Microsoft is dropping the use of passwords for staff, Sian John, chief security adviser EMEA, Cyber Security Solutions Group, Microsoft, told delegates at yesterday's Wall Street Journal cyber-security executive forum held at London Bridge.
It wasn’t so much an announcement as an aside when discussing the role of biometrics in response to a delegate question during a session on future technology, entitled "10 years out". John explained, "Microsoft is going 'passwordless' this year for staff. Passwords used to be the least bad option, but now with biometrics and behavioural analytics, Microsoft’s ambition is to eliminate passwords this year, and we expect others to have done so within six years."
Asked about the vulnerability of biometric systems, John added, "The biometric data now stays on the device (rather than being stored in a server database) to open the token, but it’s true that the token can still get hacked. Federation of identity (as promoted by groups such as FIDO) and biometrics is the way it will go, and while everyone is moving to 2FA, most don't need that, and it will be user pushback there that will increase biometric acceptability."
It was not explained what biometric data (eg face or fingerprint recognition) might be used, nor what behavioural data.
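The exchange John describes, in which the biometric only unlocks a key held on the device and the server never receives biometric data, as an added Go example that is not from the article, Microsoft or the FIDO specifications. The relying-party name, user name and biometric sample are constructed, and the local biometric match is simulated by comparing a hash of the sample, which a real authenticator does in a secure element rather than in software. It also shows the second half of her point: the device-bound key is the thing worth protecting, and a captured assertion is tied to a one-time challenge so it cannot simply be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models the user's authenticator. The private key never leaves it and the
// biometric template is compared locally only (simulated here as a SHA-256 digest).
type Device struct {
	templateHash [32]byte
	priv         ed25519.PrivateKey
	pub          ed25519.PublicKey
}

func NewDevice(enrolledBiometric []byte) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{templateHash: sha256.Sum256(enrolledBiometric), priv: priv, pub: pub}, nil
}

// PublicKey is the only credential material the relying party ever stores.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// Assertion is what goes over the wire: a signature over the challenge bound to the
// relying-party ID. It carries no biometric data and no reusable secret.
type Assertion struct{ Sig []byte }

// Sign unlocks the key only when the presented biometric matches the local template.
func (d *Device) Sign(presented []byte, rpID string, challenge []byte) (*Assertion, error) {
	if sha256.Sum256(presented) != d.templateHash {
		return nil, errors.New("local biometric check failed; key not unlocked")
	}
	return &Assertion{Sig: ed25519.Sign(d.priv, signedMessage(rpID, challenge))}, nil
}

func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty holds public keys and outstanding one-time challenges; a breach of
// this store yields neither passwords nor biometrics.
type RelyingParty struct {
	ID         string
	publicKeys map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, publicKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.publicKeys[user] = pub }

func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify consumes the challenge first so the same assertion can never verify twice.
func (rp *RelyingParty) Verify(user string, a *Assertion) bool {
	c, haveC := rp.challenges[user]
	delete(rp.challenges, user)
	pub, ok := rp.publicKeys[user]
	if !ok || !haveC {
		return false
	}
	return ed25519.Verify(pub, signedMessage(rp.ID, c), a.Sig)
}

// Login runs the full challenge/sign/verify round trip.
func Login(rp *RelyingParty, dev *Device, user string, presented []byte) (bool, error) {
	c, err := rp.NewChallenge(user)
	if err != nil {
		return false, err
	}
	a, err := dev.Sign(presented, rp.ID, c)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, a), nil
}

func main() {
	sample := []byte("constructed-fingerprint-sample") // constructed, stands in for a template
	dev, _ := NewDevice(sample)
	rp := NewRelyingParty("login.example.com") // constructed relying-party ID
	rp.Register("alice", dev.PublicKey())
	fmt.Println(Login(rp, dev, "alice", sample))
	fmt.Println(Login(rp, dev, "alice", []byte("someone-else")))
}
```

The design point is the split of trust: the device owns both the template and the private key, the server owns only a public key and a short-lived challenge, and the signed message binds the relying-party ID so an assertion produced for one site is useless at another.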
Separately, Microsoft is reported by the FT to have deleted a massive database of 10 million images which was being used to train facial recognition systems. Its images database of some 100,000 famous people is believed to have been used to train a system operated by police forces and the military.
Jake Moore, cyber-security specialist at ESET, comments: "The deletion of the database is a great move by Microsoft but sadly it might be too late. To have this amount of personal data in one place is, of course, going to become a target for some.
"Sadly, facial recognition still contains a lower than hoped for hit rate but, more importantly, can contain bias and prejudices when used in conjunction with machine learning. Such bias as racial profiling can sometimes be used in vast databases such as these, so it is good to hear this has been deleted before being further used.
"Frustratingly, when data is deleted on the Internet, it's not usually gone forever. This set of images will no doubt be featured on the dark web and possibly for a price."
Also yesterday, Aaron Margosis, Microsoft's principal consultant for cyber-security, published a blog post saying that Microsoft had changed its advice that passwords should be changed after a set period of time. The Telegraph, however, reported that Microsoft has no plans to remove the feature from its own devices or software. Margosis had said that changing a password periodically was only a protection against the chance that someone had been hacked at some point during the time their old password was valid, whereas if a device or account has been hacked, the password should be changed immediately.
Andy Cory, identity management services lead at KCOM emailed SC Media UK to comment: "The truth is that technology has moved past the stage where we constantly need to reset passwords. That’s not to say that passwords are not important - the effective management of passwords is one of the most vital aspects of corporate defence. It doesn’t matter how strong your perimeter is, or how intelligent your breach detection - if users’ accounts can be cracked open from the front, if their passwords can be guessed or stolen, then your company is as good as defenceless. Once an account has been compromised in this way an attacker will often be able to gain access to a whole plethora of sensitive information without setting off any internal alarms, with incalculable potential impact for the organisation.
"The humble password is by no means dead. It’s simply time for businesses to come up with a more intelligent strategy than a password expiry policy. Frequent password changes encourage bad passwords, whereas a good password does not have to be changed that frequently. Organisations should consider ditching a historical reliance on password expiry in favour of a more prescriptive policy on password strength, ensuring that strong but usable password rules and, preferably, multi-factor authentication are in place. As part of that, it’s also important to have a high-capacity infrastructure in place that can reliably and securely handle the authentication data - only then can you match user experience with security needs."
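The trade-off Cory and Margosis describe, scheduled expiry versus a strength-based rule that rotates only on evidence of compromise, as an added Go example that is not from the article, KCOM or Microsoft. The two policies, the blocklist entries and the sample passwords are constructed, and the model is deliberately small: it checks length, a blocklist of known-weak values, compromise-triggered rotation and, where configured, scheduled expiry.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Policy is a simplified model of the password rules an identity system enforces.
// MaxAge == 0 means no scheduled expiry: rotation then happens only when the
// account is believed compromised.
type Policy struct {
	Name       string
	MinLength  int
	MaxAge     time.Duration
	Blocklist  map[string]bool // known-weak or previously breached values (constructed sample)
	RequireMFA bool
}

// Decision records whether the password is acceptable and whether it must change now.
type Decision struct {
	Accepted   bool
	MustRotate bool
	Reasons    []string
}

// Evaluate applies the policy to a candidate password, its age and the account's
// compromise status.
func (p Policy) Evaluate(password string, lastChanged, now time.Time, compromised bool) Decision {
	d := Decision{Accepted: true}
	if len([]rune(password)) < p.MinLength {
		d.Accepted = false
		d.Reasons = append(d.Reasons, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	if p.Blocklist[strings.ToLower(password)] {
		d.Accepted = false
		d.Reasons = append(d.Reasons, "appears on the blocklist")
	}
	if compromised {
		d.MustRotate = true
		d.Reasons = append(d.Reasons, "account flagged as compromised: change immediately")
	}
	if p.MaxAge > 0 && now.Sub(lastChanged) > p.MaxAge {
		d.MustRotate = true
		d.Reasons = append(d.Reasons, "scheduled expiry reached")
	}
	return d
}

// LegacyPolicy: short minimum, 90-day forced rotation, no blocklist (constructed).
var LegacyPolicy = Policy{Name: "legacy-expiry", MinLength: 8, MaxAge: 90 * 24 * time.Hour}

// StrengthPolicy: longer minimum, blocklist, no scheduled expiry, MFA required (constructed).
var StrengthPolicy = Policy{
	Name:       "strength-based",
	MinLength:  14,
	Blocklist:  map[string]bool{"summer2019!": true, "password1": true, "welcome123": true},
	RequireMFA: true,
}

func main() {
	now := time.Date(2019, 6, 7, 0, 0, 0, 0, time.UTC)
	set := now.Add(-91 * 24 * time.Hour) // password last changed 91 days ago
	for _, p := range []Policy{LegacyPolicy, StrengthPolicy} {
		for _, pw := range []string{"Summer2019!", "correct horse battery staple"} {
			d := p.Evaluate(pw, set, now, false)
			fmt.Printf("%-15s %-32q accepted=%v rotate=%v %v\n", p.Name, pw, d.Accepted, d.MustRotate, d.Reasons)
		}
	}
}
```

Run as written, the legacy policy accepts the blocklisted "Summer2019!" and then forces the user to replace a long passphrase purely because 90 days have passed; the strength-based policy rejects the weak value outright and leaves the passphrase alone until a compromise is flagged.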