This post is based on Sarah Scott’s Microsoft Ignite session “A World Without Passwords.”
Most data breaches start with a password. This is especially true when it comes to weak, default, duplicate, or stolen passwords.
Microsoft’s Principal PM Manager, Sarah Scott, gave an overview at Microsoft Ignite on how passwords are at the center of a never-ending security onslaught. The best way to get rid of this problem according to her? Get rid of passwords entirely.
“The username/passwords paradigm is more than a hassle; it’s a true security challenge.”
Microsoft Core Services Engineering and Operations (CSEO) consists of security experts who build and run the systems that run Microsoft, and they’re well on their way to eliminating passwords for employees once and for all.
During the session, Sarah went over how to deploy a similar framework in your own organization using Azure Active Directory as well as several ways to get your organization ready for a world without passwords. Here are some of the highlights:
Require Unique Passwords
If you need to keep passwords at your organization, an easy way to make your environment more secure is to ban generic passwords in Azure AD.
Microsoft found that complexity requirements and forced resets aren’t nearly as effective as requiring a unique password. This works against a password spray attack, where an attacker tries a small set of common passwords against many accounts across an environment rather than many passwords against one account.
This tactic can lead to two potential benefits when paired with an extension on password lifetime:
- Users veer away from using seasonal passwords (e.g. Fall 2019), and
- Users become much less likely to provide a password during a phishing attempt.
Although this method doesn’t eliminate passwords, it can provide immediate security benefits before that rollout takes place.
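As an added illustration of what “banning generic passwords” means in practice (example code written for this recap, not Microsoft’s implementation), the check below normalizes common character substitutions, strips banned terms and seasonal patterns, and scores whatever is left. The substitution table and the five-point threshold are loosely modeled on the rules Microsoft documents for Azure AD Password Protection; the banned list, the season-plus-year rule, and the tenant terms are constructed for the example, and fuzzy (edit-distance) matching is left out.

```python
import re

# Constructed banned list for the example; a real deployment starts from Microsoft's
# global banned list and adds tenant-specific terms (company name, products, sites).
GLOBAL_BANNED = {"password", "welcome", "letmein", "qwerty"}

# Substitutions Microsoft documents for Azure AD Password Protection normalization,
# so "P@$$w0rd" and "password" evaluate the same way.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "@": "a", "$": "s"})

# Season + year ("Fall2019", "winter20") is treated as one banned term. This rule is
# constructed for the example, motivated by the seasonal-password problem in the post.
SEASON_YEAR = re.compile(r"(spring|summer|fall|autumn|winter)(19|20)?\d\d")


def normalize(text: str) -> str:
    """Lower-case the text and apply the substitution table."""
    return text.lower().translate(SUBSTITUTIONS)


def score_password(pw: str, tenant_terms=()):
    """Return (score, matched_terms).

    Scoring mirrors the documented Azure AD idea: every banned term found is worth
    one point, every character left after removing banned terms is worth one point,
    and a password needs at least five points to be accepted. Removing a banned
    term first means "Contoso2019" is scored as 1 + 4, not as 11 characters."""
    lowered = pw.lower()
    matched = []
    # Check the season+year pattern before substitution, because the table would
    # rewrite "2019" to "2ol9" and break the digit match.
    m = SEASON_YEAR.search(lowered)
    if m:
        matched.append(m.group(0))
        lowered = lowered.replace(m.group(0), "", 1)
    remaining = lowered.translate(SUBSTITUTIONS)
    terms = {normalize(t) for t in (*GLOBAL_BANNED, *tenant_terms)}
    # Longest terms first so "password" is consumed before a shorter term inside it.
    for term in sorted(terms, key=len, reverse=True):
        while term in remaining:
            matched.append(term)
            remaining = remaining.replace(term, "", 1)
    return len(matched) + len(remaining), matched


def is_acceptable(pw: str, tenant_terms=(), min_score: int = 5) -> bool:
    """True when the password scores at least min_score points."""
    score, _ = score_password(pw, tenant_terms)
    return score >= min_score


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Fall2019", "ContosoBlank12", "mauve-kettle-orbit-91"):
        score, hits = score_password(candidate, tenant_terms=("Contoso", "Blank"))
        verdict = "accepted" if is_acceptable(candidate, ("Contoso", "Blank")) else "rejected"
        print(f"{candidate:24} score={score:<3} banned={hits} -> {verdict}")
```

The point of scoring the remainder rather than simply rejecting on a match is that a long password which happens to contain a banned word (“ContosoBlank123”) is still fine, while a short one that is nothing but a banned word dressed up with substitutions (“P@ssw0rd”, “Fall2019”) scores one point and is rejected.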
Enable Password-less Credentials
Two-factor authentication methods teach users not to rely on a password and incrementally move them away from the password experience.
These two-factor methods tie credentials to a device with a biometric or PIN. With this, your users can begin to adapt to authentication without a password.
But isn’t a PIN just another version of a password? As Scott explains, a PIN interacts directly with the device it’s being used on, unlike a password, which is transferred over a wire or the internet.
To learn more about password-less two-factor authentication methods, check out this Microsoft Ignite session by Libby Brown.
Adopt Modern Authentication
Old tech stacks won’t immediately support password-less authentication, so it’s important to update your device standard. This way you can move towards standards-based modern authentication protocols.
If you’re using a Microsoft tenant you can utilize Azure Active Directory, but any identity service provider you’re using will be able to support modern authentication protocols.
Remember, it’s never too early to get your application developers started on enabling password-less flows in your environment.
Block Basic Authentication
Authentication methods that rely only on a password are referred to as basic or legacy authentication protocols. Microsoft is identifying these protocols and then blocking them.
In your organization, basic authentication endpoints that aren’t being actively used are still available to malicious actors.
To move forward, your organization should get started with gathering sign-in logs and information to understand where basic authentication is and isn’t being used.
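The two analyses this section and the Require Unique Passwords section call for, spotting a password spray in sign-in data and inventorying where basic authentication is still used, are shown together below as an added example written for this recap (not Microsoft’s code or a Microsoft API). The records are constructed inline using the field names Azure AD sign-in logs carry (userPrincipalName, ipAddress, clientAppUsed, status.errorCode); the legacy clientAppUsed labels and the 50126 invalid-credential error code are as I know them from Azure AD and should be checked against your own tenant’s logs before relying on them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Azure AD error code for a wrong password or unknown account (assumed from Azure AD
# documentation; verify against your tenant's sign-in logs).
ERR_INVALID_CREDENTIALS = 50126

# clientAppUsed values that indicate basic/legacy authentication. Labels as I know them
# from Azure AD sign-in logs; "Browser" and "Mobile Apps and Desktop clients" are modern.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Exchange Web Services",
    "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)", "Exchange Online PowerShell",
    "Autodiscover", "Offline Address Book", "Other clients",
}


def _rec(ts, upn, ip, app, code):
    """Build one constructed sign-in record shaped like an Azure AD sign-in log entry."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": app, "status": {"errorCode": code}}


# Constructed sample data (TEST-NET addresses, fictional accounts).
SAMPLE_SIGNINS = [
    # Spray pattern: one source, one failure per account, six accounts in six minutes.
    *[_rec(f"2019-11-05T09:0{i}:00Z", f"user{i}@contoso.example", "203.0.113.45",
           "IMAP4", ERR_INVALID_CREDENTIALS) for i in range(6)],
    _rec("2019-11-05T09:06:00Z", "user5@contoso.example", "203.0.113.45", "IMAP4", 0),
    # Ordinary forgotten-password failures: one account, then a successful modern sign-in.
    _rec("2019-11-05T10:00:00Z", "alice@contoso.example", "198.51.100.7", "Browser", ERR_INVALID_CREDENTIALS),
    _rec("2019-11-05T10:01:00Z", "alice@contoso.example", "198.51.100.7", "Browser", ERR_INVALID_CREDENTIALS),
    _rec("2019-11-05T10:02:00Z", "alice@contoso.example", "198.51.100.7", "Browser", 0),
    # Legacy protocols still in real use, plus one modern client for contrast.
    _rec("2019-11-05T11:00:00Z", "bob@contoso.example", "198.51.100.20", "Exchange ActiveSync", 0),
    _rec("2019-11-05T11:30:00Z", "carol@contoso.example", "198.51.100.21", "Authenticated SMTP", 0),
    _rec("2019-11-05T12:00:00Z", "dave@contoso.example", "198.51.100.22", "Mobile Apps and Desktop clients", 0),
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, min_accounts=5, window=timedelta(hours=1)):
    """Return {ip: sorted accounts} for sources whose invalid-credential failures hit at
    least min_accounts distinct accounts inside window. A spray tries a few passwords
    against many accounts, so per-account lockout never fires; grouping failures by
    source instead of by user is what makes it visible."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == ERR_INVALID_CREDENTIALS:
            failures[r["ipAddress"]].append((_ts(r), r["userPrincipalName"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding time window over sorted failures
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_accounts:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


def successes_from(records, ip):
    """Accounts that signed in successfully from ip; after a spray from the same source,
    these are the credentials to reset first."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["ipAddress"] == ip and r["status"]["errorCode"] == 0})


def legacy_auth_inventory(records):
    """Map each legacy clientAppUsed value to the accounts that successfully used it:
    the list to work through before blocking basic authentication tenant-wide."""
    inventory = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == 0 and r["clientAppUsed"] in LEGACY_CLIENT_APPS:
            inventory[r["clientAppUsed"]].add(r["userPrincipalName"])
    return {app: sorted(users) for app, users in inventory.items()}


if __name__ == "__main__":
    for ip, accounts in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"possible spray from {ip}: {len(accounts)} accounts, succeeded for {successes_from(SAMPLE_SIGNINS, ip)}")
    for app, users in legacy_auth_inventory(SAMPLE_SIGNINS).items():
        print(f"legacy auth still used via {app}: {users}")
```

Notice that the sample spray arrives over IMAP4: legacy protocols carry only a password, so they are where a spray lands and why the inventory and the block go together. In a real tenant, export the sign-in log for a representative period (at least a month, to catch scheduled jobs and occasional users) before reading the inventory as complete.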
Scott explains that preventing cyber-attacks on user authentication starts with not even having user passwords to begin with.
Get your users comfortable with two-factor authentication, make sure that password changes are being executed in a phased rollout, enable modern authentication, and block legacy authentication. These are all ways for you to get started with a password-free environment.
Prepare your environment to be password-free by making progress on any of these steps. Good luck on your journey to a password-less future!