Microsoft has released a security update for millions of Windows 10 users recommending that they remove their passwords. Not change them; delete them. Completely. For real.
Over two years ago, I first wrote about Microsoft confirming the death of Windows 10 passwords here at Forbes. The intention to completely replace the password as the method of authenticating to your Microsoft account has been a long time coming. Now it is finally here, after Microsoft flipped the password-less switch this week. And, dear reader, this is not just about hiding your password behind Windows Hello face recognition for day-to-day sign-ins. It removes your password altogether.
“You can now remove your password from your Microsoft account,” confirmed Joy Chik, vice president of Microsoft’s identity division, Sept. 15. This follows a similar announcement for commercial users in March and now extends a password-free reality to all mainstream users, including those with Windows 10 or 11.
Once you remove the password from your Microsoft account, you use the Microsoft Authenticator app in its place. When you sign in, a notification appears on your smartphone asking whether it is really you; confirm it and you are signed in. It really is that secure and easy. You can also use Windows Hello, a hardware security key, or a one-time verification code sent by email or to your phone. The common denominator is the complete absence of a password from the process.
Does this really mean the end of passwords for Windows 10 users?
This is important, not least because it departs from similar “passwordless” promises in which the password stays in place as a backup and therefore remains open to attack. So I contacted Microsoft to verify that was the case and asked what the recovery options are in this new no-password scenario.
“If a user loses access to the Microsoft Authenticator app for any reason,” a Microsoft spokesperson told me, “they can still recover their account if they have access to their other verification options, like an e-mail or a phone number.” By default, a single code sent to one of those options is enough to get back in. However, if the user enables two-step verification on the account, which is always possible and always recommended, then “they will have to provide codes sent to two verification options.”
You may have spotted the issue if the Authenticator app lives on the same phone as the phone number used for those other verification methods. Anyone with access to your phone could potentially obtain both your primary and your backup credentials. As always, it is not quite that clear-cut, because things like biometric lock-screen checks and the PIN needed to unlock your SIM card if the phone is reset come into play.
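The recovery rules quoted above (one code by default, codes from two different verification options once two-step verification is on) are easy to reason about by hand, but the shared-phone problem is easier to see when the account's verification methods are written down with the device each one is usable from. The following is an added example, not Microsoft's code and not any real API; it is a small model of those rules, with `VerificationMethod`, `device` labels and the sample configurations all constructed here as assumptions. It flags configurations in which a single device holds enough fallback options to complete a recovery on its own, and configurations in which the Authenticator app shares a device with a fallback option.

```python
"""Hypothetical model (added example, not Microsoft's code) of the recovery
rules described in the article: a lost Authenticator is recovered through the
account's other verification options, one code by default and codes from two
different options when two-step verification is enabled."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class VerificationMethod:
    kind: str    # "authenticator", "sms" or "email" (kinds named in the article)
    device: str  # constructed label for the device the method is usable from


def codes_required(two_step_enabled: bool) -> int:
    """Number of distinct verification options a recovery must satisfy."""
    return 2 if two_step_enabled else 1


def single_device_recovery(methods: Iterable[VerificationMethod],
                           two_step_enabled: bool) -> list:
    """Devices that alone carry enough distinct fallback options to complete a
    full recovery; whoever holds such a device can regain the account."""
    needed = codes_required(two_step_enabled)
    options_per_device = defaultdict(set)
    for m in methods:
        if m.kind != "authenticator":  # the lost factor is not a fallback
            options_per_device[m.device].add(m.kind)
    return sorted(d for d, kinds in options_per_device.items()
                  if len(kinds) >= needed)


def authenticator_colocated(methods: Iterable[VerificationMethod]) -> bool:
    """True if the Authenticator app shares a device with any fallback option,
    the situation the article warns about (primary and backup on one phone)."""
    methods = list(methods)
    auth_devices = {m.device for m in methods if m.kind == "authenticator"}
    return any(m.kind != "authenticator" and m.device in auth_devices
               for m in methods)


def assess(methods: Iterable[VerificationMethod], two_step_enabled: bool) -> dict:
    """Summarise the recovery exposure of one account configuration."""
    methods = list(methods)
    return {
        "codes_required": codes_required(two_step_enabled),
        "single_device_recovery": single_device_recovery(methods, two_step_enabled),
        "authenticator_colocated": authenticator_colocated(methods),
    }


# Constructed sample: Authenticator, SMS number and mailbox all on one phone.
EVERYTHING_ON_PHONE = [
    VerificationMethod("authenticator", "phone"),
    VerificationMethod("sms", "phone"),
    VerificationMethod("email", "phone"),
]

# Constructed sample: the recovery mailbox is only reachable from a separate
# laptop, so with two-step verification no single device completes a recovery.
SPLIT_ACROSS_DEVICES = [
    VerificationMethod("authenticator", "phone"),
    VerificationMethod("sms", "phone"),
    VerificationMethod("email", "laptop"),
]

if __name__ == "__main__":
    for name, cfg in (("everything on phone", EVERYTHING_ON_PHONE),
                      ("split across devices", SPLIT_ACROSS_DEVICES)):
        for two_step in (False, True):
            print(f"{name}, two-step={two_step}: {assess(cfg, two_step)}")
```

With everything on the phone, the phone alone completes a recovery whether or not two-step verification is on; splitting the mailbox onto another device removes the single-device path only once two-step verification is enabled, which matches the article's advice to turn it on.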
This led me to ask about Windows in particular, since not everyone signs in to Windows with a Microsoft account; some prefer a local account. That could produce a confusing situation in which a user removes their Microsoft account password but still needs a password (even if only in the background behind Windows Hello) to get into Windows 10 or 11.
The Microsoft spokesperson confirmed that removing the password from a Microsoft account provides a “safer, easier, and faster way to authenticate” and “will completely remove your password from your Windows login for more than security.”
To clarify, this means that Windows 10 and 11 users can enjoy the enhanced security of going without a password, but they must sign in with a Microsoft account to do so. “When you add your Microsoft account to Windows, all you need to do is sign in and access your favorite Microsoft products and services with one sign-in,” the spokesperson said, adding, “you can now switch without a password using Windows Hello, where you have the option to completely remove your password from your Windows login for added security.”
So Microsoft recommends that users who are currently signing into Windows with a local account use a Microsoft account instead, and there is a helpful guide to do so.
Do you want to remove your Windows 10 password?
Most of the cybersecurity community I have spoken to about Microsoft flipping this password-less switch agree that it is a positive move towards more secure authentication for the average user. No, it is not 100% secure, but nothing is. Even allowing for the lack of physical separation between second factors I mentioned earlier, and the reliance on your smartphone, this is still a win for most people, most of the time. That is because most people do not have unique, long, complex and random passwords for every account, and do not use a password manager to handle them. If you do, there is no real rush to go password-free, to be honest.
The problem, however, is making sure that the users who would benefit both know that the option is available and are encouraged to take it.
“Removing a password has been a technological challenge since accounts were first hacked, so it might be the closest thing to fighting it,” said Jake Moore, video guest on Straight Talking Cyber this week and cybersecurity specialist at ESET. “Even when trying to teach people not to reuse passwords, people tend to develop bad habits with their cybersecurity, and the perpetrators of multiple cyberattacks have inevitably abused them.”
This password-less development marks the next step in making people more aware of their cyber hygiene, says Moore, “but until it is forced, those who demonstrate bad habits using bad passwords may not take part in the functionality and may remain unprotected and attached to their reused password.”
Maybe Microsoft needs to take a leaf out of Google’s book: Google recently announced that two-step verification will become mandatory for YouTube creators who monetize their channels. Yes, I know that is not the same as getting rid of passwords, but forcing the change on users also dramatically improves their security and helps protect them from attacks.
Leaving the decision up to the user seems like the right thing to do, of course, but as with password managers (which almost everyone agrees are a simple way to improve password security), we know that most people will not bother.
“Less reliance on passwords will help considerably in the future, and it adds a layer of defense to what has been the first line of attack in many circumstances,” Moore said, concluding, “as more and more people embrace the idea and start to trust it, it could quickly take off, leaving password abuse, such as credential stuffing, a thing of the past.”
A step-by-step illustrated guide to removing your Microsoft account password
Step one: In the security settings of your Microsoft account, open “advanced security options”, then, under the password-less option, click “activate”.
Step two: Click Next and approve the notification that appears in the Microsoft Authenticator app on your smartphone.
Step three: You will then be notified that your password was removed successfully, including by an email to that effect.