Next year, passwordless logins should be the standard, Microsoft said recently on its security blog. The company is touting Windows Hello, a biometrics scanning tool that lets you log into Windows 10 with your fingerprint. But some observers say that you should hesitate before greeting Hello with open arms. “The use of biometrics as described in Microsoft’s plans are promising, but we should all exercise caution with new versions and implementations of biometric authentication, as we learned when researchers demonstrated that early iterations of Apple’s FaceID could be fooled,” Phil Leslie, the co-founder of cybersecurity firm Havoc Shield, said in an email interview. “Would I trust Microsoft’s biometric approach with passwords to a free web app without any payment information in it? Probably. Would I use it for my bank account at this moment? Not yet.”
Let Your Fingers Do the Talking
Instead of passwords, Microsoft says it thinks users would be better served by using biometric security devices such as those that scan fingerprints or the shape of your face. Microsoft’s own Windows Hello software offers this option. The number of consumers using Windows Hello to sign into Windows 10 devices instead of a password grew to 84.7% in 2020, up from from 69.4% in 2019, according to the Microsoft security blog post. To drive home the message that going passwordless is better, Alex Simons, corporate vice president of Microsoft identity program management, points out in the blog post that cybercrime costs the global economy $2.9 million every minute, with roughly 80% of those attacks directed at passwords. “Passwords are a hassle to use, and they present security risks for users and organizations of all sizes, with an average of one in every 250 corporate accounts compromised each month,” he added.
Convenient but Not More Secure
But users should keep in mind that while passwordless solutions like Microsoft Hello may be more convenient, they don’t increase security. “At the end of the day, a password is still required to protect the accounts,” Craig Lurey, co-founder and CTO of password management provider Keeper Security, said in an email interview. “Cybercriminals know this, and they can still access the device or app by skipping the biometric authenticator and testing weak or re-used passwords. They also target account recovery, which uses passwords and security questions.” Mobile devices, particularly smartphones, are frequently the authentication device used as part of passwordless infrastructure. Users need to make sure the device is free of malware before they allow access, Hank Schless, senior manager of security solutions at cybersecurity firm Lookout, said in an email interview. “A compromised mobile device could allow an attacker access to your infrastructure if they’re able to take advantage of the device being used as a form of authentication,” he added. There are alternatives to Microsoft’s Hello if you are looking to do away with passwords. One solution is the app Nuggets, which uses a one-time onboarding process. By scanning a government-issued ID (like a passport or driving license) and completing another check, consumers can simply access any site or app with their biometrics. There’s no need for a username or password—at any level. And no passing of personal data of any kind at login. Even if passwordless is widely implemented, it’s not the silver bullet to solve all user login security issues, Schless said. “Mobile phishing will still be an issue,” he added. “Even if it’s less focused on credential harvesting, you still need to secure your employees from phishing links that deliver malware to the device.” Passwords may be a hassle, but they are tried and trusted technology. Microsoft’s proposed biometric solutions may not be for everyone.
