
Microsoft could soon be “password free”

Is it the beginning of the end for passwords?

As each New Year rolls by, someone somewhere usually predicts the death of passwords as a trend for the coming months.
Every year so far, they’ve been proved wrong – somehow passwords cling on despite an exhausting list of maladies, mostly to do with how easy they are to forget, steal and misuse.
The moral would seem to be never to listen to predictions about passwords. However, post-Christmas comments by Microsoft chief information security officer Bret Arsenault offer a small but tantalising sign that the password age might finally be nearing its end.
The evidence is usage figures for Windows Hello, the company’s technology for authenticating Windows users using facial recognition.
Hello launched in 2015 as part of Windows 10, and Arsenault said it is now the default way for the company’s 125,000 employees to log in to their computers.

The majority of Microsoft employees already log in to their computers using Windows Hello for Business instead of passwords. Very soon we expect all of our employees will be able to go completely password free.

No surprise that Microsoft might champion its own security technology, but Arsenault goes on to make an argument for replacing passwords that will strike a chord among professionals who manage credentials.

For several decades, the industry has focused on securing devices […] but it’s not enough. We should also be focused on securing individuals. We can enhance your experience and security by letting you become the password.

Whatever one thinks of Windows Hello, or biometrics in general, his observation sounds fair.
Passwords were created for a world of devices and systems, not one in which the need to verify a person’s identity in real time using something more substantial than a string of characters has become pressing.
One view is that multi-factor authentication (MFA) achieves this without abolishing passwords completely, but the counter-argument is that leaving passwords in place is unnecessary, complicated and needlessly insecure.
Better the clean break with the past. As Microsoft says in its Hello marketing spiel – “you are the password.”
A caution is that while facial ID systems abolish passwords – unique data hopefully known only to the user – they don’t abolish the fact that some discrete piece of data must ultimately underpin authentication.
In the case of Hello, that’s biometric data, which has to be stored somewhere; Microsoft recently made clear that somewhere should be inside a Trusted Platform Module (TPM) chip.
As November’s scare over Infineon TPMs reminded us, these are not invulnerable. Changing a compromised password is hard enough but doing the same for a lost face, finger or voice print might be impossible.
Nor, ironically, has Hello itself been immune from security worries, such as the recent research that found that it could be spoofed by nothing more complicated than a specially-made infra-red photograph of the account holder.
Yet the same research also underlined how hard it would be to defeat Hello under real-world conditions.
Getting hold of a high-definition IR photograph of an account holder wouldn’t be trivial, while some of the technical weaknesses revealed by the attack were connected to the immaturity of the camera hardware Hello needs for facial recognition (some cameras don’t support Hello’s advanced anti-spoofing).
It could be the cost and maturity of facial recognition cameras that presents the biggest barrier to Hello, not a reluctance to let go of passwords.
As Microsoft notes:

Already, roughly 70 percent of Windows 10 users with biometric-enabled devices are choosing Windows Hello over traditional passwords.

Which perhaps begs the question of why 30% of users who’ve invested in a camera aren’t using it with Hello.
Perhaps what will unshackle users from passwords will be a patchwork of biometric systems (see Apple’s Face ID as a leading contender), of which Hello will only be one. However much security this claims to add, it won’t necessarily be simpler or cheaper for users.
Will anyone miss passwords when they eventually disappear? That seems unlikely, but at that probably far-off moment there will be plenty of people feeling very nostalgic for the simpler world they served.

28 Comments

I assume this is hype. I have no intention of adding a camera to my desktop (or uncovering the camera on my laptop) so will they remove my ability to secure my computers by getting rid of passwords entirely? I doubt it.

What’s wrong with a fingerprint scanner? The industry has finally gotten them to actually work. We’ve been led to believe nothing is as unique as a fingerprint, have we been lied to?

The fact that we leave fingerprints on everything we touch, and they are fairly easy to copy?
People like the Chaos computer club have demonstrated that they can in a matter of hours create a working fake finger that will fool a scanner from nothing more than a photograph, a laser printer and some wood glue.
Given that, would you trust a fingerprint scanner to protect your touchscreen device from even a jealous spouse, let alone a hardened criminal, when it is probably covered in your fingerprints already?

What about the legal ramifications, where LEOs can force an individual to provide what they are/have (biometrics), and not what they know (passwords), without warrants?

Seriously?
Until technology can decipher/interpret information stored in my brain, keep the option to use a password ‘as well as’ Windows Hello, please.

I’ll still be using passwords far into the future. Probably not a good idea to secure your account with something that you can’t hide. Say cheese!

The article fails to mention how we would be screwed each day when our $5000 PCs won’t recognize our faces and force us to put the password in anyway. A lot of the time there isn’t enough light in the room for mine to work. It makes me look at the screen for a long time and then locks my computer. Real safety and convenience! Fingerprint scan on iPhone is dodgy too. I put the fingerprint into the memory 5 times and I still have to futz around for a long while before it locks me out and I have to put in my password. Thank the maker that it still accepts the password or I’d be throwing out a new phone every day. Face and finger are just to make it quicker to log on, not a replacement for the password; the PCs aren’t better protected when the legitimate user can’t get in.

Remote login? I foresee difficulties for admins and so on – but I expect it can all be worked around . . . somehow!

So what happens if you grow old or are horribly disfigured facially in an accident?

That nags at me whenever facial recognition comes up: What if you’ve been attacked and beaten up, but luckily you still have your phone so you can call for help, only you can’t because it has a facial recognition login and it no longer recognises you?

Microsoft probably expect you to ask your attacker to just work on the midriff so you can at least get help for your injuries by phoning someone or an ambulance. Who knows… you may get a courteous attacker :)

Historically you’ve been able to reach 911 and emergency services without the need of logging in to the phone. In the US at least I believe this is codified into the law, and not just an option that phone providers have given us.

Even if the phone is locked. IIRC, the global GSM emergency number 112 is supposed to work at all times; many other emergency numbers from various countries (e.g. 911, 999, 000) work fine, too. (Apparently, in the UK you can no longer make emergency calls without a SIM, because of ongoing problems with hoax calls, but the phone can be locked.)
Once you have typed in the digits of a recognised emergency number, the phone will offer to place the call right away.

What about employers who want access to an employee’s biometrically secured computer? Or tech consultants hired to work on someone’s computer that is biometrically secured (an IT professional often has to restart the computer or access processes requiring an administrator password)? Or relatives who are trying to access a dead person’s biometrically secured computer? Or simply a friend or relative given permission to use a secured computer? Or a user or those who have permission from the user who want to access the computer remotely?

Presumably Microsoft admins access employee computers after authenticating themselves via Hello (a version of that scenario would apply in the other situations you raise).

> Nor, ironically, has Hello itself been immune from security worries, such as the recent research that found that it could be spoofed by nothing more complicated than a specially-made infra-red photograph of the account holder.
Not too hard, eh? Here’s an Infrared camera for iOS or Android for $199.
[url redacted]
> Getting hold of a high-definition IR photograph of an account holder wouldn’t be trivial…
About as trivial as taking a picture with your smartphone. The high-def model is $399.
[url redacted]

> Microsoft recently made clear should be inside a Trusted Platform Module (TPM) chip.
Aha! Back in 2007 I bought the Lenovo R60e on which I am typing this. I’ve never knowingly used the TPM for anything. There used to be a special disk partition which somehow was accessed via credentials that matched those stored on the TPM. I never was confident about using it, a good thing, since it disappeared when I upgraded to Windows 10. Maybe I could actually use the TPM now. Oh, wait, there’s no camera on this laptop. Oops.

Facial ID (or other biometric systems) sounds good … BUT how about access from another PC, differences in camera resolution, what about the myriad of applications that currently use passwords, or off-site access by technicians. There are many, many things to be worked out before this is ready to roll out.

I have three issues with this:
1) I have no trust in MS, Apple, FB, or any other tech company to take and store my biometrics in a safe and secure manner.
2) What happens when I dye my hair, grow a beard, shave it, grow a moustache, have a stroke… ???
3) I’d have to remove the band-aid from my laptop’s camera and/or take it apart to hook up the microphone again.

Actually it makes a great deal of sense if you replace the password with facial ID AND KEEP 2FA. This alleviates the risk that compromise of the facial recognition gets people through security, unless they also have access to your 2FA e.g. your phone. It adds a great deal to security in normal use because it stops people sharing passwords (with or without the extra security of 2FA) – MPs who give their passwords to their staff take note.
One of the problems I have with biometrics is that it needs some tolerance – my fingerprint recognition on my phone does not work for about a minute after I have washed my hands, and for days if I have been doing DIY handling rough stuff. In order to make biometrics usable in everyday life, the tolerances have to be widened, but if you keep 2FA you still have a secondary method. It’s all about balancing convenience with accuracy and security. Even facial recognition that can be defeated by experts may be better than poor or shared passwords.
