News

Microsoft Describes Roadblocks To Going Password-Free

• By Kurt Mackie
• 07/15/2019

Not even Microsoft itself has been able to completely eliminate the use of passwords in its facilities, a testament to the obstacles facing organizations that want a password-free future.

"Currently over 90 percent of our employees are able to sign in to our network without entering a password," according to a post by Bret Arsenault, corporate vice president and CISO at Microsoft. Microsoft is aiming to eliminate passwords across its organization "in about 18-24 months," he added.

One of the stumbling blocks to a passwordless future is legal compliance requirements. The use of user names and passwords is required in some industry segments.

"Until the regulations catch up with the technology, the people in this segment will be forced to continue using passwords," Arsenault explained. To ease matters, he recommended that organizations create two user groups, one group for users subject to the current compliance restrictions and another group for everyone else.

Legacy Authentication
The group that needs to use user names and passwords may be tied to so-called "legacy authentication" protocols use, which Microsoft also refers to as "basic authentication." This technical restriction may be the biggest obstacle to eliminating passwords.

Organizations can face issues when attempting to disable basic authentication because some applications, such as older Microsoft Office apps and apps using certain e-mail protocols (IMAP, POP and SMTP), still use it. These apps and services could get broken if basic authentication gets disabled.

Microsoft described the steps to block basic authentication in this document.

Only organizations purely using cloud services won't be affected by blocking basic authentication, Arsenault explained:

This step [of blocking basic authentication] is time consuming, laborious, and can create headaches when it occasionally breaks services. If your company is already completely in the cloud, and doesn't have any legacy authentication anywhere, you can eliminate passwords very quickly. For the rest of us, it will take longer. 

Another reason for blocking basic authentication is that it doesn't support multifactor authentication, which is a key part of Microsoft's passwordless vision. Multifactor authentication is an added security precaution that involves using a secondary means besides a password to confirm a user's identity. Individuals have to confirm their identities via a response to an automatically sent text message or phone call, for instance.

Hardware Requirements
Microsoft described a few other organizational requirements for going without passwords. Hardware devices should be upgraded to have support for biometric authentication (the use of face scans via a camera or use of a fingerprint reader, for example). They should also be upgraded to include support for Trusted Platform Module 2.0 or FIDO2 or newer versions.

Microsoft recently announced a preview of FIDO2 support for Azure Active Directory, which lets organizations test the use of FIDO2-based cards, USB thumb drives or dongles to sign into Azure AD accounts without passwords. FIDO2, or FAST Identity Online 2.0, is a Web standard for user authentications without passwords that's supported by some device makers and software vendors.

If organizations can't get rid of passwords, Arsenault recommended creating a list of banned passwords using the Azure AD Password Protection service, which became commercially available back in April. The service also blocks the use of common passwords, such as "123456" and "password1," which typically get tried by attackers.

"Taking any of the steps I've outlined above will help improve your security environment, even if the total elimination of passwords is something you won't achieve for years," Arsenault concluded.