Naked Security

Microsoft is killing passwords one announcement at a time

Windows 10 and Office 365 users can now log in to Azure AD applications using only the Authenticator App.

Microsoft’s quiet campaign to abolish passwords reached another milestone yesterday with the announcement that Windows 10 and Office 365 users can now log in to Azure AD applications using only the Authenticator App.
The change is so simple it makes you wonder why passwords have seemed so fundamental for so long.
Currently, Windows 10 and Azure AD users sign in to their Microsoft accounts with an email address and password and, if two-step verification is turned on, then complete a second step such as an SMS code or a code generated by the Authenticator app.
Now, after signing in with the password one final time to enable the feature, every subsequent sign-in consists of entering the username and approving the notification that pops up in the Authenticator app on Android or iOS.

Approving that notification means passing the smartphone's own unlock check, whether fingerprint reader, facial recognition or PIN, so a password never appears at any point.
It's very similar to Microsoft's Windows Hello face authentication, but without the need to own a PC with a compatible infrared camera. It's also a bit like Google's Prompt, which approves logins using push notifications, but only after the user has already entered a username and, of course, an account password.
Clearly, Microsoft has decided that the app on the smartphone is ready to become the primary factor, whereas Google is evolving in that direction but hasn't yet made the final jump.


The benefits of Microsoft’s new app authentication are twofold:

  1. Password-phishing attacks lose their payoff, because there is no password to steal. The caveat a practitioner will want: the push notification can still be approved in response to a sign-in the attacker started, since nothing in the prompt tells the user who asked or from where, so what is removed is credential theft, not social engineering of the approval itself.
  2. While no more secure than the best types of multi-factor authentication, it is quicker: there are no codes to type and no physical tokens to fumble with.

A possible downside is that it depends heavily on the first factor – the smartphone app – and smartphones aren’t always well secured from physical access if they’re stolen or lost.
The app asks the user to confirm each login using whichever security mechanism is being used by the smartphone itself. On an iPhone that would be Face or Touch ID, while on Android that would be Google’s less battle-hardened equivalents, or perhaps even a simple four-digit PIN code.

Shifting the weak point to the device

These will no doubt improve over time, but anyone who wants to turn on Authenticator sign-in for a Microsoft account today should assess the security of their smartphone first. While it's true that username-and-password access alone is even less secure, it could be argued that abandoning the password completely simply shifts the weak point to the device.
Another emerging approach that adds a greater level of security is to keep the authentication part of the process on a separate physical token such as the YubiKey, version 5 of which was released this week.
The YubiKey 5 adds FIDO2/WebAuthn support, an emerging W3C and FIDO Alliance standard that can also be used in a passwordless, single-factor way. Two things distinguish WebAuthn: the credential is bound to the website's origin, so an assertion obtained by a lookalike site is useless at the real one, and it is a browser standard, so it works with many websites and not only Microsoft's.
Whichever gains traction (and Microsoft also supports WebAuthn, by the way), users could be entering a strange world where, for many people, one factor starts to be better than two.
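To make the difference between the two designs concrete, here is a toy model written for this article (it is not Microsoft's, Google's or Yubico's code, and it simplifies both the push flow and the WebAuthn ceremony). It pits a real-time relay attacker against the username-plus-push approval described above and against an origin-bound FIDO2/WebAuthn-style challenge/response. The hostnames are made up, and an HMAC over a per-credential secret stands in for the public-key signature a real authenticator produces; the point it shows is that the push prompt can be triggered by anyone who knows the username, while the WebAuthn assertion carries the origin and rpId hash, so a relayed assertion fails verification at the genuine site.

```python
# Constructed example for this article, not vendor code. HMAC over a
# per-credential secret stands in for a real public-key signature; hostnames are invented.
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- Design A: username, then a push notification the user approves ----
class PushIdP:
    def __init__(self):
        self.phones = {}          # username -> the human's decision function

    def enroll(self, username, decide):
        self.phones[username] = decide      # decide(prompt) -> True means "Approve"

    def sign_in(self, username):
        """Anyone who knows the username can trigger a push; the prompt carries
        nothing that tells the user which site or session is asking."""
        decide = self.phones.get(username)
        if decide is None:
            return None
        prompt = {"user": username, "request_id": secrets.token_hex(4)}
        return f"session-for-{username}" if decide(prompt) else None


# ---- Design B: origin-bound challenge/response in the style of WebAuthn ----
class FidoAuthenticator:
    def __init__(self):
        self.creds = {}           # rp_id -> credential secret

    def register(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]

    def get_assertion(self, rp_id, client_data_hash):
        key = self.creds.get(rp_id)
        if key is None:                     # no credential for this site
            return None
        auth_data = sha256(rp_id.encode())  # stands in for WebAuthn's rpIdHash
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return {"auth_data": auth_data, "sig": sig}


def browser_get_assertion(authenticator, origin, rp_id, challenge):
    """The browser, not the page, records the origin, and only lets a page claim
    an rp_id that is its own host or a parent domain of it."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} not allowed for origin {origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    assertion = authenticator.get_assertion(rp_id, sha256(client_data))
    if assertion is not None:
        assertion["client_data"] = client_data
    return assertion


class FidoRelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.users, self.challenges = {}, {}   # username -> secret / challenge

    def register(self, username, authenticator):
        self.users[username] = authenticator.register(self.rp_id)

    def begin(self, username):
        self.challenges[username] = secrets.token_hex(16)
        return self.challenges[username]

    def finish(self, username, assertion):
        if assertion is None:
            return None
        cd = json.loads(assertion["client_data"])
        if (cd["origin"] != self.origin                   # signed on a lookalike
                or cd["challenge"] != self.challenges.pop(username, None)
                or assertion["auth_data"] != sha256(self.rp_id.encode())):
            return None
        msg = assertion["auth_data"] + sha256(assertion["client_data"])
        expected = hmac.new(self.users[username], msg, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, assertion["sig"])
        return f"session-for-{username}" if ok else None


def fido_relay_attack(rp, authenticator, victim, phish="https://login-example.evil"):
    """Attacker fetches the real challenge, serves it from a lookalike page and
    relays the result. The browser refuses the real rp_id for the phishing
    origin, and the attacker's own rp_id has no credential to sign with."""
    challenge = rp.begin(victim)
    try:
        assertion = browser_get_assertion(authenticator, phish, rp.rp_id, challenge)
    except ValueError:
        own_rp_id = phish.split("://", 1)[1]
        assertion = browser_get_assertion(authenticator, phish, own_rp_id, challenge)
    return rp.finish(victim, assertion)


def demo(user_taps_approve=True):
    """Returns (push relay result, legitimate FIDO result, FIDO relay result)."""
    idp = PushIdP()
    idp.enroll("alice", lambda prompt: user_taps_approve)
    pushed = idp.sign_in("alice")           # the attacker only needs the username
    rp = FidoRelyingParty("login.example", "https://login.example")
    authn = FidoAuthenticator()
    rp.register("alice", authn)
    legit = rp.finish("alice", browser_get_assertion(
        authn, rp.origin, rp.rp_id, rp.begin("alice")))
    return pushed, legit, fido_relay_attack(rp, authn, "alice")
```

Running `demo()` yields a session for the attacker in the push design whenever the user taps Approve, a session for the genuine WebAuthn sign-in, and `None` for the relayed WebAuthn attempt. The deciding difference is not the number of factors but that the FIDO assertion is signed over the origin the browser observed, which the relying party checks; the push prompt has no equivalent field to check.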

13 Comments

So if you don’t have a smartphone (battery died, or you don’t want/can’t afford one), you can’t access online accounts. Yeah, great plan. Keep the war on the poor going, MS.

Hi Mahhn,
You can still sign in with the password in case the mobile phone is offline for any reason; watch the video above from Microsoft support.
Cheers.

Yes, I see that. I was referring to the story being around: “Microsoft’s quiet campaign to abolish passwords”. I think that was the meat of some of the other comments too.

“abandoning the password completely simply shifts the weak point to the device”
Why abandon the password? Is it not a better solution to keep the ‘multi-factor’ elements in place? I prefer keeping the “something I know” factor – particularly if I’m then prompted on another device (something I have) for approval.
The MS Authenticator app works that way and if the password entry for a resource is no longer required, it will alert me every time someone attempts to login with my username…. duh!
Obviously I wouldn’t tap ‘allow’. But keep that password in place please – it eliminates those concerns and those mentioned above regarding weak points in non-secure devices.
I understand the frustrations with managing multiple passwords, but if we’re talking about a login password to something that down the line provides us with access to other secured resources, then maintaining the multi-factor elements should be of utmost importance.

If you want to log into Windows 10 but there is no internet at the time, how do you do it? If there is no internet connection how will Windows 10 use your phone to authenticate?

I don’t have a ‘smartphone’ and have no need to spend silly money to get one. But I use passwords and PINs as well as TFA when possible. So I am being penalised by Microsoft just because I don’t do what they want me to do.
Daft M$ again.

“A PIN is not a P@ssw0rd”... except now it is. And seriously, who has a truly ‘strong’ password on a mobile device, where typing a long or complex password is a PITA? I don’t know anyone that has a more secure password on their phone than on their computer, email, etc.
What prevents the lazy executive type from enrolling in this and then just turning off password security on the phone?

So, granted they got rid of the most troublesome factor but it’s still single factor. Now, instead of it being “something you know” and “something you have”, it’s just “something you steal” or “something you pick up from the Starbucks where that guy just left it.”

It would be great if Microsoft offered an “On-boarding” process for new mobile devices used for authentication, to be vetted against current risk. Something like ensuring the phone hasn’t been rooted, or malicious apps aren’t residing on the phone before allowing authentication to take place.

I like being able to use the fingerprint reader on my phone as a way to verify my password. But not the only way. I have pulled onto the interstate with my phone sitting on the hood of my car.
If only my phone controlled access I would be screwed. My toddler is the reason I don’t want a key chain accessory to control access also.
User defined passphrases and challenges, not from public records. Not weird complex one time passwords that are either likely to be lost or kept somewhere secure and hard to get to. Not places I lived 20 years ago that someone researching me knows but that I couldn’t remember then. Seems a better way to secure things to me.
So enter your ID, then either verify with your key device or answer riddles three.

71 years young here… have no need for mobile phones, but do want to keep my info safe. Also do NOT want to have facial recognition and/or fingerprint ID… way too 1984 and Big Brother for me. Why can’t sites allow those of us without the fancy phones a two-factor authentication? I am willing to have sites call my unpublished number with a code or have a code emailed to another email address not associated with the site I want to get to. This takes maybe 10-15 seconds longer and I am not in that much of a hurry. Also suggested above was the personal questions authentication… much safer than using a less secure fancy phone or even the email/phone call. It’s what my bank and one of my credit cards uses… would not think of giving these answers to those faulty, insecure credit reporting agencies, which makes it a more secure way to sign in.

Some sites do support voice-based 2FA to landlines (or mobiles for that matter) where the code is read out to you.

