Most people have up to 200 accounts with password access to keep track of. Each password must be strong and unhackable, with an ideal combination of letters, numbers and, importantly, memorability to the user. This is rarely the case and, as a result, passwords are clunky and dangerous when it comes to modern digital security needs.
The transition away from passwords will take time; however, Microsoft recognised early the urgent need to transform digital security, and its developments indicate passwords may soon be obsolete.
Multi-factor authentication and biometric security access
Multi-factor authentication (MFA) and its subset, two-factor authentication (2FA), are already in use by the world’s biggest companies and are being increasingly adopted by smaller ones. MFA makes life a little more difficult for hackers by adding a second step to the login process once a password has been entered.
PIN entry, security questions and CAPTCHA are the most commonly known MFA security measures, as well as SecurID (a unique sequence of numbers, often on a physical device such as a USB, entered at login along with a PIN or password). Biometric measures such as thumbprints, voice and facial recognition are also MFA processes, used in everything from unlocking phones or home security systems, to passport control and more.
In all of these areas, Microsoft already has solutions in place. Facial recognition for unlocking Windows PCs was introduced in 2015, followed by the Microsoft Authenticator app in 2016 – a smartphone app that generates an ever-changing code used to sign in to a device from a mobile, in place of a password.
Its first password phaseout was in 2018, within the Windows 10 S operating system. Devices equipped with biometric sensors to verify a user’s identity accepted a single sign-in to Windows Hello with facial, voice or fingerprint recognition. Each of these developments informs Microsoft’s strategy towards a password-less future.
The four-stage phase out
In 2017, Microsoft announced its ‘four-step approach to password freedom’. The strategy presents a roadmap that drives the development of products and technologies intended to create a fully password-less environment in the future.
The strategy includes:
- Develop password replacement offerings – aided by the implementation of technologies such as MFA, biometrics, or physical solutions (a USB, a badge or a wearable), with a PIN or a fingerprint as MFA.
- Reduce user-visible password surface area – by transforming workflows to remove password prompts altogether, as alternative authentication measures are phased in.
- Transition into password-less deployment – where users don’t need to know, change or type their password ever again. Access will be through a single sign-in with Windows Hello, for example.
- Eliminate passwords from identity directory – as it says, a reality where passwords in any form will be obsolete.
Privacy concerns will prevent many from transitioning to biometrics in the short term, with users displaying an understandable reluctance to having extremely personal data – such as facial or voice features or fingerprints – stored. Eventually, however, the choice will no longer be theirs. With identity fraud and cyber theft ever on the rise, the transformation of digital authentication will remove passwords as an access method altogether.