The reasons to eliminate passwords are endlessly compelling and all too familiar to every enterprise IT organization. Passwords are insecure. Inconvenient. Expensive. Nobody likes them. [insert your preferred reason here]. Even Satya Nadella has said, “One of the biggest security issues is passwords.”
But for our Chief Information Security Officer, Bret Arsenault, the commitment to make Microsoft a password-less organization goes beyond these obvious justifications. To Arsenault, the quest to get rid of passwords is about providing a delightful end-user experience where users never have to deal with passwords in their day-to-day lives, backed by a security promise that user credentials will not be cracked or breached.
“I’m on a mission to end the use of passwords at Microsoft,” announced Arsenault in a recent feature of Enterprise Security magazine as he talked about how he and his team are deploying this leading-edge approach. In the article, Eliminating Passwords: The Journey, Arsenault candidly pointed out that the user authentication experience for employees has been less than desirable throughout the ever-evolving enterprise security journey. And as important as keeping the enterprise secure is—especially in the midst of the hyper-connectedness of digital transformation—it is just as imperative to him and his team to deliver a seamless and pleasant user experience.
How Microsoft is thinking about it
At last year’s Ignite, Senior Program Manager for Windows, Karanbir Singh, shared the steps Microsoft has taken so far to eliminate passwords altogether. Balancing usability with security can certainly be a daunting task for any organization. But with the partnership of the FIDO Alliance, the latest Microsoft biometric technologies, a true desire to transform the user experience and a caffeinated team leading a visionary strategy, Microsoft is getting closer every day to embracing a password-free cornucopia.
Partnering with the Windows team, the journey began with developing a password replacement offering with Windows Hello for Business in Windows 10 and the Microsoft Authenticator app. Then, by upgrading line-of-business (LOB) and web apps to use modern authentication with Windows 10 Web Account Manager, Microsoft Authentication Library (MSAL), Azure Active Directory authentication, and Single Sign-On, they were able to deploy an experiment where they disabled some of the authentication settings so password credential providers would not show up. The premise was that if they took a few users and changed their regular password to a 128-character random password, they could monitor whether the end user even noticed that their password had been changed. By reducing the user-visible password surface area, the team was able to quickly find shortcomings, identify where things broke and implement a way to fix them.
Today, biometric technology is providing two-thirds of Microsoft employees with a simple authentication method (backed up with a PIN) that is always with them. No more forgettable 8-character passwords made of letters, numbers and symbols! In addition to this enhanced user experience, the enterprise is now more secure because the multi-factor authentication process is “making it more difficult to steal a person’s identity,” explains Arsenault. The attacker must have both the device and biometric info or PIN in order to access data. With biometrics, the user is the credential.
A place where users don’t have to think about passwords anymore is not far off at Microsoft and other organizations that, like Microsoft, are leveraging digital transformation and cloud computing to deliver the best of both worlds: consumer-grade user experience married with enterprise-grade security.
“There is a process for incorporating this technology across our organization and that requires some time, which is why we’re not totally password-free yet,” observed Arsenault. “[But] I truly believe that the effort involved is worth the work because the final results deliver tangible benefits.”
Better security and decreased operational costs are just two of those tangible benefits Arsenault is referring to. A happy end user who is willing to follow the process is a major intangible one. And that’s an invaluable benefit to any team and organization.