on its own offers weak protection for an account, and Microsoft is finally making passwordless sign-in available on Windows 10 devices.
The next major update of the Windows operating system in 2020 will allow users to enable passwordless sign-in and choose whether to use Windows Hello face authentication, fingerprints, or a personal identification number (PIN) to access Microsoft accounts.
“Enabling passwordless sign-in will switch all Microsoft accounts on your Windows 10 device to modern authentication,” the company said in a blog post.
Microsoft argues that although a PIN may look very much like a password, it is considerably more secure. A password is a shared secret: the server has to hold it, or a hash of it, in order to check it, so whoever compromises the server can recover or crack it and then use it anywhere the same password has been reused. A Windows Hello PIN, in contrast, is “user-provided entropy” (randomness) that never leaves the device: it is used locally to unlock a private key protected by the device’s trusted platform module (TPM), and the server holds only the matching public key, which cannot be used to sign in. A PIN is therefore not exposed to a server breach in the way a password is, and it is useless without the user’s device, because it only unlocks the key held in that particular TPM, which also limits the rate at which wrong PINs can be tried.
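The difference Microsoft is describing is easiest to see in code. The following is an added illustration, not Microsoft’s or the Fido Alliance’s code: a password scheme in which the server keeps a salted hash (so a stolen record can be cracked offline), beside a simplified Windows Hello/Fido2-style scheme in which a device-bound ECDSA key signs a fresh server challenge only after the correct PIN is entered, and the server stores just the public key. The three-strike lockout is a stand-in for TPM anti-hammering and the names `Device`, `Server` and `maxFailures` are this example’s own assumptions; the password and wordlist are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// PasswordRecord is what a server must keep to check a password. SHA-256 keeps
// the example short; a slow KDF would slow cracking down but not change the
// point: whoever steals this record can test guesses offline.
type PasswordRecord struct{ Salt, Hash []byte }

func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

func EnrollPassword(pw string) PasswordRecord {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return PasswordRecord{Salt: salt, Hash: hashPassword(salt, pw)}
}

func VerifyPassword(rec PasswordRecord, pw string) bool {
	return subtle.ConstantTimeCompare(rec.Hash, hashPassword(rec.Salt, pw)) == 1
}

// OfflineCrack plays an attacker who has exfiltrated the server's record.
func OfflineCrack(rec PasswordRecord, wordlist []string) (string, bool) {
	for _, g := range wordlist {
		if VerifyPassword(rec, g) {
			return g, true
		}
	}
	return "", false
}

// Device stands in for the Windows machine and its TPM (assumed model). The
// private key is generated here, never exported, and only signs when the PIN
// is right; maxFailures wrong PINs lock it, mimicking TPM anti-hammering.
const maxFailures = 3

type Device struct {
	priv     *ecdsa.PrivateKey
	pinHash  []byte
	failures int
}

func NewDevice(pin string) *Device {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256([]byte(pin))
	return &Device{priv: priv, pinHash: sum[:]}
}

// PublicKey is the only thing the device ever hands to the server.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	if d.failures >= maxFailures {
		return nil, errors.New("device locked: too many wrong PINs")
	}
	sum := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(sum[:], d.pinHash) != 1 {
		d.failures++
		return nil, errors.New("wrong PIN")
	}
	d.failures = 0
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Server holds the public key and the set of unused challenges it issued, so a
// captured signature cannot be replayed and a stolen record forges nothing.
type Server struct {
	pub         *ecdsa.PublicKey
	outstanding map[string]bool
}

func NewServer(pub *ecdsa.PublicKey) *Server {
	return &Server{pub: pub, outstanding: map[string]bool{}}
}

func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.outstanding[hex.EncodeToString(c)] = true
	return c
}

func (s *Server) Verify(challenge, sig []byte) bool {
	k := hex.EncodeToString(challenge)
	if !s.outstanding[k] {
		return false // unknown or already-consumed challenge
	}
	delete(s.outstanding, k)
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.pub, digest[:], sig)
}

func main() {
	rec := EnrollPassword("Summer2020!") // constructed sample password
	fmt.Println(OfflineCrack(rec, []string{"password", "Summer2020!", "letmein"}))
	dev := NewDevice("1234")
	srv := NewServer(dev.PublicKey())
	c := srv.NewChallenge()
	_, err := dev.Sign("0000", c)
	fmt.Println("wrong PIN:", err)
	sig, _ := dev.Sign("1234", c)
	fmt.Println("fresh:", srv.Verify(c, sig), "replay:", srv.Verify(c, sig))
}
```

The password record falls to a three-word wordlist the moment it leaves the server, whereas the server’s record in the second scheme is a public key: an attacker who steals it still cannot produce a valid signature, a signature captured in transit fails on reuse because each challenge is consumed once, and guessing the PIN has to happen on the device, which locks after a few attempts.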
Enabling passwordless sign-in on Windows 10 devices is the latest step by Microsoft in an industry-wide effort to encourage multi-factor authentication and to end the world’s reliance on passwords, which are easily compromised and typically reused across multiple accounts, so that one breached site yields credentials that can be tried at many others in credential stuffing attacks.
Microsoft has already given Windows 10 the option to sign in using codes sent by text message, the Microsoft Authenticator app, Windows Hello and physical security keys that comply with the Fido2 standard.
The Fido Alliance of industry partners, which includes Microsoft, Google and Intel, says Fido2 now lets users authenticate to online services from common devices in both mobile and desktop environments. Multiple major web browsers, including Chrome, Firefox and Microsoft Edge, have implemented the standards, and Android, Windows 10 and related Microsoft technologies have built-in support for Fido authentication.
Microsoft also lets users set up a Microsoft account without a password, using a mobile phone number as the username and a code sent to that number to complete the first sign-in. Once the account has been signed in on Windows 10, users can unlock the device with Windows Hello or a PIN.
The good news is that the passwordless option is also scheduled to be made available to business users through Azure Active Directory, which will allow businesses to become fully passwordless.