Microsoft is killing passwords one announcement at a time

Microsoft’s quiet campaign to abolish passwords reached another milestone yesterday with the announcement that Windows 10 and Office 365 users can now log in to Azure AD applications using only the Authenticator App.

The change is so simple it makes you wonder why passwords have seemed so fundamental for so long.

Currently, Windows 10 and Azure AD users log into their Microsoft accounts using an email address and password, which (if it is turned on) requires authentication via one of a number of two-step verification options (such as SMS, or a code generated by the Authenticator app).

Now, once the user has logged in for the last time to enable the feature, all future logins happen by entering the user name and approving a notification that pops up on the Android or iOS Authenticator app.

Approve that and the login is confirmed using the smartphone’s fingerprint reader, facial recognition or PIN – all without a password in sight.

It’s very similar to Microsoft’s Windows Hello face ID authentication, but without the need to own an expensive high-resolution camera. It’s also a bit like Google’s Prompt, which approves logins using push notifications but only after the user has already entered their username and – of course – an account password.

Clearly, Microsoft has decided that the app residing on the smartphone is now ready to become the primary factor whereas Google is evolving in that direction but hasn’t yet decided to make the final jump.

The benefits of Microsoft’s new app authentication are twofold:

  1. Phishing attacks will be unsuccessful because access no longer depends on stealable passwords.
  2. While no more secure than the best types of multi-factor authentication, it is quicker (i.e. no codes to generate, or physical tokens to fumble with).

A possible downside is that it depends heavily on the first factor – the smartphone app – and smartphones aren’t always well secured from physical access if they’re stolen or lost.

The app asks the user to confirm each login using whichever security mechanism is being used by the smartphone itself. On an iPhone that would be Face or Touch ID, while on Android that would be Google’s less battle-hardened equivalents, or perhaps even a simple four-digit PIN code.

Shifting the weak point to the device

For sure these will improve over time but anyone who wants to turn on Authenticator access to their Microsoft account now should assess the security of their smartphone first. While it’s true that simple password and username access is even less secure, it could be argued that abandoning the password completely simply shifts the weak point to the device.

Another emerging approach that adds a greater level of security is to keep the authentication part of the process on a separate physical token such as the YubiKey, version 5 of which was released this week.

This adds FIDO2/WebAuthn support, an emerging standard that can also be used in a passwordless single-factor way. The main advantage of WebAuthn is that it supports lots of websites and not only Microsoft’s.

Whichever gains traction (and Microsoft also supports WebAuthn by the way), users could be entering a strange world where one factor starts becoming better than two for many people.