Even strong passwords are… stupid

While this blog is mostly focused on passwords and how to ensure people can log in, the new direction within Microsoft is to get rid of passwords. I can already feel the shock from many security officers reading this post, but hear us (eeuh, Microsoft) out on this one.

Passwords are insecure by default: they require two-way encryption, they are mostly re-used over and over and over and over again, and your employee's corporate password (you know, the one with 12 characters minimum, punctuation and CAPITALS) is probably also used on their favorite dating website or Facebook. But even if your employee is security aware (they never type their password into a phishing website, which is the #1 breach method), they might be tempted to enter it on that airport terminal that happens to have a keylogger installed. With or without MFA, that password is now stolen and rendered useless.

So, as said, we want to get rid of passwords and replace them with something better. That is why Windows Hello 🙂 was created, allowing your employees to log in with their face, fingerprint or PIN code. One could argue a PIN code is the same as a password, but hear us out, it's not.

Windows Hello works with key pairs: on a specific device (and only that specific device) we create a key pair, and the private key of this pair is stored in the TPM of the device. We will go over the specific details later; in this post I wanted to show you a simpler way of removing the password from your Microsoft LiveID account, so that when you are trying to open your email on that public terminal, you don't have to type your password.

Log in to your LiveID (account.microsoft.com) and go to Security. On the primary page, click More security options.

There you can select Set up identity verification app under Identity Verification Apps. It will require you to download the Microsoft Authenticator app, which is available for Windows Phone, Android and iOS devices. Download it and set it up.

The next time you log in to your LiveID, instead of providing your password, select Use Microsoft Authenticator App Instead.

After this, the system will generate a code and display it on your screen:

And you will get a notification on your mobile device. If you are on a "trusted" device, you won't get a code and only have to accept the MFA prompt on your phone. But if you are on an untrusted device, the number is added to ensure that each session has a unique code and that you are not authorizing another session started by another user (who might be sitting next to you and knows your email address).

Now, given that somebody else might be able to get into your phone, it does not stop here: we need to make sure it's you and only you. There are two ways to provide that: either a PIN code needs to be entered, or, if your device supports Windows Hello (Windows Phone) or Fingerprint (iOS), you can provide proof of identity that way too.
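To make the session-binding point concrete, here is a small added simulation of both sides of the flow described above. It is not Microsoft's code; the session ids, the two-digit code format, the injectable code source and the function names are my assumptions. The server issues a per-session display code (none on trusted devices), and the phone's approval is accepted only if the user proved presence on the phone (PIN / Hello / fingerprint) and, on an untrusted device, typed the code shown on the screen they are actually sitting at.

```python
import hmac
import secrets


def random_display_code():
    """Two-digit code shown on the sign-in screen (assumed format)."""
    return f"{secrets.randbelow(100):02d}"


class PushMfaServer:
    """Toy model of passwordless sign-in via an authenticator app push."""

    def __init__(self, code_source=random_display_code):
        self.code_source = code_source  # injectable so tests can use fixed codes
        self.pending = {}               # session_id -> {"user": ..., "code": ...}

    def start_login(self, user, trusted_device):
        """Browser side: the user typed only an e-mail address and picked the app.

        Returns the session id (carried in the push notification) and the code
        the screen displays; trusted devices get no code."""
        session_id = secrets.token_hex(8)
        code = None if trusted_device else self.code_source()
        self.pending[session_id] = {"user": user, "code": code}
        return session_id, code

    def approve(self, session_id, user, entered_code, phone_unlocked):
        """Phone side: approve the push for session_id.

        phone_unlocked models the PIN / Hello / fingerprint check on the phone;
        entered_code is what the user read off the terminal's screen."""
        session = self.pending.get(session_id)
        if session is None or session["user"] != user:
            return False                # unknown or already-used session
        if not phone_unlocked:
            return False                # someone holding the phone is not enough
        if session["code"] is not None:
            if entered_code is None or not hmac.compare_digest(session["code"], entered_code):
                return False            # code belongs to a different session: not this login
        del self.pending[session_id]    # one approval per session, no replay
        return True
```

The interesting case is two concurrent pushes for the same account: the user types the number from their own screen, so approving the neighbour's session fails because its code differs.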

And that signs you in. So, without typing any password, but knowing your (phone) PIN code and having the phone with you (something you know, something you have), you get a full 2FA login. Secure, safe but mostly... very user friendly!

Set it up today!