Should You Remove Your Passwords And Switch To Passwordless Login?
The “passwordless future is here”, according to Microsoft. But should you delete your passwords and switch to a passwordless method of authentication? We ask the experts.
By Joel Witts. Updated Mar 28, 2023
In a recent blog post, Microsoft announced users can now delete their passwords, and instead log into all Microsoft applications and services using an authentication app or biometric controls like a fingerprint scan. And when you create a new Microsoft account, you will no longer need a password.
This means the “passwordless future” is here–for Microsoft services at least–allowing users to finally do away with complex passwords that are difficult to remember and are the number one target for cybercriminals looking for access to their data.
And with Microsoft now recommending users switch to passwordless access, many people and organizations may be wondering if they should make the switch to passwordless authentication. Can passwordless authentication really be more secure than the tried-and-tested password?
To find out, we spoke to leading digital identity experts from across the security industry, to get their advice on whether you should go passwordless.
What Are The Problems With Passwords?
Before we get to the experts, let’s take a step back and consider some of the problems with passwords.
Passwords have been used since the first computers in the mid-1960s, but they’re notoriously insecure. Too often, they can be easily guessed by cybercriminals, or stolen in phishing attacks that trick users into logging into fake websites and unintentionally giving away their credentials. Malicious software can also be used to crack even highly complex passwords, sometimes in just minutes. Is anyone who uses a password alone really safe?
In fact, research has shown that 61% of data breaches are caused by a stolen password, and Microsoft found that over 579 password attacks take place every single second—that’s over 18 billion per year.
But the problems with passwords don’t end there. They’re also inconvenient. They’re a pain to remember, especially when they must be a certain length or complexity. So, people often use passwords that are easy to guess, or re-use the same passwords across multiple accounts.
Of course, there are ways you can more easily manage your passwords. We highly recommend the use of a password management solution, which allows you to store and remember passwords much more easily and securely. We also recommend following the “three random word” method of creating passwords, which improves security and helps you to remember key passwords.
Microsoft’s passwordless authentication uses a key-based authentication method to tie user credentials to a specific device, rather than a password. This means that all you need to do to log in is install Microsoft’s Authenticator app on your laptop or smartphone. This can then be used to verify your identity, instead of a password. Alternatively, you can use a security key or a verification code that is sent to your phone or email.
When setting up the authenticator app, you can configure extra levels of security, including PIN-codes, fingerprint scans, or even facial recognition. This is far more convenient than a password, and in some ways more secure, as it’s much harder for a cybercriminal to hack your fingerprint than your password.
But is going passwordless really more secure in the long run? We spoke to four experts from leading providers in identity and access management to find out what they think about Microsoft’s move to passwordless technology, and if users should make the switch.
Chief Security Evangelist at ESET
“The numerous data breaches that have resulted in the disclosure of passwords, as well as users’ willingness to re-use passwords and the growing need to secure personal and sensitive data, be it your own or your employers, mean strong authentication is mandatory. Cybersecurity experts such as myself have been advocating for some time that—whenever possible—multi-factor authentication, or two-factor authentication should be used.
The continual pressure caused by cybercriminals who are adept at finding new ways to circumvent security controls means that all security technologies and processes need to evolve over time. Microsoft’s move to a password-less environment is just a step in this evolution.
Using biometric, hardware or app-based authentication removes the possibility for cybercriminals to attempt credential stuffing, password spraying, brute force attacks and suchlike; it enhances security. It is important to note that SMS—one of the methods being used by Microsoft—does not alleviate the significant risk from SIM swapping/hijacking where the cybercriminal intercepts the SMS messages by controlling the SIM. I do not recommend using SMS as an option in a passwordless environment.
Should users move to passwordless authentication?
In a business, the decision on whether to move to a passwordless environment is the decision of the information security team, and it should be coordinated and deployed with the most appropriate alternate method to authentication such as an app authenticator, hardware token or other mechanism.
If the decision is not corporate and is user choice, then passwordless is a good option as long as the solution provided enforces multiple factors—something you have and something you know—for example, an app-based authenticator that requires you to unlock your mobile device to access a code needed to authenticate. However, I note the same caution as above regarding SMS-based authentication.
A passwordless solution should be coupled with security intelligence. For example, a user should not be able to log in from California and then two hours later from London. Using data to validate that the login is within acceptable conditions provides an additional layer to establishing the authentication of the user.”
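The location check described in the quote above (California, then London two hours later) is commonly called impossible-travel detection. The sketch below is an added example, not part of the original article or any vendor's product; the speed and distance thresholds, field names and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_KMH = 1000.0  # assumed threshold, roughly airliner cruising speed
MIN_KM = 100.0    # assumed: geo-IP lookups are coarse, ignore short hops

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    place: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Return (previous, current, implied_kmh) for each consecutive login
    pair of the same user whose implied travel speed exceeds max_kmh."""
    flagged, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        last_seen[ev.user] = ev
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        hours = (ev.when - prev.when).total_seconds() / 3600
        if km < MIN_KM:
            continue
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > max_kmh:
            flagged.append((prev, ev, kmh))
    return flagged

# Constructed sample events (not real log data)
T0 = datetime(2023, 3, 28, 8, tzinfo=timezone.utc)
SAMPLE = [
    Login("alice", T0, 37.77, -122.42, "San Francisco, California"),
    Login("alice", T0 + timedelta(hours=2), 51.51, -0.13, "London"),
    Login("bob", T0, 51.51, -0.13, "London"),
    Login("bob", T0 + timedelta(hours=3), 53.48, -2.24, "Manchester"),
]
```

In practice a flagged pair would feed a step-up challenge or an analyst queue rather than a hard block, since VPN exits and mobile carrier routing also produce large apparent jumps.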
“Changing to passwordless security is one of the pillars that enable organizations to deploy zero trust, one of the best security practices to strengthen cybersecurity, and enable employees and contractors to work securely while outside the corporate network.
Using multi-factor authentication without passwords reduces security threats and costs, and provides a simple, tailored user experience. Organizations can combine multiple inputs: physical cards/keys, biometrics and mobile devices and something users know, as they log into a network, use a computer or access a building.
Should users move to passwordless authentication?
Users should move to passwordless authentication once other authentication offerings are deployed. Going passwordless is a journey—first we need to provide password-replacement offerings, then reduce user-visible password surface areas, slowly transition into passwordless deployment and finally eliminate passwords from identity directories. It takes time and each organization is at a different place in the journey. Users should move to passwordless authentication when organizations offer a secure path.
Going passwordless gives us the option to combine network/software access with established physical access credentials, such as smart cards, key fobs, biometrics and others, as part of the authentication process to access network and assets. It also enables us to use workforce identity profiles and access management software to quickly and smoothly grant, change or cancel access to work areas, software and assets, while also supporting a wide range of security standards, including FIDO, PKI, OTP, OATH and more”.
“This change from Microsoft is a step in the right direction as passwords are inherently weak. On the other hand, it seems more like a push to expand downloads/usage of their authenticator app. Users can still reset their password using an SMS one-time passcode (which has its own security flaws) or email OTP (a bit better, but still not ideal).
But the objective is progress, not perfection, so it’s better than nothing.
Should users move to passwordless authentication?
Absolutely, and they should enable two-step verification wherever possible, ideally using an authenticator app or security key.
People have moved on from phonebooks, fax machines, pagers, dumbphones, PDAs, VHS, DVDs—sticking with passwords seems antiquated (some of those items have come and gone since the logical password was created).
Fewer passwords to create and remember means better security along with an enhanced end-user experience equals a win/win. It’s doubtful we will eliminate passwords in my lifetime but reducing their footprint means there’s nothing to steal, therefore devaluing them as an attack vector.
There is one possible caveat regarding biometrics for passwordless. Biometrics are the leading password replacement factor, but passwords have better entropy in the sense that if stolen, passwords can be replaced again and again. Whereas once attackers find a way to compromise biometrics (and they will), we all only have one set of fingerprints, eyes, and one face (hopefully) so not as easy to replace.
That said, password risks, inconvenience and costs outweigh the potential downside of passwordless. Single Sign-On (SSO) detractors made similar arguments, saying multiple passwords were a barrier and helped to prevent complete system compromise (we know how well that has worked – poor UX and weak security shouldn’t be a thing). SSO + 2FA/MFA largely quelled that objection. Likewise, risk intelligence is a key component to securing our passwordless future.
I applaud Microsoft as an industry leader for making this option available for users. The technology has been around for some time, but many enterprises are afraid to embrace it as passwords are embedded in their psyche. Microsoft doing it at scale is an important event. At the same time, passwordless is not available for many Microsoft devices, apps, and use cases, including versions of Windows, Office, Remote Desktop, Xbox, etc. And that’s where we struggle as an industry—making passwordless authentication extensible enough for the major and most vulnerable use cases prone to password attacks.
Hopefully others are inspired to make a similar commitment to passwordless. Leaning into authentication standards such as FIDO is important to make passwordless extensible and repeatable. Change management through training, education and awareness (we need a PSA for passwordless) to help users move to passwordless without apprehension is key to driving adoption.”
“After years of promise, it is wonderful to see the beginning of the end of passwords. For too long, fraudsters have leveraged weak, easy to guess, and compromised passwords to hijack accounts, and cause extraordinary financial damage. More recently, entire organizations have been held hostage by hackers leveraging the inherent weakness of passwords.
Microsoft’s move to end the reliance on passwords on the enterprise should be celebrated and embraced. Zero trust practices using Prove’s device-centric passive authentication and unparalleled strong identity binding are leading us to a trusted and secure future.”
Joel Witts is the Content Director at Expert Insights, meaning he oversees articles published and topics covered. He is an experienced journalist and writer, specialising in identity and access management, Zero Trust, cloud business technologies, and cybersecurity. Joel has conducted interviews with hundreds of industry experts, including directors at Microsoft and Google. Joel holds a First Class Honours degree in Journalism from Cardiff University.