Microsoft’s Allegedly “Passwordless” Login Isn’t All It’s Hyped Up to Be

Microsoft’s Allegedly “Passwordless” Login Isn’t All It’s Hyped Up to Be

Microsoft made a bold statement last week when it suddenly announced that their users can now ditch their passwords and log in using Microsoft Authenticator, Windows Hello, a physical security key like a Yubikey, or an SMS/email verification code.

Microsoft rolled out passwordless login for its business and education customers earlier this year, but this is the first time consumers can take advantage of it — and who wouldn’t? People tend to lose or forget their passwords, especially as the number of online accounts they have pile up. They also engage in poor password practices, such as using weak passwords, reusing passwords across accounts, and keeping track of them insecurely. This is why over 80% of data breaches, and about 75% of ransomware attacks, are due to compromised passwords.

Microsoft getting rid of passwords is a good thing, and it’s a sure sign that passwords are on their way out the door — right?

Not so fast.

Passwords Aren’t Going Anywhere

Just like other flavors of “passwordless” login, such as biometrics, Microsoft’s “passwordless” technology doesn’t actually banish passwords into the ether. It simply abstracts them away from the end user’s view. Let’s take a look at how it works:

  • When new users initially set up their Microsoft account, they have to choose a password — yes, even though Microsoft has “gone passwordless.”
  • Only after logging in with that password can users choose to “go passwordless” by choosing an alternate single-factor authentication method such as Microsoft Authenticator.

There are several caveats here. Perhaps the biggest one is that the new “passwordless” authentication factor isn’t really “passwordless”:

  • When an end-user fires up their Microsoft Authenticator app, inserts their security key, or even touches the fingerprint pad on their Windows keyboard, the authenticator performs a “true-false” query.
  • Then, the authenticator pulls whatever password the user created when setting up their Microsoft account out of the device keychain, and sends it to Microsoft.
  • If there’s a match, the user is logged in.

Bottom line: A password is still being used. It’s just out of the end user’s eyeshot.

Additionally, multi-factor authentication (MFA) has been proven to be extremely effective at preventing breaches, because even if a cybercriminal gets hold of a working password, it’s useless without the second factor. By using a single-factor authentication model, Microsoft is arguably taking a step backwards. All a cybercriminal needs to do is steal your phone, security key, or fingerprint, and they can access your Microsoft account.

Here’s some more bad news about Microsoft’s “passwordless future”:

  • You can’t use competing authenticator apps, like Authy and Google Authenticator — only Microsoft Authenticator. Because Microsoft is notorious for wanting to keep their users within the Microsoft ecosystem, it’s unlikely this will change.
  • You still have to sign into your phone with a password, and you have to unlock it using some combination of biometrics and a PIN.
  • You still have to sign into all of your non-Microsoft accounts with a password.
  • What happens if you lose your phone — and access to Microsoft Authenticator? Good question. You may want to make sure that never, ever happens.

Keeper Is the Universal Passwordless Tech

Keeper’s password security and encryption platform brings “passwordless” technology to both individuals and businesses right now, and it works on all apps and websites. In addition to abstracting away complexity by autofilling passwords (and even 2FA codes) on websites and apps, Keeper automatically generates unique, random passwords, making it easy for users to use them for every site. The passwords are still there, but users don’t have to memorize all of them, and they’re stored within a secure vault that can be accessed from any device.

Keeper’s business plans give IT administrators complete visibility into employee password practices, enabling them to monitor adoption of password requirements and enforce password security policies organization-wide. Keeper takes only minutes to deploy, requires minimal ongoing management, and scales to meet the needs of any size organization.

Not a Keeper customer yet? Sign up for a 14-day free trial now! Want to find out more about how Keeper can help your organization prevent security breaches? Reach out to our team today.