Microsoft could soon be “password free”

As each New Year rolls by, someone somewhere usually predicts the death of passwords as a trend for the coming months.

Every year so far, they’ve been proved wrong – somehow passwords cling on despite an exhausting list of maladies, mostly to do with how easy they are to forget, steal and misuse.

The moral would seem to be never to listen to predictions about passwords. However, post-Christmas comments by Microsoft chief information security officer Bret Arsenault offer a small but tantalising sign that the password age might finally be nearing its end.

The evidence is usage figures for Windows Hello, the company’s technology for authenticating Windows users using facial recognition.

Launched in 2015 as part of Windows 10, Arsenault said that Hello was now the default way for the company’s 125,000 employees to log into computers.

The majority of Microsoft employees already log in to their computers using Windows Hello for Business instead of passwords. Very soon we expect all of our employees will be able to go completely password free.

No surprise that Microsoft might champion its own security technology, but Arsenault goes on to make an argument for replacing passwords that will strike a chord among professionals who manage credentials.

For several decades, the industry has focused on securing devices […] but it’s not enough. We should also be focused on securing individuals. We can enhance your experience and security by letting you become the password.

Whatever one thinks of Windows Hello, or biometrics in general, his observation sounds fair.

Passwords were created for a world of devices and systems, not one in which the need to verify a person’s identity in real time using something more substantial than a string of characters has become pressing.

One view is that multi-factor authentication (MFA) does this without the need to abolish passwords completely but the counter argument is that leaving passwords in place is both unnecessary, complicated and needlessly insecure.

Better the clean break with the past. As Microsoft says in its Hello marketing spiel – “you are the password.”

A caution is that while facial ID systems abolish passwords – unique data hopefully known only to the user – they don’t abolish the fact that discrete data must ultimately underpin this.

In the case of Hello, that’s biometric data, which has to be stored somewhere, which Microsoft recently made clear should be inside a Trusted Platform Module (TPM) chip.

As November’s scare over Infineon TPMs reminded us, these are not invulnerable. Changing a compromised password is hard enough but doing the same for a lost face, finger or voice print might be impossible.

Nor, ironically, has Hello itself been immune from security worries, such as the recent research that found that it could be spoofed by nothing more complicated than a specially-made infra-red photograph of the account holder.

Ironically, the research served to underline how hard it would be to defeat Hello under real-world conditions.

Getting hold of a high-definition IR photograph of an account holder wouldn’t be trivial, while some of the technical weakness revealed by the attack were connected to the immaturity of the camera hardware Hello needs for facial recognition (some don’t support Hello’s advanced anti-spoofing).

It could be the cost and maturity of facial recognition cameras that presents the biggest barrier to Hello, not a reluctance to let go of passwords.

As Microsoft notes:

Already, roughly 70 percent of Windows 10 users with biometric-enabled devices are choosing Windows Hello over traditional passwords.

Which perhaps begs the question of why 30% of users who’ve invested in a camera aren’t using it with Hello.

Perhaps what will unshakle users from passwords will be a patchwork of biometric systems (see Apple’s Face ID as a leading contender), of which Hello will only be one. However much security this claims to add, it won’t necessarily be simpler or cheaper for users.

Will anyone miss passwords when they eventually disappear? That seems unlikely, but at that probably far off moment there will be plenty of people feeling very nostalgic for the simpler world they served.