Microsoft Is Replacing the Password: What’s Taking Its Place?

It was supposed to have died a long time ago, but, for a near-cadaver, the password has managed to hold onto its last breath for over two decades. Bill Gates declared passwords passé way back in 2004, but it was only late in April that the company he founded introduced a replacement for the outmoded authentication system.

For years, organizations have sought to educate employees about the importance of secure passwords and of resisting phishing attacks -- and both efforts have failed. A Verizon report indicates that 63 percent of confirmed data breaches involved leveraging weak/default/stolen passwords in 2016.

Meanwhile, a new report from Proofpoint says that phishing and similar attacks using e-mail were up 45 percent in the last quarter of that year. Clearly, the constant haranguing by security teams of employees to change their passwords and make them more complicated, as well as their pleas not to click on suspicious links/attachments, are falling on deaf ears.

Indeed, according to NIST, the US National Institute of Standards and Technology, the only way passwords can be effective is by requiring users to come up with 16-character standard passwords (preferably a mix of letters and digits, with some capital letters and/or alphanumeric symbols thrown in), allowing for as many as 64 characters, instead of the eight- to 16-character range most organizations require for passwords today. We have enough trouble getting people to remember eight characters; can we really rely on people's memories to remember 16, 20, or more?

In addition to all this, passwords have another major weakness: They are extremely inappropriate for mobile users. Already in 2015, mobile searches began outpacing desktop searches, and by the end of this year mobile e-commerce revenues are expected to match revenues from desktop/laptop engagements -- before sailing past to become the primary source of...
