In an effort to reduce password usage, Microsoft introduced a new smartphone-based login feature for its Microsoft Authenticator application. How does this feature work, and can methods like this effectively eliminate passwords?
Protecting passwords has always been a thorn in the side of security practitioners looking to secure their organizations. The call to kill passwords has been out there for years and, recently, Microsoft took a stab at it by limiting password use with a new phone-based sign-in available in the Microsoft Authenticator app.
As the iconic XKCD comic puts it, "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess." Truer words have never been spoken.
With similar concerns in mind, the National Institute of Standards and Technology (NIST) issued new guidance that includes making passwords longer, not necessarily more complex, and rotating them only as needed, to reduce the risk of forgotten and poorly created passwords. Alongside these changes, people have moved toward two-factor authentication, configured on as many accounts as possible, to back passwords with a second factor, and it's here that Microsoft takes the idea of using a second device for authentication a step further.
By downloading the app for either iOS or Android, users logging in to Microsoft applications can enroll their mobile device as the way to approve login requests to a particular application. After the type of account being used is selected, the mobile app is configured to receive a validation prompt each time the user logs in to a program that has been set up to use Microsoft Authenticator.
For example, you can configure your Outlook email account within the mobile app, which requires you to select the account type and enter the proper credentials for the account. You're then asked to validate your mobile device with a confirmation code. Once that is completed on the mobile device, when you attempt to log in to Outlook from a computer you enter your username and select Use the Microsoft Authenticator App. The login request sends an alert to the Microsoft Authenticator app, which you approve by tapping it on your mobile device. The important part is that you're asked to unlock the mobile device again, as a way to improve the security of the login process. Once you unlock your mobile device, the login to Outlook on your computer completes with your authorization.
Logging in without the user entering a password each time eliminates the risk of phishing and of credentials being stolen in other ways. This essentially enables you to log in to your applications once, via the mobile app, and from then on everything is based on device approvals that you generate.
There are a lot of questions about whether or not this is considered a true two-factor solution and, at this point, I'd assume it is. You have something you know -- the PIN on the phone after entering the approval -- and something you have -- the actual mobile device itself.
It's helpful to note that this approval doesn't arrive as a text message -- a concern with mobile authentication raised in the past by NIST -- but is delivered directly through the app itself. This also raises the idea of using randomized credentials within the app, so that users essentially won't need to worry about their passwords, since they won't even know them.
A final concern with this type of authentication is that everything is becoming more mobile, and our devices are becoming the center of our lives. The security of these devices needs to become a priority in order for us to benefit from improvements like these in other areas of security.
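To make the flow described above concrete, here is a small simulation of a push-approval sign-in: the computer submits only a username, the server pushes a one-time challenge to the enrolled phone, the phone refuses to act until it is unlocked with its PIN, and the server accepts the approval only if it is fresh, unused and produced with the key provisioned to that device. This is an added example written for this page; it is not Microsoft Authenticator's protocol or code, and every name, key and value in it (the `RelyingParty` and `Phone` classes, the HMAC-based approval tag, the 60-second lifetime, the sample user and PIN) is an assumption constructed for illustration.

```python
"""Constructed simulation of passwordless push sign-in (example, not Microsoft's protocol)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

CHALLENGE_TTL_SECONDS = 60  # assumption: an unapproved prompt expires after a minute


@dataclass
class Challenge:
    username: str
    device_id: str
    nonce: str        # one-time random value; binds this approval to this login attempt
    issued_at: float


def approval_tag(device_key: bytes, username: str, nonce: str) -> str:
    """HMAC over (username, nonce) using the per-device key shared at enrollment."""
    return hmac.new(device_key, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()


class Phone:
    """Device side: holds the device key and a local PIN; signs nothing while locked."""

    def __init__(self, device_id: str, pin: str):
        self.device_id = device_id
        self.device_key = secrets.token_bytes(32)   # created on the phone at enrollment
        self._pin_salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)         # the PIN itself never leaves the phone

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._pin_salt, 100_000)

    def approve(self, ch: Challenge, pin: str) -> Optional[Tuple[str, str]]:
        """Step 2: user taps the prompt; the phone demands the PIN before it signs."""
        if not hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            return None  # still locked: no approval is produced at all
        return self.device_id, approval_tag(self.device_key, ch.username, ch.nonce)


class RelyingParty:
    """Server side: maps users to enrolled devices, issues challenges, verifies approvals."""

    def __init__(self):
        self.devices = {}   # username -> (device_id, device_key), filled at enrollment
        self.pending = {}   # nonce -> Challenge that has not yet been consumed

    def enroll(self, username: str, phone: Phone) -> None:
        # Assumption: enrollment runs inside an already-verified session (the
        # confirmation-code step in the text) and registers the device key.
        self.devices[username] = (phone.device_id, phone.device_key)

    def start_login(self, username: str, now: Optional[float] = None) -> Challenge:
        """Step 1: only a username is typed on the computer; a fresh nonce goes to the phone."""
        device_id, _ = self.devices[username]
        ch = Challenge(username, device_id, secrets.token_hex(16), now or time.time())
        self.pending[ch.nonce] = ch
        return ch

    def finish_login(self, nonce: str, device_id: str, tag: str,
                     now: Optional[float] = None) -> bool:
        """Step 3: accept only a fresh, unused challenge signed by the user's enrolled device."""
        ch = self.pending.pop(nonce, None)  # pop: any attempt, good or bad, consumes the nonce
        if ch is None:
            return False
        if (now or time.time()) - ch.issued_at > CHALLENGE_TTL_SECONDS:
            return False
        expected_id, device_key = self.devices[ch.username]
        if device_id != expected_id:
            return False
        return hmac.compare_digest(approval_tag(device_key, ch.username, nonce), tag)


def run_scenarios() -> dict:
    """Walk through the normal sign-in and the failure cases a defender cares about."""
    rp, phone = RelyingParty(), Phone("phone-01", pin="2468")  # constructed sample device
    rp.enroll("alice", phone)
    results = {}

    ch = rp.start_login("alice")                           # username on the computer
    dev, tag = phone.approve(ch, "2468")                   # PIN + tap on the phone
    results["approved_login"] = rp.finish_login(ch.nonce, dev, tag)

    # Replaying the same approval fails: the nonce was consumed by the first use.
    results["replay_rejected"] = not rp.finish_login(ch.nonce, dev, tag)

    # A locked phone (wrong PIN) never releases an approval, so there is nothing to submit.
    ch = rp.start_login("alice")
    results["locked_phone_refuses"] = phone.approve(ch, "0000") is None

    # An approval presented after the prompt has expired is rejected.
    dev, tag = phone.approve(ch, "2468")
    late = ch.issued_at + CHALLENGE_TTL_SECONDS + 1
    results["stale_rejected"] = not rp.finish_login(ch.nonce, dev, tag, now=late)

    # Knowing the username (the only thing typed on the computer) is not enough:
    # a tag made without the enrolled device key fails verification.
    ch = rp.start_login("alice")
    forged = approval_tag(b"not-the-enrolled-key", "alice", ch.nonce)
    results["forged_rejected"] = not rp.finish_login(ch.nonce, "phone-01", forged)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The two factors the text names map onto the code directly: the PIN check inside `Phone.approve` is the "something you know", and possession of `device_key` is the "something you have". A shared HMAC key is used here only to keep the example short; a production design would provision an asymmetric key pair so the server stores just the public key and a compromised server database cannot forge approvals.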
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)