Eliminating Passwords: The Journey
By Bret Arsenault, CVP & CISO, Microsoft
According to one estimate, the average person has 27 online accounts with user names and passwords. Choosing the right password is as confusing as trying to remember dozens of passwords—it should be complex, more than 8 characters long, it should use letters, numbers and symbols, it shouldn’t be a dictionary word, it shouldn’t be something that anyone else can guess, you should change your passwords frequently, you shouldn’t use the same password for multiple accounts. The list goes on.
"Using biometrics as part of the multi-factor authentication process boosts security by making it more difficult for hackers to steal a person’s identity"
All of these complicated rules lead users to try and create passwords that are easier to remember, but frequently that makes them easy for attackers to guess. And, hackers are taking every advantage of this weakness. One security industry report notes that 81 percent of hacking-related breaches leveraged either stolen and/or weak passwords. As the Chief Information Security Officer of Microsoft, this represents a huge problem for me. The good news is, I love challenging problems. And, I’m on a mission to end the use of passwords at Microsoft.
Many years ago, when we started seeing the growing sophistication of hackers and their unfortunate success in breaking into the networks of big, consumer-name companies, we started a journey to find a better way to secure our employees. We knew that multi-factor authentication was a smart approach. Initially, we used physical smart-cards. This kind of authentication is much more secure, but it still didn’t give people a smooth user experience. Additionally, the smart-cards require infrastructure (a card reader in each hardware device) which can be challenging to implement. Further, while smart-cards are more secure, they are still prone to being lost or forgotten.
To side-step the usability challenges of smart cards, we’ve now started a journey focusing on a nearly-friction-free experience, from using nature’s most unique characteristics: biometrics. There are a range of biometric-based technologies that allow people to use fingerprints, iris scans, facial recognition and even heartbeats to authenticate their identity. These technologies are easier to use, more accessible for the needs and preferences of the person and are significantly harder for criminals to exploit. We can leverage the same technology of a smart-card but use the person’s biometric identifier as the equivalent of a 4 or 6-digit PIN.
Using biometrics as part of the multi-factor authentication process boosts security by making it more difficult for hackers to steal a person’s identity. The criminal would need both the user’s device and their biometric to access data. The biometric image is never stored on the device. The technology we use converts the biometric image to a numeric representation that is irreversible and secured on the device, so the identity of the person is always within their control.
Right now, about two-thirds of the people at Microsoft have the ability to log into our network by using a biometric identifier. There is a process for incorporating this technology across our organization and that requires some time, which is why we’re not totally password-free yet. It’s worth noting that this approach only works when there is a deep integration between the hardware and the software. I truly believe that the effort involved is worth the work because the final result is a delivers strong, tangible benefits: 1) a great user experience (which means that people will actually follow the procedure); 2) it drives operational costs down because there are fewer (or zero) calls to the help desk for resetting passwords and 3) better security!
We’re not the only company on this journey. We’re collaborating with our peers within the technology industry via the Fast IDentity Online (FIDO) Alliance to help propel the adoption of this approach more broadly. We’ve built a blueprint for the technology and shared it with hundreds of companies, some of whom are rolling out the technology now. Companies who are interested in adopting this approach should work with FIDO to learn more. We are optimistic that this innovation will become more widely adopted and as it is deployed more, people will be safer.
It’s worth noting that there is no single security step that will protect you or your business from everything, including eliminating passwords. It’s imperative that businesses and individuals update their software regularly and ideally, use operating systems that update automatically. Everyone should practice safe online habits and hygiene, avoid clicking on emails, links and attachments from unknown sources and backup all their data.
I will continue on my quest to eliminate passwords. In addition, I will also continue to work for solutions to security problems that offer as much promise as our hope for getting rid of passwords: a better user experience and a superior level of security. It’s a good thing and I like hard challenges.