Recently Microsoft rolled out support for a passwordless authentication option in Windows 10. As of build 18309, Windows 10 users can setup and sign in using a phone number account, without ever having to create, or deal with a password. Other capabilities previously rolled out to help eliminate passwords include replacing them with biometrics and PINs.
Passwords are a security concern
Passwords have been a sore problem for businesses from the very beginning, so news from Microsoft is likely well received. Businesses have been struggling to secure user passwords from unrelenting social engineering and man-in-the-middle attacks designed to steal the coveted secrets. Some have resorted to deploying onerous multi-factor authentication solutions to help ensure that vulnerable passwords don’t put their business at risk.
Passwords are expensive
Beyond the security headache that they create, passwords are also inconvenient and expensive to manage. Users are required to recall and enter passwords multiple times during their workday, and are periodically required to refresh old passwords, which all translates into many hours of downtime in the aggregate. And when forgotten, passwords need to be reset, often times with the help of the helpdesk, which introduces additional downtime and expense.
Microsoft’s announcement is great news if you are starting a new business and planning to deploy the latest and greatest Windows technology on all your endpoints, and if all your business systems and applications will support the passwordless authentication options enabled on Windows 10. But if you already have a running business then you are likely out of luck, because real-world businesses typically run older versions of Windows alongside newer ones. They might also run MacOS and Linux machines, and maybe some thin client workstations. And the systems and applications they use will not necessarily support the recently released passwordless options, so passwords will still be needed.
What’s the point in going passwordless if you are still left with systems and applications that still rely on them?
Even with a few systems that still require passwords, users will need passwords, which means they will be subjected to the same password theft attacks and will endure the same downtime problems associated with them. So going passwordless is really an all-or-nothing situation.
An all inclusive passwordless solution or no solution – meet Susan
Passwordless authentication to Windows 10 – and even the AD domain from Windows 10 workstations – is not enough to allow businesses to go passwordless. Let’s imagine a typical workday for Janette, an employee from the procurement department at a Fortune 500 company working from a Windows 10 laptop. Janette starts her work day by logging into her Windows 10 laptop using the newly released Microsoft Authenticator App on her phone instead of a password.
Immediately after logging in she goes to Office365 to get a PO ready for signing – no authentication was required because the company’s Active Directory Federation Services (ADFS) is configured to provide single sign-on to this cloud application. She then sends the PO to the printer so she can have it signed, but encounters a problem. The secure printer requires LDAP authentication which means she has to produce a password which she has not used recently and therefore does not remember. Instead of running down to the IT helpdesk to reset her password, she decides to try and use the printer directly connected to her colleague’s Mac workstation.
She opens the browser, logs her friend out of Office365 so she can login to her own account and download the PO to the local machine. But she hits another roadblock because without ADFS to help, she needs to produce a password that she can’t remember. So she tries one last thing – she asks her friend to log off of her Mac workstation and allow her to logon with her account, so single sign-on will kick in and allow her into Office365 without requesting a password. But she hits yet another dead end because Mac does not support Windows 10 passwordless login.
Clearly, Windows 10 passwordless is a good first step to going passwordless, but falls short of delivering on the promise. To go passwordless, real world businesses need a passwordless authentication solution that was built for their needs and accommodates their assortment of business systems and applications.
Passwordless, for every use case
Secret Double Octopus delivers a passwordless authentication solution that addresses the needs of real-world businesses. It is designed on the assumption that real IT environments are heterogeneous, running older systems alongside newer ones, and therefore designed to support a diverse set of use-cases and business systems. It works for heterogeneous workstations running older and newer versions of Windows, MacOS and Linux, supports business systems that are joined to the Active Directory domain or working independently, on-premise, remotely accessed or in the cloud, online and offline.