Microsoft Inches Toward a World Without Passwords
Apr 20, 2017 11:14 AM PT
Microsoft on Tuesday announced the general availability of its phone sign-in for customers with Microsoft accounts -- a system that could be the beginning of the end for passwords.
The new system requires that customers add their accounts to the Microsoft Authenticator app, which comes in both iOS and Android versions, noted Alex Simons, director of program management of the Microsoft Identity Division.
After supplying a username, a member will get a mobile phone notification. Tapping "approve" on the app will authenticate the member's information.
The new phone sign-in process is easier than two-factor authentication, according to Simons. 2FA requires users first to enter passwords, and then to enter a code delivered via text or email.
The new process is safer than password-only systems, which can be forgotten, stolen for use in a phishing scheme, or otherwise compromised, he said.
Microsoft Authenticator, introduced last summer, started out as a replacement for earlier authentication apps, both for enterprise use in Azure AD and consumer use in regular Microsoft accounts. The initial version allowed fingerprint authentication in place of passcodes, and offered support for wearables including Apple Watch and Samsung Gear.
Setting up Microsoft's new phone-in system is easy. If customers already have Microsoft Authenticator for their personal accounts, they can select the dropdown button on the account tile and select "enable phone sign-in."
Android users will be prompted to set up the authenticator. iPhones will set up the authenticator automatically. Users who don't have a phone available can elect to access their accounts using a password.
Microsoft has not made the phone sign-in system available to Windows Phone users.
Windows Phone makes up less than 5 percent of the active Authenticator Apps user base, Simons noted, so the company has prioritized iOS and Android. When the system achieves success on those two platforms, Microsoft will consider making it ready for Windows Phone.
The idea of moving away from passwords has been around for years, in part due to their vulnerability to hacking.
Microsoft CEO Satya Nadella and Cloud Platform General Manager Julia White discussed the idea of moving away from passwords at the Government Cloud Forum in November 2015.
Microsoft then employed Windows 10 Password to give customers a smart card level of threat detection, using the card as the first level of protection, then Windows Hello for confirmation through biometrics, such as face recognition, iris scanning or fingerprints.
Better Than 2FA?
The new functionality from Microsoft is not groundbreaking, but it represents a true upgrade from traditional password authentication methods, suggested Rik Ferguson, vice president for security research at Trend Micro.
"This technology is definitely an improvement over using authenticator apps to generate one-time passwords, which can still be hijacked through a man-in-the-browser attack," he told the E-Commerce Times.
The new app represents true two-factor authentication in the same way Apple uses its Trusted Device authentication or Google uses its prompts.
Using interactive prompts or using an out-of-band trusted device like a smartphone rather than one-time passwords from an authenticator app or SMS does away with having data pass through the same browser, Ferguson added.
However the new system doesn't necessarily make logins more secure, Trend Micro Cloud Security VP Mark Nunnikhoven told the E-Commerce Times.
Microsoft's approach substitutes "something you know," the password, with "something you have," the phone, he said, but it is not as strong as genuine two-factor identification.