A little over two weeks ago, Microsoft, Apple and Google unveiled plans to expand support for the common passwordless sign-in standard created by the FIDO Alliance, offering passwordless sign-in options to billions of users and allowing them to authenticate with their fingerprint, their face, or their device PIN.
Since the announcement, there has been much speculation about how the world of passwordless authentication will compare to the era of password-based authentication, with some commenters suggesting that FIDO wants to “kill passwords completely”.
For security teams, the idea of eliminating passwords is an attractive prospect because it prevents cybercriminals from sniffing passwords and credentials and reduces the risk of data breaches from phishing scams, brute force hacks, and business email compromise.
VentureBeat recently spoke with Vasu Jakkal, CVP Security, Compliance, Identity and Privacy at Microsoft, who is leading the organization’s push towards passwordless authentication options as part of the FIDO Alliance, to explore what a passwordless future means for enterprise security and how threat actors are likely to adapt.
Below is an edited transcript of the interview.
VentureBeat: Why is the FIDO Alliance moving away from password-based security?
Jakkal: Weak passwords are the entry point for most attacks on enterprise customer accounts. Last year, Microsoft found that there were a whopping 579 password attacks every second. In just one year, that number has grown to 921 attacks per second — that’s 79.3 million attacks per day.
In a recent survey we commissioned, nearly a third of respondents said they stopped using an account or service altogether rather than grappling with a lost password.
Passwords are unsafe and stressful for individuals and businesses. For this reason, we encourage users to use their Microsoft account without a password and to log in without a password whenever possible.
VentureBeat: What are the main benefits of passwordless authentication solutions?
Jakkal: Passwordless authentication solutions offer customers a safer, easier, and faster way to authenticate their accounts. Instead of keeping attackers out, weak passwords often provide an entry point. Using and reusing simple passwords across different accounts might make our online life easier, but it also leaves the door open.
Attackers regularly scroll through social media accounts looking for dates of birth, vacation locations, pet names, and other personal information that they know people use to create easy-to-remember passwords.
Our survey found that 68% of people use the same password across different accounts, putting you at even greater risk.
For example, if a password and email address combination has been compromised, it is often sold on the Dark Web to be used in further attacks. As my friend Bret Arsenault, our Chief Information Security Officer here at Microsoft, likes to say, “Hackers don’t break in, they log in.”
VentureBeat: Do passwordless organizations still have to worry about business email breaches and phishing threats?
Jakkal: Microsoft-recommended passwordless methods like Windows Hello and other FIDO credentials are designed to be phishing-resistant. They use cryptography to exchange keys and are tied to the hardware. This reduces the chances of BEC and phishing threats to almost nothing.
You can learn more about the phishability of different methods from our security researchers here: All your creds are belong to us! — Microsoft Tech Community
VentureBeat: How do you anticipate cybercriminals changing their tactics as adoption of passwordless solutions increases?
Jakkal: Password-only accounts remain a lucrative target for cybercriminals — it’s still the cheapest attack at $0.97 per 1,000, as reported in our Microsoft Digital Defense Report. We expect password attacks to continue for some time, but we’re always looking ahead to where the next set of attacks might emerge.
One area we’ve been investigating since the beginning of our passwordless journey is the risk of session token theft. We released new detections last fall to protect you from token theft.
We also actively work with standards bodies to develop security protocols to protect user sessions after they log in to minimize the risk of compromise. Microsoft’s Pam Dingle will be speaking on this topic at the RSA conference.
VentureBeat: Are there any security risks posed by passwordless solutions that companies should be aware of?
Jakkal: From a security perspective, Windows Hello, FIDO credentials, and smart cards are incredibly difficult to crack. However, we encourage our customers to adopt a Zero Trust “assume breach” mentality, as you can never guarantee 100% security.
A few areas that businesses should be aware of are the issuance and recovery of passwordless credentials.
Temporary access passes are one of the solutions we have developed to help with initial account setup or recovery, allowing customers to remain secure and password-free at all stages.
VentureBeat: Do you have any advice for security teams looking to start implementing passwordless authentication in their organization? (Any tips for deploying/managing the security of a passwordless environment?)
Jakkal: Yes, check out our helpful resources on this blog, including the deployment guide and a session with our CISO and CO on how we implemented passwordless at Microsoft: 3 Key Resources to Accelerate Your Passwordless Journey – Microsoft Security Blog. You can also see our latest customer stories here.