
One of the main identity-related topics at the Microsoft Ignite March 2021 edition was passwordless.

Microsoft announced at the event that passwordless authentication is now generally available, and Microsoft is now urging their customers to start their journey towards passwordless.

As the name implies, going passwordless means that we get rid of passwords for good, replacing them with a more secure solution based on: something you have and something you are, or something you know.

Based on this you might ask, “Hey, but doesn’t having a username and password already match the something you have and something you know statement?” Well, that’s correct, but in the case of passwordless the “something you know” part is not transmitted over the network and is often device specific, which makes it less vulnerable.

That basically means that if someone else knows the PIN you use to log in to Windows Hello for Business on your Windows 10 device, that PIN is theoretically useless on another device, since the PIN is device specific and stored locally.

Figuring out the PIN of another user is also referred to as “shoulder surfing”.

I do see one big caveat here though, and it’s something we have learned from the past. People tend to re-use their password for convenience: that way they only have to remember one password for logging in to multiple services. I expect the same to happen with PINs, because there is nothing stopping a user from using the same PIN to unlock multiple devices (for example, the same PIN to unlock both their mobile phone and their Windows device). The only way to stop this is to require a biometric identifier (fingerprint or face recognition, a.k.a. “something you are”).

Also, let’s not forget that if attackers really want to, there are other ways to get what they want. You have probably all seen a movie or series where the actor cuts off the finger of their dead victim and uses it to unlock doors or gain access to devices. Another funny example is the one where kids find out that they can unlock their parent’s mobile with the parent’s fingerprint while they are asleep.

Security versus convenience

Modern Authentication

One of the requirements you must fulfil before you can go passwordless is to get rid of legacy authentication. By blocking legacy authentication you block the authentication protocols that only support username and password logins, and transition to protocols that support modern authentication, which is token based.
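Before legacy authentication can be blocked, you need to know which users and protocols still depend on it. The following added example (not part of the original post) reads Azure AD sign-in records exported as JSON lines and reports every sign-in that used a username/password-only protocol; the record layout, the sample records and the set of legacy protocol names are assumptions, with the sample data constructed here.

```python
"""Pre-check before blocking legacy authentication: list the sign-ins that
still use username/password-only protocols, so they can be migrated first.

Added example, not from the original post. It assumes Azure AD sign-in logs
exported as JSON lines with userPrincipalName, appDisplayName and
clientAppUsed; the sample records are constructed, and the legacy protocol
names are an assumption based on Microsoft's documented legacy client list.
"""
import json
from collections import Counter

# Protocols that can only carry a username and password, never a token.
# Anything not listed here is treated as modern (token-based) authentication.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Autodiscover", "Exchange Web Services", "MAPI Over HTTP",
    "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Exchange Online PowerShell", "Other clients",
}

# Constructed sample export: one JSON object per line.
SAMPLE_LOG = """\
{"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4"}
{"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser"}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync"}
{"userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients"}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Other clients"}
"""

def is_legacy(record):
    """True when the sign-in used a protocol that cannot carry a modern token."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS

def legacy_auth_report(log_text):
    """Return {(user, protocol): count} for every legacy-auth sign-in.
    Each entry is a dependency that breaks once legacy auth is blocked.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            record = json.loads(line)
            if is_legacy(record):
                counts[(record["userPrincipalName"], record["clientAppUsed"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for (user, proto), n in sorted(legacy_auth_report(SAMPLE_LOG).items()):
        print(f"{user:<24} {proto:<22} {n}")
```

Run it against a real export (one record per line) to get the list of accounts that must be moved to modern-auth clients, or excluded, before the block goes live.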
