Microsoft wants to banish 'inconvenient, insecure, and expensive' passwords. So what's going to replace them?
Microsoft wants to banish the use of passwords to log into Windows devices, and has showcased some of the new technologies it wants to use to make this happen.
"Nobody likes passwords. They are inconvenient, insecure, and expensive. In fact, we dislike them so much that we've been busy at work trying to create a world without them -- a world without passwords," said Karanbir Singh, principal program manager for enterprise and security at Microsoft, in a blog post.
Singh said the goal was to make it possible for end users to never deal with a password in their day-to-day lives, and to provide instead user credentials that cannot be cracked, breached, or phished.
For Microsoft, multi-factor authentication and biometrics are seen as a good replacement for passwords -- using a physical key, and/or your face or fingerprint, to log into your device instead of a string of letters and numbers.
Singh said that Microsoft's Windows Hello biometric log-in is now being used by over 47 million users and that more than 5,000 businesses have deployed Windows Hello for Business, which is used on over one million commercial devices.
Another technology in the mix is the Microsoft Authenticator app, which allows you to access your Microsoft account using your mobile phone.
Singh said that as part of the Windows 10 April 2018 Update, with Windows 10 in S mode, cloud users -- using Managed Service Account or Azure Active Directory -- can now use their Windows 10 PC (with S mode enabled) without ever having to enter their passwords, by using the authenticator app and Windows Hello.
Microsoft said that, following the ratification of Fast Identity Online (FIDO2) security keys by the FIDO working group, it is now updating Windows Hello to enable secure authentication in more scenarios.
Singh said that Microsoft is also working on a private preview for shared PCs to allow users to log on using FIDO2 security keys, allowing staff to carry their credentials with them and authenticate to any Azure AD-joined Windows 10 shared PC that is part of their organization.
With this, a user can walk up to any device belonging to the organization and authenticate in a secure way without the need to enter a username and password or set up Windows Hello beforehand. The Windows Hello FIDO2 security key feature is now in limited preview: customers can register for the waitlist if they want to be involved, said Singh.
Scenarios where this could be useful include at a helpdesk, where an employee can walk up to any device and log in using Windows Hello rather than username and password, or in healthcare where medical staff need access to patient records on a device no matter where the patient is located.
Microsoft has previously said that its partners are working on a variety of security key form factors. The security key holds the credential and can be protected with an additional second factor, such as a fingerprint reader integrated into the security key or a PIN entered at Windows sign-in.
Some examples include USB security keys and NFC-enabled smartcards, or possibly applications on a smartphone that comply with the FIDO2 specification.
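The article describes why a FIDO2 security key cannot be phished or replayed but does not show the mechanism. The following Go program is an added example, not Microsoft's or the FIDO Alliance's code, that models the core of a FIDO2 assertion in simplified form: the private key never leaves the key, the relying party (RP) stores only a public key and a signature counter, the signed data binds the assertion to a hash of the RP ID, and a flag records whether the user was verified with a PIN or fingerprint on the key. The RP IDs, challenge bytes and the reduction of clientData to a hash of the challenge are constructed for illustration. It goes slightly beyond the article by also showing what the RP rejects: an assertion made for a different (look-alike) origin, a replayed assertion, and one made without user verification.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	flagUP byte = 0x01 // user present (touched the key)
	flagUV byte = 0x04 // user verified (PIN or fingerprint on the key)
)

// Authenticator models a FIDO2 security key: it holds the private key and a
// monotonically increasing signature counter, and never exports the key.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Credential is what the relying party stores after registration:
// only the public key and the last counter value it accepted.
type Credential struct {
	pub     *ecdsa.PublicKey
	counter uint32
}

// Assertion is the authenticator's answer to a login challenge.
type Assertion struct {
	AuthData       []byte   // sha256(rpID) || flags || counter
	ClientDataHash [32]byte // simplified here to sha256(challenge) (constructed)
	Signature      []byte   // ECDSA P-256 over sha256(AuthData || ClientDataHash)
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register hands the RP the public half of the credential only.
func (a *Authenticator) Register() Credential {
	return Credential{pub: &a.priv.PublicKey, counter: a.counter}
}

// authData builds the 37-byte authenticator data: rpIdHash || flags || counter.
func authData(rpID string, flags byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	buf := make([]byte, 0, 37)
	buf = append(buf, h[:]...)
	buf = append(buf, flags)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	return append(buf, c[:]...)
}

// Assert signs a challenge for the RP ID the client (browser/OS) presents.
// A phishing origin can only obtain an assertion bound to its own RP ID hash.
func (a *Authenticator) Assert(presentedRPID string, challenge []byte, userVerified bool) Assertion {
	a.counter++
	flags := flagUP
	if userVerified {
		flags |= flagUV
	}
	ad := authData(presentedRPID, flags, a.counter)
	cdh := sha256.Sum256(challenge)
	msg := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	return Assertion{AuthData: ad, ClientDataHash: cdh, Signature: sig}
}

// Verify is the RP-side check; on success it advances the stored counter.
func Verify(cred *Credential, rpID string, challenge []byte, as Assertion, requireUV bool) error {
	if len(as.AuthData) != 37 {
		return errors.New("malformed authenticator data")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for a different origin")
	}
	flags := as.AuthData[32]
	if flags&flagUP == 0 {
		return errors.New("user presence not asserted")
	}
	if requireUV && flags&flagUV == 0 {
		return errors.New("user verification (PIN/fingerprint) required but absent")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:37])
	if counter <= cred.counter {
		return errors.New("signature counter did not increase: replay or cloned key")
	}
	if as.ClientDataHash != sha256.Sum256(challenge) {
		return errors.New("challenge mismatch")
	}
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), as.ClientDataHash[:]...))
	if !ecdsa.VerifyASN1(cred.pub, msg[:], as.Signature) {
		return errors.New("bad signature")
	}
	cred.counter = counter
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	cred := auth.Register()
	challenge := []byte("constructed-challenge-1") // RP would use random bytes
	good := auth.Assert("login.example.test", challenge, true)
	fmt.Println("genuine login:", Verify(&cred, "login.example.test", challenge, good, true))
	phished := auth.Assert("login.example-evil.test", challenge, true)
	fmt.Println("relayed from look-alike site:", Verify(&cred, "login.example.test", challenge, phished, true))
}
```

The RP ID check is what the article's "cannot be phished" claim rests on: the key signs over the hash of whatever RP ID the client presents, so an assertion collected by a look-alike site does not verify at the genuine one. The counter check is a defender's signal for a cloned key, and the UV flag lets the RP insist on the PIN or fingerprint step described above.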