Today’s technology news stream has been abuzz with the news that you can now eliminate your password from your Microsoft account. Huzzah! This must be a milestone or turning point for passwordless authentication, right? Uh, yes and no.
Microsoft has been telling us to get rid of passwords for a while now. “Wait, what??” has been the common response among most IT folks. Like a relationship we know we should leave, we cannot seem to give up on the idea of passwords. Sure, they are easy to guess. And it is true that if we create truly complex passwords, we will never remember them. We live on the horns of this dilemma between security and convenience. (Side note: it was in Calculus that I learned there is such a thing as a lemma. So, a dilemma is, of course, two lemmas. Easy!) At best, we use a password manager to help us get over the hump.
Passwords are the friend we are comfortable with, even if we know deep down that they will eventually let us down.
Announcing… Passwordless Authentication!
Fast forward to today, as news outlets like Tech Republic announce that you can now go passwordless on your Microsoft account. Big news!
Er, not so fast. Yes, you can now set up passwordless authentication on your Microsoft account. You can get rid of your password and sign in with the Microsoft Authenticator app, a FIDO2 hardware key, or a security code texted to your phone (bad idea). That part is all great.
The part that is not so great: when they say “Microsoft account” they mean your personal Microsoft account. This is what I call your “consumer” Microsoft account. Maybe you set one up when you thought you would upload all your photos to OneDrive (the consumer version). Then you found out Microsoft was being stingy about how much storage they would give you for free, and Google didn’t look so bad anymore.
The point is, this passwordless authentication news does not refer to your Microsoft work or school account. That's right: this news is not about what you can do with your Office 365/Microsoft 365 account to enable passwordless authentication.
And Now, for Some Good News
So, must we wait for some future Microsoft announcement before we can get rid of passwords for our Microsoft work accounts? I am happy to tell you that is not the case. In fact, what I will just call Office 365 accounts have had the option of passwordless authentication since late in 2018!
The passwordless authentication options for work accounts are the same as for personal accounts (Authenticator app, FIDO2 key, SMS text, Windows Hello). And the steps to set up passwordless authentication are similar for work and personal accounts. The first step is to enable Multi-Factor Authentication (MFA). If you have done that across the organization, congratulations! Now you can be the hero by announcing that, since everyone was so nice about adopting MFA, you are going to reward them by eliminating passwords!
Are You Ready to Take the Plunge?
Let me confess. At CGNET, we have not adopted passwordless authentication. I could be cute and blame it on our CTO. Maybe it’s because we have some accounts that do not have actual users who can change passwords or respond to an authenticator prompt. As with other big IT changes, it would be good to do some analysis. Make sure all your accounts can be shifted to passwordless authentication. If they cannot be shifted, decide if you want to set up policies to exempt accounts that cannot move. Maybe it is worth the trouble; maybe not.
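The analysis step above can be made concrete before anyone touches a policy. The script below is an added example, not code from the original post or from CGNET: it sorts accounts into buckets (ready for passwordless, MFA registered but only with SMS/voice-style methods, no MFA at all, or a service-style account that should probably be exempted). The record fields and method names are modelled on the shape of the Microsoft Graph `userRegistrationDetails` report, but the records here are constructed sample data, the `svc-` naming convention for non-human accounts is an assumption, and the set of methods counted as passwordless is the author's choice, not a Microsoft list.

```python
"""Passwordless readiness triage over authentication-method registration data.

Added example, not from the original post. Input records mirror the shape of
Microsoft Graph's userRegistrationDetails report (userPrincipalName,
isMfaRegistered, isPasswordlessCapable, methodsRegistered), but everything
below is constructed sample data, not a real export.
"""
from collections import defaultdict

# Methods treated as passwordless for this triage (assumption: chosen to match
# the options named in the post, not an official list).
PASSWORDLESS_METHODS = {
    "microsoftAuthenticatorPasswordless",
    "fido2SecurityKey",
    "windowsHelloForBusiness",
}

# Methods that satisfy MFA but rely on phone/e-mail delivery; the post calls
# SMS codes a "bad idea", so these accounts get flagged separately.
WEAK_MFA_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone", "email"}

# Naming convention for accounts with no human behind them (assumption).
SERVICE_ACCOUNT_PREFIXES = ("svc-",)

# Constructed sample report: four accounts in different states of readiness.
SAMPLE_REPORT = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True,
     "isPasswordlessCapable": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "fido2SecurityKey"]},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": True,
     "isPasswordlessCapable": False,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": False,
     "isPasswordlessCapable": False, "methodsRegistered": []},
    {"userPrincipalName": "svc-backup@example.com", "isMfaRegistered": False,
     "isPasswordlessCapable": False, "methodsRegistered": []},
]


def classify_user(record):
    """Return the readiness bucket for one registration record."""
    upn = record["userPrincipalName"]
    # Service-style accounts cannot answer an Authenticator prompt; decide
    # separately whether to exempt them from the passwordless rollout.
    if upn.lower().startswith(SERVICE_ACCOUNT_PREFIXES):
        return "exempt_candidate"
    # The post's first step: MFA has to be in place before going passwordless.
    if not record.get("isMfaRegistered"):
        return "needs_mfa"
    registered = set(record.get("methodsRegistered", []))
    if record.get("isPasswordlessCapable") or registered & PASSWORDLESS_METHODS:
        return "passwordless_ready"
    if registered and registered <= WEAK_MFA_METHODS:
        return "weak_mfa_only"
    return "needs_passwordless_method"


def triage(report):
    """Group user principal names by readiness bucket."""
    buckets = defaultdict(list)
    for rec in report:
        buckets[classify_user(rec)].append(rec["userPrincipalName"])
    return dict(buckets)


if __name__ == "__main__":
    for bucket, users in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{bucket}: {', '.join(users)}")
```

Run against a real export, the `exempt_candidate` and `needs_mfa` buckets are the ones to resolve before turning the policy on for everyone; the `weak_mfa_only` bucket is where the SMS holdouts live.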
Give passwordless authentication a try. Enable it for some folks and see how it works. If things are going well, enable it for the crankiest password holdout in your organization. Take it from there. Add a cherry to the top of this ice cream sundae by setting up your other online apps with federated authentication. The more apps and services you can bring under the umbrella, the more secure it will be for your organization. And the more convenient it will be for your users.