Why Does Microsoft Want You to Switch from Passwords to Biometrics?
In a recent interview with CNBC, Bret Arsenault, Microsoft's Chief Information Security Officer (CISO), found the perfect words to describe one of the most common cybersecurity misconceptions. When speaking about the methods criminals use to launch attacks, he said that 'hackers don't break in, they log in'.
This is indeed one of the reasons why we have such a big problem. Ordinary users are left with the impression that a cyberattack can only be pulled off by a sophisticated threat actor that has both the skills and the motivation to exploit the latest zero-day vulnerability and crack open apps that have never been hacked before. What people fail to understand is that more often than not, hackers don't really hack anything. They just impersonate the victim by using their login credentials.
The problem with passwords
These login credentials and their weaknesses were at the center of CNBC's piece. To prove his point, Mr. Arsenault reminded us about the events surrounding NotPetya – a 2017 attack that managed to cripple thousands of computers all around the world. The mechanisms that allowed it to spread so quickly made NotPetya especially powerful, and although some of that functionality came from a few leaked NSA hacking tools, experts noted at the time that most of the infections were made possible by the malware's ability to steal admin passwords. Arsenault reckons that the best way to minimize the future risk of attacks like NotPetya is to stop using passwords.
Indeed, there's little point in discussing how flawed the traditional password is. We've already touched upon this particular question, and in any case, anyone who has been faced with the task of creating a new online account or logging in to a very old one can testify just how much of a pain it can be. And yet both individuals and organizations continue to put their most valuable online assets behind the old authentication mechanism that we all know and hate. According to Microsoft, it's high time we stop this.
Microsoft tries to kill off the password (again)
Microsoft's top management has been voicing its concerns about passwords for years now. As some of you may remember, way back in 2004, Bill Gates said that the password was on its way out. Obviously, his prediction hasn't really hit the bullseye, but, credit where credit's due, his multi-billion-dollar behemoth is trying to do something about it. The Windows Hello feature in Windows 10 has been a particularly big project.
Launched in 2015, it provided a way of unlocking supported Windows devices either with a fingerprint or through face recognition. The other day, Microsoft announced that the upcoming version of the biometrics-based authentication system will be FIDO2 certified, and although support is still somewhat limited, the developer of the world's most ubiquitous operating system is trying to prove that logging in with Windows Hello instead of a password can be a reality. In CNBC's interview, Bret Arsenault said that 90% of Microsoft's 135,000 employees access the corporate network without entering a password. This, Microsoft's CISO reckons, is a step towards a "passwordless future".
Should you do what Microsoft does?
Companies like Microsoft wouldn't be where they are today if it weren't for some extremely clever people working for them. These people have said that users should rely on passwords as little as possible, and you should definitely listen to them. You should also realize, however, that the "passwordless future" that Microsoft execs are talking about is still a very distant concept.
Indeed, biometric authentication mechanisms are becoming more and more widespread, especially on mobile devices. That said, experts continue to find security flaws in them, which means that not everyone is ready to fully embrace them. What's more, while unlocking your smartphone or computer through biometrics is now possible, you are still most likely forced to use a traditional password when logging in to your online banking and email accounts via a browser.
In other words, despite all the optimism coming from Microsoft's top brass, you are still more or less stuck with the password. What's more, there's no telling when this might change, which means that you should think about improving the way you treat your login credentials. A solid password management solution would be a good start.