For many, many years, passwords were our keys to computer systems. Is it time for them to disappear now?
Seen from the perspective of IT security, passwords have often been treated as an orphan: They were (and still are) mandatory, but an imposition to many users. Even today I often encounter the worst of weak passwords, passwords written on a sheet of paper hidden under the computer’s keyboard, or a simple lack of understanding of GDPR-compliant password policies. Life is difficult enough and, for many users, passwords (and especially complex passwords that need to be changed every 90 days, for example) are just a necessary burden.
Dealing with passwords — the glorious burden
In recent years, password managers have taken over the role of handling passwords: Often there is just one master password, or some other kind of authentication, needed to gain access to a password vault that takes care of all your logins. There is no need to use the same password on all 462 sites when complex, hard-to-remember passwords can be generated automatically, ideally backed by the glorious 2FA (Two-Factor Authentication).
Dealing with passwords got a lot easier thanks to well-known tools like 1Password, KeePass, Enpass, Dashlane, Bitwarden etc., but beyond using biometrics to unlock the vault there are ambitions to get rid of this established and reliable way of authenticating completely: Working and living without any password at all, which is exactly what Microsoft’s latest approach proposes.
Microsoft wants to steer into the passwordless future
Security keys like Nitrokey have been usable as a second factor for quite some time now (albeit as an alternative to a simple Windows login). You may now go one step further and remove the password from your Microsoft account entirely, signing in with passwordless methods like Windows Hello, the Microsoft Authenticator mobile app or a verification code sent to your phone or e-mail instead. It should be mentioned that receiving the code via SMS is commonly regarded as the least secure form of second factor.
That is the theory, but how will this work in practice? Microsoft states that this feature will help protect our Microsoft accounts from identity attacks like phishing while providing even easier access to apps and services like Microsoft 365 and the services it contains, such as Microsoft Teams, Outlook, OneDrive or Family Safety, Microsoft Edge and more. Speaking of Edge: Microsoft’s browser is one key to passwordless success.
Edge, take care of the passwords!
While we strive more and more for a passwordless future (and are still light years away from reaching this goal), it requires approaches that are not founded on password managers but on the capabilities of the browser, just like Apple does with Safari. The Chromium-based Edge has evolved a lot since first appearing on the digital stage and now ships with a comprehensive password management system, including a password monitor, a password generator and a password health dashboard built in from the start.
Just as we know from competitors like 1Password & Co., the complexity and strength of each password is rated, and the feature’s backend additionally checks whether a password you have chosen has been compromised in the wild.
The common mistake of using the same password on various online services (usually a no-go, but for many users still standard practice these days) is also addressed by automatically generating and saving secure, complex alternatives to standard passwords. Some of you may already have noticed that the Microsoft Authenticator app on iOS and Android has a "Passwords" pane which syncs with Edge’s database.
According to Microsoft, everything is done with privacy in mind, but every one of you must decide whether this is a trustworthy feature or not. Microsoft assures that the underlying technology helps to ensure that neither Microsoft nor any other party can learn your passwords while they’re being monitored in Microsoft Edge — it’s a matter of trust, like with any other password-manager provider you are working with.
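The post does not describe which protocol Edge's monitor actually uses to check passwords against breach data without learning them. As an added illustration (not Microsoft's code), the following shows one widely used privacy-preserving approach, the hash-prefix (k-anonymity) range query: the client sends only the first few hex digits of the password hash, the server returns every known hash suffix under that prefix, and the comparison happens locally. The breach corpus and the counts are constructed for the demo.

```python
"""Privacy-preserving compromised-password check via hash-prefix (k-anonymity).

Added illustration, not Edge's or Microsoft's implementation. The server only
ever sees PREFIX_LEN hex digits of SHA-1(password), so it cannot recover the
password; the client finishes the match itself. Corpus below is constructed.
"""
import hashlib
from typing import Dict

PREFIX_LEN = 5  # hex digits (20 bits) disclosed to the server per query

# Constructed "breached" corpus: password -> times seen in leaks (fake numbers).
BREACHED_PASSWORDS: Dict[str, int] = {
    "password": 3_000_000,
    "123456": 23_000_000,
    "qwerty": 3_800_000,
    "letmein": 200_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, as used by range-query APIs."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_server_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Server side: bucket hash suffixes by their PREFIX_LEN-digit prefix."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], {})[h[PREFIX_LEN:]] = count
    return index


def server_range_query(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Server side: answer with every suffix under the prefix (never the full hash)."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly PREFIX_LEN hex digits")
    return dict(index.get(prefix, {}))


def client_check(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """Client side: disclose only the prefix, match the suffix locally.
    Returns the breach count, 0 if the password is not in the corpus."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    candidates = server_range_query(index, prefix)  # the only data that leaves
    return candidates.get(suffix, 0)
```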
More than a great approach?
The feature itself sounds great and it might work well if you are in the Microsoft universe (although it works on Edge on Mac, too), but personally I still prefer a rather independent password manager — I don’t use Safari’s keychain features on Mac either but opted for 1Password instead after a temporary trip with Enpass.
While Edge is a good browser on macOS as well, I still prefer the mixture of 1Password and an external 2FA app — putting your passwords AND your two-factor authentication in the same app is yet another risk when viewed from the perspective of an IT-security consultant.
Anyway, what doesn’t work for me may work in your use case and, despite not using this feature because I simply don’t want to add my passwords to a browser (independent of the browser itself), I like Microsoft’s approach for a passwordless future. In my case, I love the way security keys like the ones from Nitrokey or Yubico (YubiKey) work and wish there were more services and vendors (YES, Apple — a passwordless login with such a device on macOS would be great!) that support them.
Microsoft’s work here is a piece of a puzzle that needs to be completed to really get rid of passwords and adopt the passwordless future!
Additional information on this topic can be found in Vasu Jakkal’s blog post covering this topic from Microsoft’s side.