Microsoft’s Chief Information Security Officer Bret Arsenault speaking at Microsoft Ignite 2018.

Microsoft Ignite 2018: How Microsoft Went (Sort of) Passwordless

The road to a world without passwords is paved with both cultural and security challenges. Here’s how Microsoft’s CISO is working to overcome them.

Passwords are a headache for users and IT teams alike (stacks of password reset IT tickets are fun for no one). To eliminate the perils of passwords, Microsoft has joined the ranks of those hoping to do away with passwords entirely.

Among other measures, the company introduced at its 2018 Microsoft Ignite conference in Orlando, Fla., this week its Microsoft Authenticator tool, which enables a secure and passwordless sign-in to Azure AD-connected apps. Microsoft has already been using the tool for quite some time, and has been working internally to do away with passwords for its own users through a combination of the tool and Windows Hello, a multifactor authentication system for PCs and mobile devices, said Microsoft’s Chief Information Security Officer Bret Arsenault during a session at the conference.

While Microsoft isn’t going truly passwordless for another five years, the security team has been working to eliminate prompting with the aim of getting to a pseudo-passwordless state for users.

“There’s still a password, but the user only has to use the biometrics to get into the system,” said Arsenault. “There will still be something behind it, but the user won’t see it. They’ll never know it’s there. So, I get better security, I get a better user experience, and eventually we’ll get to where there’s no password maybe at all. But don’t wait five years to make everyone’s lives better.”

No change is easy, however, and both cultural and technical challenges followed the CISO and his team as they sought to pave the way to a world with fewer passwords inside their organization.

JOIN THE CONVERSATION: Follow @BizTechMagazine on Twitter for continued Microsoft Ignite 2018 coverage!

The Pitfalls of a World Without Passwords

Cultural challenges are often what prevent full-scale technological change, and while you might think employees would jump for joy at the prospect of no passwords, Arsenault notes that the security team simply didn’t anticipate how people would react to not seeing a password prompt.

It was really bizarre,” said Arsenault. “We had people who had Hello-enabled devices and had enrolled in Hello going in and entering their passwords.”

Changes to systems and user education helped to inform the workforce of the best way to approach the new authentication systems.

But once employees got used to this change and stopped entering passwords where they weren’t necessary, a new problem arose.

No one knows their passwords,” said Arsenault. “Which is a good problem to have.” Except, of course, when employees need to change passwords every few months in accordance with outdated security standards. The password-change requests were flooding the IT department when those times arose, and so Microsoft chose to change its policy.

“This month, we transitioned our password-rotation policy to be once a year and not every 70 days, and we will be more secure because of it,” said Arsenault.

MORE FROM BIZTECH: Could WebAuthn spell doom for the dreaded password?

Spray Attacks Prove Problematic for a Passwordless Future

So, what took the company so long to move away from the constant password rotation? One specific threat: password spray attacks.

Security professionals are likely very familiar with brute-force password attacks, which attempt to hack an account by employing a series of likely passwords — think Password1234 or Eagles2018 (in Pennsylvania) — against known usernames. But as software changes to spot and prevent these attacks via lockouts, spray attacks have emerged in their stead.

In spray attacks, hackers will try just two or three common passwords over a longer period of time and on multiple accounts so that it appears as a failed login and doesn’t raise any alarms or trigger a lockout.

To tackle the threat of spray attacks, Microsoft employed a filter that prevents users from using easily guessable passwords. In combination with MFA, which can “eliminate the blast radius” if a hacker does manage to breach an account, Arsenault believes the company is on its way to preventing spray attacks and to a secure future with fewer passwords.

“If you have a password filter, if you have MFA and if you have strong proofing, then you’re really in a great state,” Arsenault said.

Don’t miss a thing! Keep this page bookmarked for articles from the event. Follow us on Twitter at @BizTechMagazine, or the official conference Twitter account, @MS_Ignite, and join the conversation using the hashtag #MSIgnite.

Cybersecurity-report_EasyTarget.jpg

Juliet Van Wagenen
Sep 25 2018

Sponsors