January 22, 2025

New Warning As Microsoft Confirms Password Deletion For 1 Billion Users – Forbes

Your password will be deleted—but it’s more complex than it seems.

“The password era is ending,” Microsoft has confirmed, warning its billion users that “bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.” And while the company “blocks 7,000 attacks on passwords per second… almost double from a year ago,” that’s not nearly enough. “Our ultimate goal,” it says, “is to remove passwords completely.”

Those billion passwords will be replaced with passkeys, which “offer an improved user experience by letting you sign in faster with your face, fingerprint, or PIN… They also aren’t susceptible to the same kinds of attacks as passwords. Plus, passkeys eliminate forgotten passwords and one-time codes and reduce support calls.”

But it’s not all smooth sailing. “Passkeys are the future of authentication, but widespread adoption faces challenges,” the UK government’s cybersecurity authority has just warned, outlining “significant bumps in the road ahead” before Microsoft’s vision of a password-less future can become reality.

The use of passkeys seems to be binary — those who use them are likely to use them widely, while those who do not are yet to jump on board at all. “In the two years since passkeys were announced and made available for consumer use,” the FIDO Alliance says, “passkey awareness has risen by 50%… The majority of those familiar with passkeys are enabling the technology to sign in.”

The UK’s National Cyber Security Centre (NCSC) says “most cyber harms that affect citizens occur through abuse of legitimate credentials. That is, attackers have obtained the victim’s password somehow – whether by phishing or exploiting the fact the passwords are weak or have been reused… Passwords are just not a good way to authenticate users on the modern internet.”

But to go from where we are today to ubiquitous deployment — enabling Microsoft and others to delete billions of basic, reused, crackable passwords — needs work. NCSC outlines ten critical issues holding back such mass adoption.

The good news is that all of this is being worked on, co-ordinated by FIDO and others and driven by technology providers and financial and other secure-by-design industries, all looking to finally end the scourge of all-too-easy attacks. “Achieving this vision,” NCSC says, “needs an intensified effort from all parties and greater collaboration to cohere the vision and prevent it fragmenting to the extent that users disengage.”

This is why Microsoft says it is moving slowly toward its goal, “understand[ing] where and when to invite users to enrol passkeys… We ran multiple user studies and tested every pixel in our nudge screen to answer the question, ‘What would motivate a user to stop what they’re doing and enrol a passkey?’”

The challenge is that for passkeys to resolve the worsening threat landscape now being boosted by new AI-fueled attacks, this needs to go the whole way. “While enrolling passkeys is an important step,” Microsoft says, “it’s just the beginning. Even if we get our more than one billion users to enroll and use passkeys, if a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing. Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials.”

Source: https://www.forbes.com/sites/zakdoffman/2025/01/21/new-warning-as-microsoft-confirms-password-deletion-for-1-billion-users/
