Microsoft recognized World Password Day on Thursday by touting its progress in making fallible logon technology obsolete. In the past six months, the number of people who use Microsoft's services but have dumped logon passwords has risen by half to 150 million.
What's the alternative to traditional usernames and passwords? Microsoft now offers three no-password logon options for its online services on Windows machines: a hardware security key combined with Windows Hello face recognition technology or fingerprint ID; a hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app.
Most of the people who dumped passwords are among the 800 million consumers using Microsoft consumer services like Outlook.com and Skype, but a chunk of the billion people at businesses using Microsoft logon technology have also dropped the insecure practice of memorizing strings of letters, digits and special characters, says Joy Chik, Microsoft's corporate vice president for identity technology.
"It's both secure and has the best experience," she said of the reasons for moving to a passwordless authentication. Among Microsoft's 150,000 or so employees, 90% have dumped passwords for their own authentication, she added.
World Password Day, observed on Thursday, is often used to prod us into better password security practices. But with post-password technology now maturing, we have a chance to leave behind a computer authentication technology that's actually become a weak link in security.
There are plenty of password problems. Because we reuse passwords, hackers can often crack into multiple sites if they grab the credentials to one. A good password from the perspective of computer security -- long, unique and unguessable -- happens to be the hardest for humans to memorize and type. Password managers can help us cope with passwords to dozens or hundreds of online services in our lives, but they're complex.
FIDO standard helps with passwordless logon
New authentication techniques like hardware security keys and biometrics enable two-factor authentication without having to remember a password. New standards like FIDO -- short for Fast Identity Online -- make it easier for device makers and websites to embrace passwordless logon. And with passwordless authentication, companies and consumers don't have to worry as much about hackers stealing troves of login data.
Hardware security keys aren't perfect -- they can get lost, too. Enrolling keys -- primary and backup at least -- is tedious at best for multiple accounts. But the technology is maturing, and it's important to balance the problems of passwordless logon with the problems we already face today, said Stina Ehrensvärd, co-founder and chief executive of Swedish company Yubico.
"I can lose my phone, too," she said. That's why she recommends having multiple logon options.
Better logon security has become a higher priority with so many more people telecommuting because of the coronavirus, the COVID-19 pandemic it's caused, and the widespread orders to work from home. Companies and governments are now racing to modernize logon, Ehrensvärd said.
"Things that took months now take three weeks," she said, with customers demanding overnight key shipments. Yubico has now sold more than 10 million of its Yubikey hardware security keys, a rate growing about 60% to 70% annually. "The remote workforce is pushing this new reality."