A few days ago, Microsoft announced they are enabling Passwordless for anyone using a consumer Microsoft Account. The feature will be rolled out over the coming weeks. We would like to thank Microsoft for sharing our vision of a future freed from passwords. This marks a giant leap forward in the mission to create a passwordless world.
We can imagine Microsoft’s internal cheering as their consumer base goes passwordless: the Risk Management team’s satisfaction with each enrollment, and the knowledge that there is one less phishing target and one less password valid in the wild.
We see the same revelation and relief in HYPR customers. The threat landscape may keep shifting for their business, but passwordless MFA eliminates its biggest target. Risk is mitigated for the user and for the business.
The move by Microsoft has an impact beyond consumer user experience and security posture. Adoption of passwordless is a shift in user behavior, an acceptance of devices and native biometrics as the preferred way to authenticate.
What This Means for the Enterprise
Microsoft bringing passwordless to their consumers will help everyone better understand the value, effectiveness and necessity of authentication that removes the riskiest factor of all — the password.
Microsoft’s consumers are your employees and customers. By exposing their many millions of consumers to passwordless authentication, Microsoft will lower the barrier to adopting this new user experience and reduce the education needed. Authentication via smartphone or FIDO2-enabled device (Windows Hello, Mac Touch ID, iPhone Touch ID or Face ID, Android native biometric sensors) will become second nature. Your workforce and customers will expect the same simplicity of passwordless authentication that they enjoy as consumers.
While this is a great milestone for Microsoft consumers, enterprises have complex environments with cloud, hybrid cloud, on-premises software, Zero Trust initiatives and other specialized requirements. Mimicking Microsoft’s approach is cumbersome at best and unattainable at worst. HYPR was purpose-built so that both small and large enterprises can provide their users with highly secure passwordless authentication that matches the consumer experience of Microsoft, Apple or Google services.
The Microsoft passwordless options announced include the Microsoft Authenticator app, Windows Hello, a security key, and SMS or emailed codes. Those familiar with FIDO2 standards or best practices for multi-factor authentication will recognize that SMS or emailed codes are vulnerable to phishing and man-in-the-middle (MitM) attacks: a one-time code typed into a fake site can be relayed to the real one, whereas a FIDO2 credential is bound to the legitimate site and cannot be replayed elsewhere. We recommend that Microsoft Account users choose the Microsoft Authenticator app or security key options whenever possible.
Bringing Passwordless Everywhere
Microsoft’s announcement follows one by Apple at their annual developer conference about their upcoming Passkeys feature based on FIDO2 WebAuthn standards.
At HYPR, creating a true passwordless world is our founding mission. Advocacy for passwordless adoption from vendors like Microsoft brings us all closer to that goal. HYPR is a member of the Microsoft Intelligent Security Association (MISA), a consortium of experts from across the cybersecurity industry with the shared goal of improving customer security and confidence with digital services.
Thinking about taking your company passwordless and need to get stakeholder support? Watch our upcoming webcast on How to Convince Your Board to Go Passwordless.