Background 

Nearly 20 years ago a friend and I used to demonstrate live cracking of passwords given to us at the beginning of a one-hour presentation. There were some rules, nothing too long and no unusual punctuation symbols to give a laptop a chance to crack the password in under an hour. We typically succeeded in well under an hour. 

We met up again recently and got onto the topic of passwords – it was an exciting evening! 

  • Me: Passwords are pointless, they are as weak and as annoying as they have ever been. Password attacks are involved in over 80% of breaches, attackers log in, they don’t break in, and humans cannot be relied on to think of proper passwords. 
  • My friend: I agree but there isn’t anything better yet, certainly not as usable between platforms and applications. Besides, many tools exist to create random complex passwords and then we have multi-factor authentication (MFA) which stops just about all of the automated password attacks and 76-96% of other password attack methods. 
  • Me: I know, MFA using the Microsoft Authenticator app is good. But it still relies on a password and therefore is inherently weak, with MFA Fatigue becoming a recognised condition! And besides, not all services use MFA even today, and as just about everyone shares their actual (or for cyber security folk, a variation) password between web sites, one of them will have leaked credentials already and your password is already for sale. 
  • Me (again): And if you are now forcing me to carry around a device to house the MFA authentication app, why can’t I just use that and not a password at all? 
  • My friend: Yes, yes, yes, but how do you securely enrol, and what happens if your phone is stolen? This is an escalating problem in large cities like London, where a phone is snatched off unsuspecting users every 6 minutes. Or even more probable, your mobile phone battery dies or there’s no signal, then what? (See the BBC News article ‘Phone reported stolen in London every six minutes’.) 
  • Me: Yes but, a new method has arrived to save the day: passkeys. Everyone and their dog are using them, and you can even use them with the Microsoft Authenticator app now! 
  • My friend: Complex passwords are still better and easier to use. 
  • Me: You’re wrong, complex passwords require an app to remember them, so you still need a device, and have you ever tried typing in a complex password on a phone keyboard? 

And on it went, but it did leave me thinking: can a determined user go passwordless today, especially as passkeys are gaining momentum? To set some ground rules, I will just be looking at Microsoft Entra ID (what was Azure AD) and consumer Microsoft accounts (Hotmail, Outlook.com, Xbox etc). 

Microsoft consumer accounts 

Let’s get the easy one covered first, Microsoft consumer accounts. These have been passwordless for a few years now. And they can be truly passwordless, the account has no password stored at all. 

I log in using the Microsoft Authenticator app, which involves unlocking my phone (FaceID), unlocking the app (another FaceID) and then confirming the request (another FaceID). In theory my phone could have been snatched at multiple points, so having multiple FaceID requests adds an acceptable layer of security without bothering me too much; I just need to stare lovingly at my phone for a few more seconds! 

Entra ID accounts (once known as Azure AD) 

This is the interesting area: can you log in to your work account without a password? You can, of course, but with some caveats: 

  1. Windows Hello has allowed passwordless sign-ins since 2015 and tends to work well. Gazing into an enabled webcam (it requires a depth sensor), a fingerprint sensor or just a PIN will all work to allow a secure exchange between your machine and Entra ID without touching a password. This works for laptops and desktop computers. 
  2. However, a password still exists in the background, and for new user account creation a password is required before the account can be created. 
  3. There are other methods such as FIDO2 tokens and smart cards, but I am removing these from the equation as they require too much user input: the user must remember to bring them to work, not leave them in the washing machine or allow their pets to run off with them. 
  4. The new kid on the block (in preview) as of May 2024 is passkeys. You can use passkeys to log in to Entra ID! Well, sort of, but more about this below. 
  5. Therefore, as of today, you cannot have an Entra ID account without having a password registered and therefore it’s open to password-style attacks. This means everyone should be using MFA as a minimum as the main defence against password-style attacks. This places more emphasis on the authenticator app. 

Microsoft Authenticator app 

The app is available for iOS and Android (and even Windows Mobile back in the day) and is the key weapon in defeating password attacks today and in removing the need for passwords entirely, now and in the future. 

Over the last 20 years one key element within society has changed. Just about all of us can do the following: 

  1. Own a secured smartphone with embedded biometric readers that are pretty good 
  2. This device is more attached to us than any other object; in fact it is welded to us if we were born after the year 2000 
  3. It is generally powered throughout the whole day with a constant data (internet) connection via 3G, 4G, 5G or a local WiFi access point 
  4. The Microsoft Authenticator app is easily installed to manage both private and work credentials, as well as password management, auto-fill for browser forms and even a complex password generator. It’s even the #1 productivity app on Apple with a 4.7 rating! 

The app can handle several authentication types: 

  1. It has a built-in One Time Password (OTP) generator that even works when the phone is offline 
  2. It can, of course, be used as part of an MFA response; used as an extra factor of authentication when used with passwords 
  3. Similar to MFA, it can also be used to ‘check’ suspicious user logons if enabled by the organisation 
  4. Passwordless sign-in. This can’t be used to log on to a Windows device but can be used to access resources over the web, and works very well. Multiple accounts can be supported on a single phone. The user selects their account, normally from a web browser on a PC, and is given a two-digit number to type into the Authenticator app, which shows a rough geographic location and the username of the account trying to authenticate. Enter the correct number and you are then authenticated with no password in sight. 
  5. Currently in preview, the app can also be used to house device-bound passkeys. 

In short, a real Swiss army knife approach to security. 

Passkeys 

Passkeys work very much like Windows Hello. There is a private / public key pair. Windows Hello stores the private key within the TPM chip on the motherboard. The private key of a passkey can be stored in FIDO2-compliant devices and, as of last month (May 2024), in the Microsoft Authenticator app on iOS devices (Android to follow soon). 

Passkeys in general have been discussed a lot over the last couple of years and have been invested in by Microsoft, Apple and Google, and you can even use them to log into Amazon. They are the great saviour for achieving ‘passwordlessness’! 

The current implementation does work, but only just. These are device-bound passkeys (cannot be shared across devices or backed up) and can only be used to authenticate against web-based resources, and you cannot log into Windows with a passkey yet. 

In theory, passkeys should be even more seamless than anything else. On an Apple phone, use FaceID to open Authenticator, select the passkey, and pass another FaceID check. No need for a username (it’s included within the authentication sequence) and absolutely no password in sight. 
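To make the key-pair mechanism concrete, here is an added example (not code from the original post, nor Microsoft’s implementation) of a stripped-down passkey registration and sign-in in Go: the authenticator keeps the private key, the site keeps only the public key plus a user handle, and the origin and a fresh challenge are bound into what gets signed. It uses Ed25519 rather than the P-256 most passkeys use, collapses WebAuthn’s clientData/authenticatorData into one message, and the names RelyingParty, Authenticator and Register are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator models the phone/TPM side: the private key never leaves it.
type Authenticator struct {
	priv ed25519.PrivateKey
	user string // user handle returned at sign-in, so no username is typed
}
// RelyingParty models the website: it stores public keys only, by user handle.
type RelyingParty struct {
	ID   string
	Keys map[string]ed25519.PublicKey
}

// Register creates the key pair on the authenticator and sends only the public half.
func Register(rp *RelyingParty, user string) *Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // constructed demo: only an RNG failure can reach this
	}
	rp.Keys[user] = pub
	return &Authenticator{priv: priv, user: user}
}

// Challenge issues fresh random bytes per sign-in so a captured response cannot be replayed.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// signedMessage stands in for WebAuthn's authenticatorData||hash(clientData): the origin is bound in.
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Sign runs after the biometric/PIN unlock; a response made on a look-alike origin never verifies.
func (a *Authenticator) Sign(origin string, challenge []byte) (string, []byte) {
	return a.user, ed25519.Sign(a.priv, signedMessage(origin, challenge))
}

// Verify recomputes the message with the site's own ID (never trusting the client's claim).
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, known := rp.Keys[user]
	return known && ed25519.Verify(pub, signedMessage(rp.ID, challenge), sig)
}
```

A real deployment also checks the authenticator’s signature counter and the user-presence flag; those are left out here to keep the flow readable.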

However, this is how it actually works. The user must carry out the following: 

  1. Select passkey as the authentication method within the app (normally the browser) 
  2. The app will then display a QR code 
  3. Point phone camera at QR code 
  4. Phone will prompt with a ‘Continue’ button to complete the authentication sequence 
  5. In the background the phone will form a Bluetooth connection to the machine carrying out the authentication – no Bluetooth equals no authentication 
  6. FaceID check and success.

To be honest, it would be easier to enter a complex password, especially as one of my machines (a desktop) doesn’t even have Bluetooth. 

However, the fact that it actually works is the real news here. Microsoft has committed to creating a syncable passkey later this year (2024) which will become a lot easier to manage from a user’s perspective. 

Conclusion 

Many of the raw ingredients for a passwordless environment now exist and can even be experimented with today. However, my suspicion is that Entra ID will require a password at account creation for a number of years yet, I imagine for compatibility reasons, as many organisations still use hybrid identities between on-premises and cloud. 

Other areas have improved though, to aid in the journey. Think of a triangle with the following three sides: 

  1. Software support
    Authentication to a web-based resource is pretty uniform; almost everything works. Whereas to go passwordless in Windows, the only ‘usable’ option is Windows Hello, which uses biometrics or a PIN 
  2. Friction
    How easy is it for the end user to actually complete multiple authentications daily? An authenticator app on a smartphone, I would argue, has low friction in today’s environment 
  3. Security
    Passwords are the weakest security, but by far the most common method. This is what needs to change. Sign-in with a phone app or with a passkey is much more secure but needs to meet the same friction levels of a password. The current implementation of passkeys by Entra ID does not achieve this. 

Therefore, everyone will be using passwords somewhere in their environment. Even if they are very rarely actually used, they still exist and can be targeted. 

So, everyone should be using the Microsoft Authenticator app (or equivalent from other vendors) as a secondary source of authentication, without fail! 

Security minded individuals should also be looking to use other features within the Authenticator app to allow for passwordless sign-in today, and hopefully passkeys by 2025. 

We should all have an Authenticator app installed on our smartphones now! 
