How Microsoft can help you go passwordless this World Password Day


It’s that time of year again. World Password Day is May 4, 2023.[1] There’s a reason it’s still going strong 10 years after being created by cybersecurity professionals. A recent study that analyzed more than 15 billion passwords found that the top 10 most popular passwords still include easy-to-crack combinations like “123456” and “qwerty.”[2] With that level of security, many organizations are essentially leaving the front door open. Sharing your password for a streaming service may seem harmless (their accountants might disagree), but this behavior sometimes bleeds into the workplace, where weak or shared employee passwords often become one of the largest security threat vectors that companies face.

In 2022, Microsoft tracked 1,287 password attacks every second (more than 111 million per day).[3] Phishing is an increasingly favored attack method, up 61 percent from 2021 to 2022.[4] And our data for 2023 shows that this trend is continuing. Passwords should play no part in a future-looking credential strategy. That’s why you don’t need a password for Microsoft Accounts; hundreds of thousands of people have deleted their passwords completely.[5]

For stronger, streamlined security, Microsoft passwordless authentication can help your organization eliminate password vulnerabilities while providing simplified access across your entire enterprise. In honor of World Password Day, this blog will help you make the case to your organization that when it’s time to “verify explicitly” as part of a Zero Trust strategy, modern strong authentication using phishing-resistant passwordless credentials provides the best protection and a good return on investment (ROI).

Go passwordless for simplicity, security, and savings

If you’ve read my blog on why no passwords are good passwords, you already know my feelings on this subject. To quote myself: “Your password isn’t terrible. It’s definitely terrible, given the likelihood that it gets guessed, intercepted, phished, or reused.” As Microsoft Chief Information Security Officer Bret Arsenault likes to say, “Hackers don’t break in—they log in.”

Passwords alone are simply not adequate security. Old-fashioned multifactor authentication bolts a second factor onto a password to add a layer of protection, but the most popular of these, telephony, is also the most problematic (see my blog about hanging up on phone transports to understand why telephony is a poor choice for multifactor authentication). Even with strong methods, like using Microsoft Authenticator to augment a password, you still have the vulnerability of the password itself. The best password is no password, and you can get there today with Windows Hello, security keys, or, my favorite, Microsoft Authenticator.

Graphic showing a range of identity protection methods, going from bad to best. The first column on the left shows bad passwords; the second column shows good password; the third column shows better passwords; and the fourth column shows best passwords.

Figure 1. Identity protection methods aren’t made equal; certain protections are far more secure than others.

In 2022, Microsoft committed to the next step of making passwords a thing of the past by joining with the FIDO Alliance and other major platforms in supporting passkeys as a common passwordless sign-in method. Passkeys aim not only to replace passwords with something more cryptographically sound, but also with something that is as easy and intuitive to use as a password. Passwordless technology such as Windows Hello, which is based on the Fast Identity Online (FIDO) standards, strengthens security by doing the verification on the device rather than passing user credentials over an (often vulnerable) online connection. It also provides a simplified user experience, which can help improve productivity as well.

That was the goal when longtime Microsoft collaborator Accenture decided to simplify their user experience by removing the requirement for password authentication. With 738,000 employees spread across 49 countries, the company decided it was in its best interest to make their identity and access management (IAM) automated and easy. Accenture chose the Microsoft Authenticator app, Windows Hello for Business, and FIDO2 security keys as its passwordless authentication solutions. As described in their case study, the results are already being felt: “The adoption of passwordless has led to faster login times, more reliable experience, fewer failed authentications, and improved overall security posture.”[6]

Whether you’re part of a global organization like Accenture or a small startup, the authentication methods policy in Microsoft Azure Active Directory (Azure AD), now part of Microsoft Entra, allows your IAM team to easily manage passwordless authentication for all users from a single pane of glass. Even better, a recent Forrester Consulting study found that a composite organization based on interviewed customers securing its enterprise apps with Azure AD benefited from a three-year 240 percent ROI (a net present value of USD8.5 million over three years) while reducing the number of password reset requests to its help desk by a significant 75 percent annually.[7]

Multifactor authentication can’t do it all

A 2021 report by the Ponemon Institute found that phishing attacks were costing large United States-based companies an average of USD14.8 million annually.[8] That’s way up from 2015’s figure of USD3.8 million. Microsoft alone blocked 70 billion email and identity attacks in 2022. But on the positive side, multifactor authentication has been shown to reduce the risk of compromise by 99.9 percent for identity attacks.[9] That’s a pretty stellar statistic, but it’s not bulletproof, especially when considering that SMS is 40 percent less effective than stronger authentication methods.[10] Attackers are always learning and improvising, as shown in the rise of multifactor authentication fatigue attacks. In this type of cyberattack:

  1. The threat actor uses compromised credentials (often obtained through a phishing attack) to initiate an access attempt to a user’s account.
  2. The attempt triggers a multifactor authentication push notification to the user’s device, such as “Did you just try to sign in? Yes or no.”
  3. If the targeted person doesn’t accept, the attacker keeps at it, flooding the target with repeated prompts.
  4. The victim becomes so overwhelmed or distracted that they finally click “yes.” Sometimes the attacker will also use social engineering, contacting the target via email, messaging, or phone while pretending to be a member of the IT team.

One widely publicized multifactor authentication fatigue attack occurred in September 2022, when an 18-year-old hacker used the compromised credentials of a contractor to gain access to a major rideshare company’s internal networks. Once inside, he was able to access tokens for the company’s cloud infrastructure and critical IAM service. Our research was ahead of this type of attack back in 2021, when we built multifactor authentication defenses into the Authenticator app, including number matching and additional context. To learn more, be sure to read my blog post: Defend your users from multifactor authentication fatigue attacks.
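The four-step pattern above (a burst of push prompts that the user denies or ignores, sometimes followed by a worn-down approval) is also what a defender can look for in sign-in logs. The following is an added example, not code from the Microsoft post; the log line layout and field names are constructed for illustration, not a real Azure AD schema, and the window and threshold are assumptions to tune against your own data.

```python
# Added example (not from the Microsoft post): flags the MFA fatigue pattern
# described above in constructed sign-in records. Layout per line is
# "<timestamp> <user> <method> <result>"; this is an assumed format, not a
# real sign-in log schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: alice is being push-bombed and finally approves;
# bob shows normal, isolated activity and must not be flagged.
SAMPLE_LOG = """\
2023-05-04T09:00:05Z alice@example.com push denied
2023-05-04T09:00:41Z alice@example.com push timeout
2023-05-04T09:01:12Z alice@example.com push denied
2023-05-04T09:01:50Z alice@example.com push denied
2023-05-04T09:02:30Z alice@example.com push denied
2023-05-04T09:03:02Z alice@example.com push approved
2023-05-04T09:05:00Z bob@example.com push approved
2023-05-04T10:15:00Z bob@example.com push denied
"""

def parse_log(text):
    """Parse the constructed log lines into (timestamp, user, method, result)."""
    events = []
    for line in text.splitlines():
        ts, user, method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, result))
    return events

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: (failed_prompts_in_window, approved_after_burst)} for users
    whose push prompts were denied or timed out at least `threshold` times
    within a sliding `window`. approved_after_burst is True when an approval
    follows such a burst, the signature of a victim finally tapping "yes"."""
    by_user = defaultdict(list)
    for ts, user, method, result in sorted(events):
        if method == "push":
            by_user[user].append((ts, result))
    alerts = {}
    for user, prompts in by_user.items():
        failures = []  # timestamps of denied/timeout prompts still inside the window
        burst_seen = False
        for ts, result in prompts:
            failures = [t for t in failures if ts - t <= window]
            if result in ("denied", "timeout"):
                failures.append(ts)
                if len(failures) >= threshold:
                    burst_seen = True
                    alerts[user] = (len(failures), False)
            elif result == "approved" and burst_seen:
                alerts[user] = (alerts[user][0], True)
    return alerts
```

An approval that follows a burst is the case worth treating as a probable compromise and revoking sessions for, which is also the scenario that number matching is designed to prevent in the first place.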

All identity protection rests on Zero Trust

Zero Trust is just another way of describing proactive security. Meaning, it’s the measures you should take before bad things happen, and it’s based on one simple principle: “Never trust; always verify.” In today’s decentralized, bring-your-own-device (BYOD), hybrid and remote workplace, Zero Trust provides a strong foundation for security based on three pillars:

  • Verify explicitly: Authenticate every user based on all available data points: identity, location, device health, service or workload, data classification, and anomalies.
  • Use least-privilege access: This means limiting access according to the user’s specific role and job. You should also apply risk-based policies and adaptive protection to help secure your data without hindering productivity.
  • Assume breach: This allows your security team to minimize the blast radius and prevent lateral movement if a breach occurs. Maintaining end-to-end encryption and using analytics can also strengthen threat detection and improve your defenses.

And when it comes to “verify explicitly” as part of Zero Trust, no investment in the area of credentials is better than a passwordless journey; it really moves the goalposts on the attackers.

May the Fourth be with you all!

Security year round

At Microsoft Security, we believe security is about people. Empowering users with strong, streamlined access from anywhere, anytime, on any device is part of that mission. Learn more about Microsoft passwordless authentication and how it can help your organization eliminate vulnerabilities while providing fast, secure access across your entire enterprise.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] World Password Day, National Day Calendar.

[2] Most common passwords: latest 2023 statistics, Paulius Masiliauskas. April 20, 2023.

[3] Microsoft Entra: 5 identity priorities for 2023, Joy Chik. January 9, 2023.

[4] Over 255m phishing attacks in 2022 so far, Security Magazine. October 26, 2022.

[5] The passwordless future is here for your Microsoft account, Vasu Jakkal. September 15, 2021.

[6] A passwordless enterprise journey, Accenture.

[7] The Total Economic Impact™ of Microsoft Entra, a commissioned study conducted by Forrester Consulting. March 2023.

[8] New Ponemon Institute Study Reveals Average Phishing Costs Soar to $14.8M Annually, Nearly Quadrupling Since 2015, GlobeNewswire. August 17, 2021.

[9] 17 Essential multi-factor authentication (mfa) statistics [2023], Jack Flynn. February 6, 2023.

[10] How effective is multifactor authentication at deterring cyberattacks? Lucas Meyer, et al. May 1, 2023.
