Here's How Microsoft Plans To Rid Windows 10 Of Insecure, Inconvenient Passwords

Have you ever used the same password for multiple accounts? Maybe it's not particularly secure, either, because the really good ones are harder to remember—and no, 'monalisa' is not a secure password. Most will agree that password management is a pain in the backside, and if you wish there was a better way, well, Microsoft hears you. If Microsoft has its way, traditional password entry will go the way of the dodo bird.

"Nobody likes passwords. They are inconvenient, insecure, and expensive. In fact, we dislike them so much that we’ve been busy at work trying to create a world without them—a world without passwords," Microsoft states in a blog post.

So what's the alternative? Microsoft notes that in order to deliver a world without passwords (at least as it pertains to Windows and Microsoft's other software and services), there are two key goals that must be met. One is that end users should never have to deal with passwords in their day-to-day lives, which is a convenience factor. The other goal is to ensure that an alternative method is secure—it shouldn't be possible or easy for a user's credentials to be cracked, breached, or phished.

Here is the four-pronged strategy that Microsoft lays out in achieving those goals:
  1. Develop password-replacement offerings, i.e., replace passwords with a new set of alternatives that address the shortcomings of passwords while embracing their positive attributes.
  2. Reduce user visible password-surface area, i.e., upgrade all experiences related to the entire life-cycle of a user’s identity (including provisioning of an account, setting up a brand-new device, using the account/device to access apps and websites, recovery, etc.) and ensure these work with password-replacements (#1).
  3. Simulate a password-less world, i.e., enable end users and IT admins to simulate and transition into a password-less world with confidence.
  4. Eliminate passwords from the identity directory, i.e., the final frontier – delete passwords from the identity directory.

All of this is Microsoft's long-winded way of promoting Windows Hello, its biometric security system that allows users to log into compatible devices using facial recognition, fingerprint scanning, or iris scanning. According to Microsoft, over 47 million users around the world use Windows Hello, including more than 5,000 businesses, with adoption on over 1 million commercial devices.

That's an impressive adoption rate in a relatively short period of time, though Microsoft concedes Windows Hello is not always ideal.

"Windows Hello is an excellent replacement for passwords on personal PCs. That said, we acknowledge that there are many scenarios that involve shared PCs used by transient users and that provisioning Windows Hello is not ideal. To that end, we have been working hard on lighting up a series of portable credentials that are more suitable for such shared PC scenarios," Microsoft says.

One of those accompanying solutions is the Microsoft Authenticator app. This enables users to authenticate their Microsoft account using their mobile phone, as shown in the video above. Microsoft made this a point of focus in Windows 10 in S mode with the April 2018 Update, and it has wider deployments in mind.

All of this sounds good in theory, though biometric security can have its shortcomings too. To Microsoft's credit, a test in 2015 showed that Windows Hello wasn't thwarted when researchers assembled a group of twins to try to trick the facial recognition technology. But there have been other cases outside of Windows Hello where biometric security has fallen short.

Still, with how often passwords get leaked on the web, a password-free future doesn't seem like a bad idea.