How Microsoft can help you go passwordless this World Password Day
Microsoft Security Blog, published May 4, 2023 (last modified May 15, 2023)
https://www.microsoft.com/en-us/security/blog/2023/05/04/how-microsoft-can-help-you-go-passwordless-this-world-password-day/

It’s that time of year again. World Password Day is May 4, 2023.[1] There’s a reason it’s still going strong 10 years after being created by cybersecurity professionals. A recent study that analyzed more than 15 billion passwords found that the top 10 most popular passwords still include easy-to-crack combinations like “123456” and “qwerty.”[2] With that level of security, many organizations are essentially leaving the front door open. Sharing your password for a streaming service may seem harmless (their accountants might disagree), but this behavior sometimes bleeds into the workplace, where weak or shared employee passwords often become one of the largest security threat vectors that companies face.

In 2022, Microsoft tracked 1,287 password attacks every second (more than 111 million per day).[3] Phishing is an increasingly favored attack method, up 61 percent from 2021 to 2022.[4] And our data for 2023 shows that this trend is continuing. Passwords should play no part in a future-looking credential strategy. That’s why you don’t need a password for Microsoft Accounts—hundreds of thousands of people have deleted their passwords completely.[5]

For stronger, streamlined security, Microsoft passwordless authentication can help your organization eliminate password vulnerabilities while providing simplified access across your entire enterprise. In honor of World Password Day, this blog will help you make the case to your organization that when it’s time to “verify explicitly” as part of a Zero Trust strategy, modern strong authentication using phishing-resistant passwordless credentials provides the best security and an excellent return on investment (ROI).

Go passwordless for simplicity, security, and savings

If you’ve read my blog on why no passwords are good passwords, you know my feelings on this subject. To quote myself: “Your password isn’t terrible. It’s definitely terrible, given the likelihood that it gets guessed, intercepted, phished, or reused.” As Microsoft Chief Information Security Officer Bret Arsenault likes to say, “Hackers don’t break in—they log in.”

Passwords alone are simply not sufficient protection. Old-fashioned multifactor authentication bolts a second factor onto a password to add a layer of protection, but the most popular of these—telephony—is also the most problematic (see my blog about hanging up on phone transports to understand why telephony is a poor option for multifactor authentication). Even with strong methods, like using Microsoft Authenticator to augment a password, you still have the vulnerability of the password itself. The best password is no password—and you can get there today with Windows Hello, security keys, or, my favorite, Microsoft Authenticator.

[Figure 1: graphic comparing identity protection methods]

Figure 1. Identity protection methods are not made equal; certain protections are far more secure than others.

In 2022, Microsoft committed to the next step of making passwords a thing of the past by joining with the FIDO Alliance and other major platforms in supporting passkeys as a common passwordless sign-in method. Passkeys aim to replace passwords with something that is not only more cryptographically sound but also as easy and intuitive to use as a password. Passwordless technology based on the Fast Identity Online (FIDO) standards, such as Windows Hello, strengthens security by doing the verification on the device rather than passing user credentials through an (often vulnerable) online connection. It also provides a simplified user experience, which can help boost productivity as well.

That was the goal when longtime Microsoft collaborator Accenture decided to simplify their user experience by removing the requirement for password authentication. With 738,000 employees spread across 49 countries, the company decided it was in its best interest to make their identity and access management (IAM) automated and easy. Accenture chose the Microsoft Authenticator app, Windows Hello for Business, and FIDO2 security keys as its passwordless authentication solutions. As described in their case study, the results are already being felt: “The adoption of passwordless has led to faster login times, more reliable experience, fewer failed authentications, and improved overall security posture.”[6]

Whether you’re part of a global organization like Accenture or a small startup, the authentication methods policy in Microsoft Azure Active Directory (Azure AD)—now part of Microsoft Entra—allows your IAM team to easily manage passwordless authentication for all users from a single pane of glass. Even better, a recent Forrester Consulting study found that a composite organization based on interviewed customers securing its business apps with Azure AD benefited from a three-year 240 percent ROI (a net present value of USD8.5 million over three years) while reducing the number of password reset requests to its help desk by a significant 75 percent annually.[7]

Multifactor authentication can’t do it all

A 2021 report by the Ponemon Institute found that phishing attacks were costing large United States-based companies an average of USD14.8 million annually.[8] That’s way up from 2015’s figure of USD3.8 million. Microsoft alone blocked 70 billion email and identity attacks in 2022. But on the positive side, multifactor authentication has been shown to reduce the risk of compromise by 99.9 percent for identity attacks.[9] That’s a pretty stellar statistic, but it’s not bulletproof; especially when considering that SMS is 40 percent less effective than stronger authentication methods.[10] Attackers are always learning and improvising, as shown in the rise of multifactor authentication fatigue attacks. In this type of cyberattack:

1. The threat actor uses compromised credentials (often obtained through a phishing attack) to initiate an access attempt to a user’s account.
2. The attempt triggers a multifactor authentication push notification to the user’s device, such as “Did you just try to sign in? Yes or no.”
3. If the targeted person doesn’t accept, the attacker keeps at it—flooding the target with repeated prompts.
4. The victim becomes so overwhelmed or distracted, they finally click “yes.” Sometimes the attacker will also use social engineering, contacting the target through email, messaging, or phone pretending to be a member of the IT team.

One widely publicized multifactor authentication fatigue attack happened in September 2022, when an 18-year-old hacker used the compromised credentials of a contractor to gain access to a major rideshare company’s internal networks. Once inside, he was able to access tokens for the company’s cloud infrastructure and critical IAM service. Our research was ahead of this type of attack back in 2021 when we built multifactor authentication defenses into the Authenticator app, including number matching and additional context. To learn more, be sure to read my blog post: Defend your users from multifactor authentication fatigue attacks.

All identity protection rests on Zero Trust

Zero Trust is just another way of describing proactive security, meaning the measures you should take before bad things happen, and it’s based on one simple principle: “Never trust; always verify.” In today’s decentralized, bring-your-own-device (BYOD), hybrid and remote workplace, Zero Trust provides a strong foundation for security based on three pillars: