ALPS blog

By Richard Werner, Business Consultant

On 15 September 2021, Microsoft announced the general availability of the passwordless account. As with all changes that involve a massive shift in security habits, it is worth questioning how sensible this development is.

Human habits

We can spin it any way we want – people love their rituals. But passwords seem to be an exception. There is probably no one who has not sat in front of their computer screen in despair, trying to remember the correct spelling of an old password. It is also not uncommon to find Post-its on monitors or in desk drawers bearing cryptic expressions. The more complex the required passwords, the fewer people can remember them. So we go about making our lives easier and use patterns, such as the name of the application with letters replaced by numbers or special characters (T3en4M!cr0), or we bypass the security restrictions altogether. There are cases where employees changed their passwords twenty times in a row on the day they were requested to do so, only to end up using the same old password again.

Remembering passwords is a constant challenge, and yet we have been told at every available opportunity that strong passwords are crucial – and rightly so.

Without a password?

Inevitably, Microsoft’s announcement will be met with suspicion. Is this essential security barrier suddenly invalid? From a security point of view, one has to say: at least partially. Firstly, the fundamental challenge, which has so far been solved via passwords, has not changed, because some people still try to gain unauthorised access to content or systems. Access control of any kind is therefore still necessary. It is merely being replaced by other authentication procedures. But that alone is a positive development.

Secondly, with any authentication method, there must be someone/something on the other side to confirm the identity. Similar to how passports are issued and registered by the government, this is now done for online identity. Instead of a government agency, it is a private company.

Therefore, there will most likely be no general authentication, but rather different procedures, each of which must be coordinated individually with the respective service providers. Who knows or confirms which identity will depend on whether this happens in a corporate or private context. Large companies like Microsoft have an advantage here. By providing many, sometimes indispensable, services, they will automatically obtain a large part of the identity authority and may be able to enforce it in service offerings from smaller providers.

The password from an IT security perspective

The theft and sale of digital identities such as login data and passwords is the most booming underground business model. Under the keyword “Access as a Service”, ready-made system access, or put simply login data, is offered depending on price and availability. In addition, the most common and most dangerous malware variants usually contain a component for harvesting passwords – be it by brute force using pattern recognition or by recovery tools (e.g. Mimikatz). Eliminating passwords leads to a significant improvement in security for potential victims in current attack scenarios. Therefore, from a security point of view, it is definitely to be advocated!

Does this mean the end of cybercrime? Certainly not. The techniques of gaining access without a password and taking over identities directly, as well as of cracking two-factor authentication, are known and have been confirmed in proof-of-concept models. However, these methods are expensive and time-consuming for the attackers. Therefore, they are rarely used. The more companies in particular abandon the use of passwords, the harder it will be for cybercriminals to continue using their current models. This certainly gives a modern company some breathing space in the current situation. It is not, however, a substitute for a sensible security solution, especially the use of overarching detection & response (XDR) procedures.