Microsoft has released a security update for millions of Windows 10 users recommending that they remove their passwords. Do not change your passwords; delete them. Completely. Forever.
More than two years ago, I first wrote about Microsoft confirming the death of Windows 10 passwords here on Forbes. The intention to totally replace passwords as a secure account authentication method - the way you log into your Microsoft account - has been a long time coming. But now it's finally here, after Microsoft suddenly flipped the passwordless switch this week. And, dear reader, this isn't about hiding your password from view and using Windows Hello facial recognition on a daily basis. This means completely deleting your password.
"You can now remove your password from your Microsoft account," confirmed Joy Chik, corporate vice president of identity at Microsoft, on September 15. This follows a similar announcement for business users in March and now extends a passwordless reality to all consumer users, including those with Windows 10 or 11.
Once the password is removed from your Microsoft account, you simply use the Microsoft Authenticator app instead. When you log in, a notification appears on your smartphone asking whether it is you signing in; confirm, and you're in. It really is that safe and simple. Of course, you can also use Windows Hello, a hardware security key, or even a one-time verification code sent by email or to your phone. The common denominator is the total absence of a password from the process.
Does this really mean the end of passwords for Windows 10 users?
This matters, especially as it departs from earlier "passwordless" promises where the password stays in place as a security fallback and remains vulnerable to attack. So I contacted Microsoft to verify that this was the case and asked what the backup options are in this new passwordless scenario.
"If a user loses access to the Microsoft Authenticator app for any reason," a Microsoft spokesperson told me, "they can still get their account back if they have access to other verification options, such as an email or a phone number." By default, that would be a single code and you're back in. However, if the user enables two-step verification on the account, which is still possible and recommended, then "you will need to provide the codes sent to two verification options".
You may spot a problem here if you use the app on the same phone as the number used for one of these other verification methods. Anyone with access to your phone could obtain both your primary and secondary authentication details. As always, it's not clear how the biometric check to get past the lock screen, and the PIN needed to unlock the SIM card after a phone reboot, factor in here as well.
That led me to ask about Windows specifically, since not everyone uses a Microsoft account to log into Windows; some prefer to use a local account instead. This could lead to a confusing situation where a user has no password on their Microsoft account but still needs a password (even if it's only in the background behind Windows Hello) to log into Windows 10 or 11.
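The co-location risk described above, modelled as an added example (this is not code from the article or from Microsoft): each registered verification option is bound to the physical device that receives it, and the check reports any pair of recovery options that a single lost or compromised handset could satisfy. The method names and device labels are constructed for illustration.

```python
from itertools import combinations

# Constructed sample registrations (not from the article): each verification
# option on the account and the physical device that actually receives it.
# Here the Authenticator app and the SMS number share one handset.
METHODS = {
    "authenticator_app": "phone-A",
    "sms_code": "phone-A",   # same SIM/handset as the app
    "email_code": "laptop",
}


def recovery_combinations(methods, required=2):
    """Every set of `required` options that could be used to recover the
    account (the article: codes sent to two verification options)."""
    return [set(c) for c in combinations(sorted(methods), required)]


def single_device_recoveries(methods, required=2):
    """Return (options, device) for each recovery combination that one
    physical device can satisfy on its own. A non-empty result means a
    single compromised handset yields both factors at once."""
    risky = []
    for combo in recovery_combinations(methods, required):
        devices = {methods[m] for m in combo}
        if len(devices) == 1:
            risky.append((sorted(combo), devices.pop()))
    return risky


def is_factor_independent(methods, required=2):
    """True when no recovery combination collapses onto a single device."""
    return not single_device_recoveries(methods, required)


if __name__ == "__main__":
    for options, device in single_device_recoveries(METHODS):
        print(f"both {options} land on {device}: one device recovers the account")
    # Moving the SMS number to a second handset removes the overlap.
    fixed = dict(METHODS, sms_code="phone-B")
    print("independent after moving SMS:", is_factor_independent(fixed))
```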
The Microsoft spokesperson confirmed that removing the password from a Microsoft account will provide a "safer, easier and faster way to authenticate" and "completely remove the password from the Windows login for added security."
To clarify, this means that Windows 10 or 11 users can take advantage of the added security of going passwordless, but they must use the Microsoft account option to do so. "When you add your Microsoft account to Windows, you simply log in and access your favorite Microsoft products and services with a single login," says the spokesperson, adding: "You can now use Windows Hello without a password, where you have the option to completely remove your password from your Windows login for added security."
Microsoft therefore recommends that users who currently log in to Windows with a local account switch to using a Microsoft account instead, and we have a helpful guide to doing so.
Will you remove your Windows 10 password?
Most people in the cybersecurity community I've talked to about Microsoft activating this passwordless toggle agree that it's a positive step towards more secure authentication for the average user. No, it's not 100% secure, but nothing is. Even taking into account the lack of physical separation between the second factors I mentioned above, and the dependence on your smartphone, it's still beneficial for most people, most of the time. This is because most people don't have unique, long, complex and random passwords for each account, managed with a password manager. That said, if you do, there's no rush to abandon the password route, to be honest.
The problem, however, is making sure that users who would benefit from it know the option is available, and encouraging them to take it.
"Removing a password has been the technology challenge since accounts were first hacked, so this may be the closest thing to fighting it," says Jake Moore, a cybersecurity specialist at ESET and this week's Straight Talking Cyber video host. "Even when they try to teach people not to reuse passwords, people tend to form bad habits with their cybersecurity, and threat actors in multiple cyber attacks have inevitably abused it."
This passwordless development marks the next step in helping people become more aware of their cyber hygiene, says Moore, "but until it's forced, those who illustrate bad habits using poorly constructed passwords may not participate in the feature and may stay logged in with their reused password."
Perhaps Microsoft needs to take a leaf out of Google's book, which recently announced that two-step verification would be mandatory for YouTube creators who monetize their channels. Yes, I know it's not the same as getting rid of passwords, but by forcing the change on users, you also greatly improve their security posture and help protect them from attack.
Leaving the decision to the user seems like the right thing to do, of course, but as with adopting a password manager (which most agree is an easy way to improve password security), we know that most people don't bother.
"Less reliance on passwords will help greatly along the way, adding a layer of defense where there has been the first line of attack in many circumstances," Moore says in conclusion. "As more people embrace the idea and begin to trust it, this could take off quickly, leaving password abuse, such as credential stuffing, a thing of the past."