facebook rss twitter

Microsoft asserts that "It’s time to kill the password"

by Mark Tyson on 28 December 2017, 14:31

Tags: Microsoft (NASDAQ:MSFT), Apple (NASDAQ:AAPL)

Quick Link: HEXUS.net/qadpal

Add to My Vault: x

Please log in to view Printer Friendly Layout

Passwords are frustrating for many computer and smart device users. OSes, apps, and websites ask for passwords and passphrases of different lengths and structures (with PINs too sometimes) and then you are supposed to use a different password for different logins and change them at regular intervals to remain secure. While techies can offer up solutions such as password managers, a large number of users still regularly use passwords such as 'password' or '12345' to secure their access/data - and then they share this information when they are not supposed to. Can technology come to the rescue? Microsoft thinks the answer is yes, and furthermore, it thinks it is ready to provide the solution with Windows Hello.

Microsoft has published a lengthy blog post calling for the death of passwords. It refers to typed passwords as a "relic from the early days of computing that has long outlived its usefulness, and certainly, its ability to keep criminals at bay". Research points to weak passwords and stolen id as the premier source of data loss with 81 per cent of major data breaches due to compromised identities last year.

A new approach taken by Microsoft and other leading tech companies hopes to remove this weak link in security by "making you the password". Of course this is referring to the biometric security tech that is growing in popularity across devices and is extending to homes, cars and so on. In Windows we have Windows Hello tech, introduced in Windows 10.

Microsoft says that already roughly 70 percent of Windows 10 users with biometric-enabled devices are choosing Windows Hello over traditional passwords. With this kind of adoption rate we should see this type of security embraced by more and more third party developers too. Microsoft is part of the FIDO (Fast IDentity Online) Alliance which seeks to provide open standards for simpler, stronger authentication. In addition to biometrics FIDO adds hardware and mobile-based authenticators to identity. Other important FIDO members are the likes of Intel, Google, Samsung, Qualcomm, Visa, MasterCard, AMEX, PayPal, eBay, and more.

The creation of the "password-less world" will of course take time, but with the industry weight behind it and important websites and business applications adopting the likes of Windows Hello, we only need wait for the cultural shift to banish passwords forever, thinks Microsoft, as long as the alternative is easier and better.

Biometric security flaws?

Biometric security failures have been in the news in recent months. In November we saw researchers bypassing Apple Face ID with a mask, and days later there were reports of family relatives being able to log-in as their relations (see comments). For Windows Hello, a week or two ago we saw researchers fooling the camera system with a simple photo. However, it was noted that newer versions of Windows 10, with 'Enhanced Anti-Spoofing' hardware configured, were not vulnerable. Even if vulnerable, both Apple and Microsoft's systems are surely an improvement over easily guessable and widely shared passwords.

Apple FaceID failed to secure this lady's iPhone. Her son could easily log in too.



HEXUS Forums :: 30 Comments

Login with Forum Account

Don't have an account? Register today!
No thank you Microsoft. Won't be using Windows Hello, now or ever.
To convince people you need to lay out what this will look like in actual use. How will I transfer biometric authentication between machines, how do I create throwaway logins, how do I get around it if I'm injured and so on.
For me, the most important thing about this technology is that we're still given a choice.

I feel that passwords, at least when I use them, are sufficiently secure.

But at the same time, I'm aware of the inherent weaknesses of passwords when dealing with systems used by the general public, face/voice/iris ID etc. could be preferential if it means that my systems aren't blamed for being hacked in to when someone uses 123456 as their password.
Very technology dependant, and as demonstrated it isn't yet up to the standards it should be.
Passwords have the advantage of being easily, and cheaply implemented.
Biometric security is something we need to pay extra for, and it is still failing to do what it should be.
Big Brother is watching with gleeful interest…