Eradicating passwords – first steps of a year-long journey
What an announcement! In case you haven’t heard, Microsoft has officially embarked on a journey to eradicate passwords in enterprises. The article has been published on the Azure Blog, and there is already a new entry page: aka.ms/gopasswordless.
That makes Microsoft the first company that not only talks about passwords and gives advice on good and bad ones (here’s an earlier whitepaper about passwords), but now actively seeks to eradicate passwords in both the enterprise and the personal space. With identity as the centerpiece for modern workers, that may be a key change for protecting corporate assets. However, being the centerpiece may also mean that enterprises will be disrupted, and users must change their way of working to kiss passwords goodbye, no?
Why passwords need to go
We’ve all been there, taking the easy route for either a corporate password or access to a personal web site. It’s only human to be lazy with a piece of information that isn’t near and dear to your heart, even though it shouldn’t be that way. Who could blame their end users?
Let’s be honest, passwords are:
- Shitty to remember, because they must be complex and contain numbers
- Annoying to enter, the more complex they are
- Painful to enter on a shiny device that doesn’t come with a keyboard
- Never unique, because I can use the same one in many places with varying levels of protection (corporate resources, PayPal, eBay, Dave’s Garage Webshop, Tailspin Toys China).
Over the years, we’ve maneuvered our end users into a state where we require complex passwords, which made them write passwords down or figure out one good password and then iterate a number at the end (“ContosoPassword!1”, “ContosoPassword!2” or “ContosoSummer2018”, “ContosoAutumn2018”, …).
What is Microsoft doing?
Instead of passwords, Microsoft will use other means to protect people’s identities. Usually that’s a secret or a changing code on a device, protected by a PIN, biometrics, or some other unique or even personalized way of unlocking. In addition, the goal is to ease some of the deployment pain that earlier technologies had (think smart cards).
There are different ways:
- Protect credentials through biometrics and only unlock them with the right face, fingerprint, or blood sample (just kidding)
- Use proven protocols and practices to verify the credentials once unlocked (OATH, certificates, keys), transmitted and verified via well-known industry protocols
- Make it so that the deployment is easy and not a nightmare
This may succeed if the following factors are true, and yes, this will take some time:
- Users can carry this extra thing around (think token, smart phone, small key), or at best don’t carry anything extra: their face or thumbprint.
- Deployment and roll out must be as seamless as possible.
- It works on-premises just as nicely as it does in the cloud; many companies are not “cloud only” and won’t be for quite some time, that’s just a reality.
- We can eradicate all entry points where there’s a traditional password prompt and a user must remember their password
There are already some companies who have started to think about passwords differently. Since passwords must be complex, and users, once they have a good one, tend to change it only by slight variations, there’s little value in having users change a *decent* password every 90 days. So why not have users change their password only once a year, and make sure they choose a good one?
So what organizations do is:
- Educate users and continue the battle
- Remove clear text password transmission and old protocols where passwords are still used
- Try to ensure people choose good passwords and don’t choose crappy ones (have you looked at Azure AD Password Protection, in preview now?)
- Adapt the password change interval to six (6) months or even once a year.
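To make the “choose a good password” check concrete, here is an added example (not Microsoft’s code, and not the actual Azure AD Password Protection algorithm) that mimics the banned-word idea: it lower-cases a candidate, undoes common leet substitutions, marks every banned word and four-digit year it finds, and scores whatever is left. The banned list, the year rule and the threshold of 5 points are assumptions chosen for illustration, and the sample passwords are constructed; the point is that the page’s own “ContosoPassword!1” and “ContosoSummer2018” variants score almost nothing once the predictable parts are removed.

```python
import re

# Common substitutions users apply to dodge dictionary checks (assumed set).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})

# Constructed banned list: company/product names plus seasons. A real
# deployment would combine a global list with tenant-specific terms.
BANNED = {"contoso", "password", "tailspin", "welcome", "qwerty",
          "spring", "summer", "autumn", "fall", "winter"}

# Four-digit years count as a banned token too (our addition for this example).
YEAR = re.compile(r"(?:19|20)\d{2}")

MIN_SCORE = 5  # assumed threshold


def evaluate(password):
    """Score a candidate password.

    One point per distinct banned token found, one point per unique character
    outside any banned token. Tokens are searched in the lower-cased input and
    in a de-leeted copy; translate() maps one char to one char, so positions
    line up between the two forms.
    """
    plain = password.lower()
    deleet = plain.translate(LEET)
    covered = [False] * len(plain)
    found = set()

    for form in (plain, deleet):
        for tok in BANNED:
            for m in re.finditer(re.escape(tok), form):
                found.add(tok)
                for i in range(m.start(), m.end()):
                    covered[i] = True

    for m in YEAR.finditer(plain):
        found.add(m.group())
        for i in range(m.start(), m.end()):
            covered[i] = True

    remainder = {c for i, c in enumerate(plain) if not covered[i]}
    score = len(found) + len(remainder)
    return {"password": password, "banned": sorted(found),
            "score": score, "accepted": score >= MIN_SCORE}


if __name__ == "__main__":
    # Constructed samples: the page's own variants, a leet classic, a passphrase.
    for pw in ("ContosoPassword!1", "ContosoSummer2018", "P@ssw0rd",
               "Tailspin2019!", "correct-horse-battery-staple"):
        print(evaluate(pw))
```

Run it and the two Contoso variants come out at 4 and 3 points, “P@ssw0rd” at 1, while the passphrase scores 13 because none of it is predictable. The design choice worth noting is scoring on unique characters outside the banned tokens rather than on length: it is what stops a user from “fixing” a rejected password by appending another digit.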
Clearly, this is a journey that Microsoft is undertaking, and it will take time to eradicate passwords entirely. Ultimately, this is not a question that one identity or platform provider can solve alone, but a question of industry-wide cooperation to do the right thing and build applications that support all of this, and of customers pushing for innovation to get these apps modernized.
There are a number of things, however, that you can do today to ease the “password pain”:
- Go deploy Windows Hello for Business today. This gives your users convenient SSO to Windows AD as well as Azure AD applications, and it’s true multi-factor authentication every time the user unlocks their device (1st factor: a PIN or their biometrics; 2nd factor: their device, which holds a secret/key that’s protected by the first factor and can’t leave the device).
- Eradicate all “special” applications that keep their own login logic, password prompts and user stores. Make them talk modern protocols (OpenID Connect, OAuth for authorization, etc.)
If you are an Azure AD customer, these are additional to-dos:
- Look at password protection for Windows AD through Azure AD
- Deploy the Microsoft Authenticator app to your users’ corporate phones. There is a preview for password-less sign-in with your phone, using the Microsoft Authenticator app.
- Look at switching off “legacy authentication” for Office 365 and Azure AD in general. That prevents flows that still use “traditional”, non-modern authentication from authenticating, so you can kiss old, weak protocols such as SMTP and POP goodbye, as described here (beware: this needs a good understanding of your client landscape, and testing).
- Use Azure MFA and SSPR today and have your users enroll in the service, so they can unlock and use the plethora of non-password MFA options that are available today.
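The “understand your client landscape” caveat on switching off legacy authentication is where most of these projects stall, so here is an added example (not Microsoft’s tooling) that triages exported Azure AD sign-in records before the policy is turned on. The field names follow the Microsoft Graph sign-in schema (clientAppUsed, userPrincipalName, appDisplayName, status.errorCode); which clientAppUsed values count as modern is an assumption to adjust for your tenant, and the records themselves are constructed.

```python
import json
from collections import Counter, defaultdict

# Assumption: anything that is not one of these two clientAppUsed values is a
# legacy (basic-auth) flow that a "block legacy authentication" policy stops.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sign-in records, one JSON object per line, in the shape of the
# Microsoft Graph signIn resource (trimmed to the fields used here).
SAMPLE_SIGNINS = """\
{"createdDateTime": "2018-10-02T07:14:11Z", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"createdDateTime": "2018-10-02T07:20:43Z", "userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP", "status": {"errorCode": 0}}
{"createdDateTime": "2018-10-02T07:31:09Z", "userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}}
{"createdDateTime": "2018-10-02T08:02:55Z", "userPrincipalName": "dave@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}}
{"createdDateTime": "2018-10-02T08:10:12Z", "userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
{"createdDateTime": "2018-10-02T09:45:00Z", "userPrincipalName": "erin@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Other clients", "status": {"errorCode": 0}}
"""


def is_legacy(client_app_used):
    return client_app_used not in MODERN_CLIENTS


def triage(jsonl, include_failures=False):
    """Summarise legacy-auth usage: sign-ins per protocol and the users behind them.

    Only successful sign-ins count by default: those are the ones that will
    break when legacy auth is blocked. Failed attempts, which are often noise
    rather than a real client, are included only when asked for.
    """
    counts = Counter()
    users = defaultdict(set)
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        client = rec["clientAppUsed"]
        if not is_legacy(client):
            continue
        if rec["status"]["errorCode"] != 0 and not include_failures:
            continue
        counts[client] += 1
        users[client].add(rec["userPrincipalName"])
    return {"counts": dict(counts),
            "users": {k: sorted(v) for k, v in users.items()}}


def affected_users(jsonl):
    """Everyone who successfully used a legacy protocol: the migration list."""
    summary = triage(jsonl)
    return sorted({u for group in summary["users"].values() for u in group})


if __name__ == "__main__":
    summary = triage(SAMPLE_SIGNINS)
    for client, n in sorted(summary["counts"].items()):
        print(f"{client:32} {n:3}  {', '.join(summary['users'][client])}")
    print("users to migrate before blocking:", affected_users(SAMPLE_SIGNINS))
```

On the constructed data, bob, carol and erin show up as the people whose IMAP, ActiveSync and “Other clients” sign-ins would break; dave’s failed SMTP attempt is deliberately excluded by default. Run the same triage over a real export covering at least a full month, because the legacy clients you most need to find (a scanner that mails via SMTP, a quarterly reporting script) are exactly the ones that do not sign in every day.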