Microsoft Wants You to Go Passwordless, but Should You?

Key Takeaways

  • Next year, more people should delete their passwords and start using biometric logins like fingerprint scanners, Microsoft said recently. 
  • Microsoft is promoting Windows Hello, a biometrics scanning tool that lets you log in to Windows 10 with your fingerprint. 
  • Cybercrime costs the global economy $2.9 million every minute, with roughly 80% of those attacks directed at passwords.

Get rid of your passwords and start using biometric authentication like fingerprints and face scans, Microsoft says. Not so fast, some security experts retort. 

Next year, passwordless logins should be the standard, Microsoft said recently on its security blog. The company is touting Windows Hello, a biometrics scanning tool that lets you log into Windows 10 with your fingerprint. But some observers say that you should hesitate before greeting Hello with open arms. 

“The use of biometrics as described in Microsoft’s plans is promising, but we should all exercise caution with new versions and implementations of biometric authentication, as we learned when researchers demonstrated that early iterations of Apple’s FaceID could be fooled,” Phil Leslie, the co-founder of cybersecurity firm Havoc Shield, said in an email interview.

“Would I trust Microsoft’s biometric approach with passwords to a free web app without any payment information in it? Probably. Would I use it for my bank account at this moment? Not yet.”

Let Your Fingers Do the Talking

Instead of passwords, Microsoft says it thinks users would be better served by using biometric security devices such as those that scan fingerprints or the shape of your face. Microsoft’s own Windows Hello software offers this option.

The number of consumers using Windows Hello to sign into Windows 10 devices instead of a password grew to 84.7% in 2020, up from 69.4% in 2019, according to the Microsoft security blog post.

To drive home the message that going passwordless is better, Alex Simons, corporate vice president of Microsoft identity program management, points out in the blog post that cybercrime costs the global economy $2.9 million every minute, with roughly 80% of those attacks directed at passwords.

“Passwords are a hassle to use, and they present security risks for users and organizations of all sizes, with an average of one in every 250 corporate accounts compromised each month,” he added. 

Convenient but Not More Secure

But users should keep in mind that while passwordless solutions like Microsoft Hello may be more convenient, they don’t increase security. “At the end of the day, a password is still required to protect the accounts,” Craig Lurey, co-founder and CTO of password management provider Keeper Security, said in an email interview.

“Cybercriminals know this, and they can still access the device or app by skipping the biometric authenticator and testing weak or re-used passwords. They also target account recovery, which uses passwords and security questions.”

Mobile devices, particularly smartphones, are frequently the authentication device used as part of passwordless infrastructure. Users need to make sure the device is free of malware before they allow access, Hank Schless, senior manager of security solutions at cybersecurity firm Lookout, said in an email interview.

“A compromised mobile device could allow an attacker access to your infrastructure if they’re able to take advantage of the device being used as a form of authentication,” he added. 

There are alternatives to Microsoft’s Hello if you are looking to do away with passwords. One solution is the app Nuggets, which uses a one-time onboarding process.

By scanning a government-issued ID (like a passport or driving license) and completing another check, consumers can simply access any site or app with their biometrics. There’s no need for a username or password—at any level. And no passing of personal data of any kind at login.

Even if passwordless is widely implemented, it’s not the silver bullet to solve all user login security issues, Schless said. “Mobile phishing will still be an issue,” he added. “Even if it’s less focused on credential harvesting, you still need to secure your employees from phishing links that deliver malware to the device.”

Passwords may be a hassle, but they are tried and trusted technology. Microsoft’s proposed biometric solutions may not be for everyone.
