Cyber Signals: Shifting tactics fuel surge in business email compromise
Business email operators seek to exploit the daily sea of email traffic to lure victims into providing financial and other sensitive business information.
Nobody likes passwords. They are inconvenient, insecure, and expensive. In fact, we dislike them so much that we’ve been busy at work trying to create a world without them – a world without passwords.
In this blog, we will provide a brief insight into how we at Microsoft think about solving this problem, along with details on solutions that you can try out today.
When we think about creating a world without passwords, we want to deliver on two key promises:
At its core, our fundamental philosophy is simple: devalue the password, and replace it with something that eradicates its use for the end user and drains its value for an attacker.
Passwords have been a big part of our digital lives. To fully get rid of them, not only do we need to address all that is bad with them, we also need to acknowledge all that is good; they are familiar, portable, and can be used almost everywhere.
Figure 1. Passwords – Pros vs cons
So how are we going about it? Well, we break this up into discrete buckets:
Figure 2: Passwordless strategy
Here’s a quick overview of some of the solutions that you can try out today and how they map to the strategy above.
Here’s a video that provides a quick overview of Windows Hello, how it is more secure than passwords, and some of newest enhancements.
Windows Hello is being used by over 47 million users worldwide. More than 5,000 businesses have deployed Windows Hello for Business, with adoption on over one million commercial devices.
For more details, refer to www.aka.ms/whfb.
Windows Hello is an excellent replacement for passwords on personal PCs. That said, we acknowledge that there are many scenarios that involve shared PCs used by transient users and that provisioning Windows Hello is not ideal. To that end, we are working hard on lighting up a series of portable credentials that are more suitable for such shared PC scenarios.
The Microsoft Authenticator app enables users to authenticate to their Microsoft account using their mobile phone. It is built on similar secure technology that Windows Hello uses, and packages it into a simple app on your mobile device.
To download the app and learn more, go to Microsoft Authenticator.
Windows Hello and our mobile Authenticator app are both great alternatives to passwords. But to create a world without passwords, we need an interoperable solution that works across all industry platforms and browsers.
Microsoft has been aligned with the Fast Identity Online (FIDO) working group from the start. The alliance represents 250 organizations from various industries on a joint mission to replace passwords with an easy-to-use strong credential. With the recent ratification of FIDO2 security keys by the FIDO working group, we’re updating Windows Hello to enable secure authentication for many new scenarios.
Among many new and exciting features in the Windows 10 April 2018 Update, we set out with the goal to deliver an end-to-end product experience that’s passwordless ready. With Windows 10 in S mode, we are enabling our cloud users (Microsoft Account or Azure Active Directory) to be able to go through the entire life-cycle of using their Windows 10 PC with S mode enabled without ever having to enter their passwords. That’s right. Here’s how you can try it out.
Note: Upgrade your default way of authenticating from using password to the Microsoft Authenticator app by clicking the “Use the Microsoft Authenticator app instead” on the login page.
Figure 3: Select Microsoft Authenticator as default sign-in option
Note: If you are prompted for a password on this screen, click the “Use the Microsoft Authenticator app instead” link.
Figure 4: Windows 10 S OOBE with Microsoft Authenticator app
Figure 5: Windows Hello provisioning
Figure 6: Access apps and websites seamlessly
Figure 7: No passwords under Sign in options for Windows
To review, you will be able to set up a brand-new device, provision Windows Hello, log in, lock/unlock, use your favorite apps and websites without ever having to enter a password!
But wait, there’s more!
FIDO2 Security keys allow you to carry your credential with you and safely authenticate to an Azure AD-joined Windows 10 shared PC that’s part of your organization. A user can walk up to any device belonging to the organization and authenticate in a secure way – no need to enter a username and password or set-up Windows Hello beforehand.
See how it works in this video:
The Windows Hello FIDO2 Security Key feature is now in limited preview. Please let us know if you would like to be added to the waitlist.
While we still have a way to go before we can claim victory, with the incredible lineup of products and features in our portfolio along with those in the works, we are confident that we will get there soon. Please send us your comments, questions, and feedback at pwdlessQA@microsoft.com.
Principal Group Program Manager, Enterprise & Security