Despite What Microsoft Says, Passwords Aren't Going Away Any Time Soon


By Marcus Kaber, CEO Specops Software

Passwords are a double-edged sword in day-to-day life. On the one hand, passwords serve a vital purpose: they defend our sensitive information against bad actors who would steal it. With more of our lives moving online, especially in the age of COVID-19, securing our information has become more important than ever before. 

Yet on the other hand, juggling multiple passwords for our accounts can be frustrating. Many of us have had to change a password after forgetting it, which can then require recalling our answers to quirky security questions before the reset goes through. At least your third-grade teacher would be proud of you for remembering them all these years later.

At Microsoft's Ignite conference in March 2021, the company announced that passwordless authentication was generally available in Azure Active Directory (Azure AD). Azure AD integrates with multiple "passwordless" authentication options, such as the Microsoft Authenticator app, FIDO2 security keys and Windows Hello for Business.

Getting rid of passwords may seem like a great idea, but realistically, Microsoft's announcement just means that users will need to type their passwords less often. The following three reasons show why passwords are here to stay for a while.

Reason 1: Hybrid directory will continue to dominate - Passwords will persist for the vast majority of organizations that depend on Active Directory. Gartner states, in its Implement IAM Best Practices for Your Active Directory report, that over 90% of organizations worldwide use Active Directory (AD) and that by 2025 less than 3% of mid-size to large organizations will have completely migrated from AD to a cloud-based directory. Most will continue to operate in a hybrid model, connecting Active Directory to a cloud directory like Azure AD. Dependence on Active Directory continues for email, file sharing, and any application that relies on Kerberos authentication. While organizations have accelerated cloud spending to support digital business models and remote employees, adoption has focused on SaaS solutions. Access and authentication to SaaS services is primarily managed through hybrid deployment models, not through a complete replacement of Active Directory.

Reason 2: Passwordless methods still rely on passwords in the background - Passwords remain the fallback for various services that market themselves as passwordless. For example, Microsoft announced that passwords can be removed from the Windows login with Windows Hello for Business. Windows Hello for Business relies on a PIN, optionally supplemented by biometric login. The PIN is bound to the device and unlocks a key pair rather than being sent to the domain controller, but when a user cannot use the biometric hardware and forgets their PIN, they need their Active Directory password in order to reset it. Windows Hello for Business has also struggled to gain a large-scale foothold because of hardware dependencies and enrollment challenges.

Reason 3: Cybersecurity risks associated with passwordless - Azure AD's Temporary Access Pass is a time-limited passcode, issued by an administrator, that lets a user enroll another authentication method. It is also used when a user loses or forgets their strong authentication factor and needs help recovering access. Just as when users forget passwords or are locked out because a password expired, obtaining a Temporary Access Pass requires a call to the IT service desk. The unsettling reality is that these calls introduce risk wherever the service desk lacks a secure way to verify the caller's identity: agents can fall victim to social engineering, and a convincing caller walks away with a valid credential, which is an account takeover.

Password security remains key

Weak passwords continue to be a major security risk for organizations of all sizes. Verizon's 2020 Data Breach Investigations Report shows that brute-force attacks or the use of lost or stolen credentials were involved in over 80 percent of hacking breaches. Enforcing a password policy helps organizations reduce the risk that weak passwords create.

Organizations that want dependable passwords can establish a firm foundation for password security by taking the following steps: 

  • Mandating longer and stronger passwords (length does more for resistance to brute force than complexity rules alone)
  • Securing self-service and IT service desk-enacted password resets and unlocks with proper verification of the user's identity
  • Continually detecting, removing and blocking leaked passwords, including ones already in use in the directory
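As an added example of the first and third steps (not code from Specops or from the article), the following Python checks a candidate password against a minimum length and character-class count and then against a leaked-password corpus, using the same 5-character SHA-1 prefix partitioning as the Pwned Passwords range API so that the full hash of the candidate never leaves the client. The sample leaked list, the policy thresholds and all function names are assumptions made for illustration.

```python
import hashlib
from typing import Dict, Iterable, List, Set

# Constructed sample standing in for a leaked-credential corpus. A real
# deployment would load a local breach list or query an HIBP-style range
# API; these strings are illustrative only.
LEAKED_SAMPLE = ["password", "Password1", "Summer2021!", "letmein", "qwerty123"]

# Hypothetical policy values chosen for this example, not figures from the article.
MIN_LENGTH = 15
MIN_CLASSES = 3


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form range lookups use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: Iterable[str]) -> Dict[str, Set[str]]:
    """Index leaked hashes by their first five hex characters.

    This mirrors the k-anonymity partitioning of the Pwned Passwords range
    API: a client reveals only the 5-character prefix and matches the returned
    35-character suffixes locally, so the complete hash is never transmitted.
    """
    index: Dict[str, Set[str]] = {}
    for pw in leaked:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def range_lookup(prefix: str, index: Dict[str, Set[str]]) -> Set[str]:
    """Server side of the exchange: return every suffix stored under a prefix."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    return set(index.get(prefix.upper(), set()))


def is_leaked(password: str, index: Dict[str, Set[str]]) -> bool:
    """Client side: query by prefix only, then match the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5], index)


def character_classes(password: str) -> int:
    """Count the character classes present: lower, upper, digit, other."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in password))


def check_password(password: str, index: Dict[str, Set[str]],
                   min_length: int = MIN_LENGTH,
                   min_classes: int = MIN_CLASSES) -> List[str]:
    """Return the list of policy failures; an empty list means accepted."""
    failures: List[str] = []
    if len(password) < min_length:
        failures.append(f"too short: {len(password)} < {min_length}")
    if character_classes(password) < min_classes:
        failures.append(f"fewer than {min_classes} character classes")
    if is_leaked(password, index):
        failures.append("found in leaked-password list")
    return failures


LEAKED_INDEX = build_range_index(LEAKED_SAMPLE)

if __name__ == "__main__":
    for candidate in ("Summer2021!", "correct horse battery staple 42"):
        result = check_password(candidate, LEAKED_INDEX)
        print(f"{candidate!r} -> {result or 'accepted'}")
```

In an Active Directory environment this logic would sit where the password is set, in a password filter on the domain controllers or in Azure AD Password Protection, rather than in a standalone script; the lookup by prefix is what allows the check to run against an external corpus without disclosing the candidate password.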

While dependence on passwords can now be minimized for logging into Azure AD, we are a long way from going completely passwordless. That is why securing the passwords in use today remains extremely important.



Marcus Kaber 

Marcus Kaber has been guiding the strategic direction of Specops Software as the Chief Executive Officer since 2012. He is passionate about making Specops an attractive company to do business with, whether that means as a customer, a partner or for the growing team of engaged colleagues that make Specops what it is. Marcus honed his coaching skills on the basketball court and is currently Sweden's biggest Yankees fan.

Published Wednesday, May 12, 2021 7:32 AM by David Marshall