Microsoft Moves Towards Password-Free Logins
Microsoft has announced several steps towards a world without passwords. At this stage it is not so much a revolution as a few measures towards convenience.
The changes involve the way people log in to Microsoft services such as the online edition of Office, Skype, Edge browser and the Xbox Live gaming service (on PCs) - all of which work via a single Microsoft account.
Microsoft is building on "Windows Hello," an existing system for logging into a Windows 10 PC using a PIN code, facial recognition or a fingerprint reader, rather than relying on a password.
Physical Keys An Option
Users can now log in to their Microsoft account on PCs or mobile devices - and thus the associated services - using their password, a Windows Hello method, or a physical security key. This can be either a USB dongle or a small device that connects wirelessly through Near Field Communication (NFC), which is typically used on smartphones and contactless payment cards. (Source: windows.com)
Public Key Cryptography Used
With these various methods, security is boosted by splitting the security records over two "keys", which in this case means computer code rather than a physical device. (Source: theregister.co.uk)
The private key is stored on the user's device and includes any facial or fingerprint details, meaning Microsoft (and anyone who hacks Microsoft) doesn't have access to these details. Meanwhile a public key is stored on Microsoft's computers and is used to decrypt data sent to Microsoft servers.
This data includes the "password" (which is made up of a PIN, facial recognition, or biometric fingerprint), but is encrypted using the user's private key on the device. The private key never leaves the device, hence it is extremely secure.
This type of cryptography is also best suited to prevent "man in the middle" attacks, where a third party may be "listening in" on the communication and able to view authentication data (and in some cases, decrypt the data) as it is being sent. Since the data is already encrypted before it leaves the device, there is no way for such an attack to occur. Refer to this article for more information about public key cryptography.
Phishing Could Be Harder
The idea behind this scheme is to reduce the need for users to type in passwords or user names when logging in. In turn, that reduces the risk of them providing such details in response to a phishing scam, which is where scammers try to trick people into logging in to a bogus site or otherwise handing over login details.
For now, it will only be possible to log in to a Microsoft account through a password-less method using the Edge browser, and only if you are running Windows 10 with the infamous October Update patch. This patch has received some particularly bad press because it inadvertently deleted user data, broke sound cards, and caused an incompatibility with iCloud.
Passwordless systems such as this are expected to spread, as they are based on industry standards. Hence, it is expected that rival browsers such as Chrome and Firefox will adopt these standards sometime in the near future.
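The login flow described under "Public Key Cryptography Used" and "Phishing Could Be Harder", as an added example (not code from the article or from Microsoft): a device-held private key signs a one-time server challenge together with the site's origin, and the server checks the result with the stored public key. It signs the challenge rather than encrypting it, which is an assumption of this sketch about how such schemes are usually built; the class names, the `alice` account and the `example.com` origins are made up for illustration.

```javascript
const crypto = require('node:crypto');
// Constructed origin for this sketch; not a real Microsoft endpoint.
const REAL_ORIGIN = 'https://login.example.com';
// Bytes that get signed: the challenge bound to the origin the browser saw.
const signedBytes = (challenge, origin) => Buffer.from(`${challenge}|${origin}`);

// Server side: holds only public keys and the challenges it has issued.
class Server {
  constructor() { this.publicKeys = new Map(); this.pending = new Set(); }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge() {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.add(challenge);
    return challenge;
  }
  verifyLogin(user, { challenge, origin, signature }) {
    // Set.delete() is false for an unknown or already-used challenge (replay).
    if (!this.pending.delete(challenge)) return 'rejected: stale challenge';
    if (origin !== REAL_ORIGIN) return 'rejected: wrong origin';
    const key = this.publicKeys.get(user);
    if (!key) return 'rejected: unknown user';
    const ok = crypto.verify(null, signedBytes(challenge, origin), key, signature);
    return ok ? 'accepted' : 'rejected: bad signature';
  }
}

// Device side: the key pair is generated here; only publicKey is handed out.
class Device {
  constructor() { Object.assign(this, crypto.generateKeyPairSync('ed25519')); }
  // userVerified stands in for the local PIN, face or fingerprint check.
  respond(challenge, origin, userVerified) {
    if (!userVerified) throw new Error('local unlock failed');
    const signature = crypto.sign(null, signedBytes(challenge, origin), this.privateKey);
    return { challenge, origin, signature };
  }
}

function demo() {
  const server = new Server(), device = new Device();
  server.register('alice', device.publicKey);
  const good = device.respond(server.newChallenge(), REAL_ORIGIN, true);
  const first = server.verifyLogin('alice', good);
  const replay = server.verifyLogin('alice', good); // captured response resent
  // A look-alike site relays a fresh challenge, then rewrites the origin field.
  const phished = device.respond(server.newChallenge(), 'https://login.examp1e.com', true);
  const relayed = server.verifyLogin('alice', { ...phished, origin: REAL_ORIGIN });
  return { first, replay, relayed };
}
console.log(demo());
```

`demo()` reports the first login as accepted, the resent response as a stale challenge, and the response produced on the look-alike origin as a bad signature, because the origin is part of what the device signed.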
What's Your Opinion?
Do you use biometric logins or physical "security" keys already? Would you be happy or willing to do so? Will the day ever come when passwords are dropped completely?
Comments
Password-Free Logins
It's time (past time). The way we require passwords for everything is ridiculous and getting worse. Password managers help, but even then managing them is close to impossible. When the manager fails, you had better have a good backup. I am all for a biometric and key combination for everything.
password freedom
I've been doing password-free login to Edge for a month or so, very pleasant to have the computer look at you and intimate "I remember you" and let you in!
Passwords what's a Password
Just like the freaking clowns at Microsoft to decide let's do without passwords and perhaps go with a fingerprint reader! Guess what you fools at Microsoft I HAD A FINGERPRINT READER ON MY HP PAVILION DV6 LAPTOP WITH WINDOWS 7 and you total idiots said upgrade to Windows 10 and ruined my HP PAVILION DV6 LAPTOP WITH WINDOWS 7 with a fingerprint reader. I should have waited until my current notebook without a fingerprint reader.