Microsoft Advises All Users to Abandon Password Use - Explanation Given
In a significant move towards enhancing digital security, Microsoft has announced plans to transition from traditional passwords to passkeys for its users. This shift comes as a response to the numerous vulnerabilities associated with passwords and the emergence of passkeys as a more secure alternative.
The security breach at McDonald's, where sensitive job applicant data was accessed using the notoriously weak password '123456', underscores the need for improved password security. According to NordPass's annual list, '123456' is the worst password in use worldwide, with '123456789' and 'password' also making the list of the most insecure passwords.
Microsoft's decision to delete saved passwords within its Authenticator app and transition to passkeys only reflects the growing recognition that passwords, despite being widely used, are far from ideal. Two-factor authentication (2FA), while a step in the right direction, has its own vulnerabilities: codes can be intercepted or shared and, increasingly, bypassed.
Passkeys offer a more secure authentication method, addressing many traditional password vulnerabilities. They are inherently resistant to phishing attacks, as users do not type in a secret that can be intercepted or tricked out of them. A passkey is cryptographically tied to the legitimate site, preventing impersonation.
Another significant advantage of passkeys is the elimination of the need for password reuse, a major security hazard where a breach on one site compromises others. Passkeys are unique per website or app and cannot be reused elsewhere.
Passkeys also offer strong protection against guessing and theft, as they involve cryptographic key pairs securely stored on the user’s device. They do not get transmitted in plaintext and cannot be intercepted or phished.
Users do not have to remember complex passwords or rely on insecure password management habits with passkeys. Instead, they leverage device biometrics (fingerprint, face recognition) or PINs to unlock the authentication key locally.
Passkeys also avoid insecure transmission methods, such as SMS or email codes sent in clear text, which can be intercepted by attackers. They likewise reduce dependency on social sign-ins that share user activity data with large providers, enhancing user privacy.
The transition to passkeys promises a smoother user experience by removing the need for multiple complex password entries, encouraging wider adoption and better security hygiene.
The FIDO Alliance, an industry consortium that aims to address online security challenges, believes that passkeys can lead to a phishing-resistant future for all scenarios, including account recovery and bootstrapping. They stated that Microsoft's move to remove passwords is an exciting and seminal milestone.
However, even with the adoption of passkeys, an account remains at risk if a password is still enabled alongside the passkey, since either one grants access. Users are advised to delete passwords saved elsewhere as well.
As we move towards a passwordless future, the adoption of passkeys marks a significant step towards improved security, phishing resistance, and a user-friendly login experience. This year has seen a huge push for users to add passkeys from Microsoft, Google, and others, signalling a shift towards a more secure digital landscape.
In light of the ongoing cybersecurity concerns associated with traditional passwords, Google is proactively upgrading its Gmail accounts to accommodate passkeys, demonstrating a joint effort with Microsoft towards a more secure data and cloud computing landscape. The attack on Windows and Microsoft platforms that triggered the deletion of saved passwords serves as a prime example of the vulnerabilities these legacy systems present.