Three reasons why passwords aren't going away any time soon

June 4, 2021

Passwordless continued to make headlines at Microsoft’s Ignite conference in March, when the company announced passwordless login is a now a standard feature for Azure Active Directory. The introduction of Temporary Access Pass alongside Azure AD passwordless features, marks another milestone in their journey towards eradicating passwords.

Removing passwords is a solid goal as they are fraught with vulnerability issues – reuse, common construction patterns and the almighty leaked password problem. However, Microsoft’s announcement really means that users will be required to use their passwords less often.

These are the three reasons why most organizations are not ready to abandon on-premises Active Directory and move towards a cloud-only model.

Reason 1: Hybrid directory will continue to dominate -Passwords will continue to persist for the vast majority of organizations that are dependent on Active Directory. Gartner states, in their Implement IAM Best Practices for Your Active Directory report, that over 90% of organizations worldwide are using Active Directory (AD) and that by 2025 less than 3% of large to mid-size organizations will completely migrate from AD to a cloud-based directory. Most will continue to operate in a hybrid model - connecting Active Directory to a cloud directory like Azure AD. The dependency on Active Directory continues for services like email, file sharing, applications that rely on Kerberos, etc. While organizations have accelerated cloud spending to support digital business models and enable employees working remotely, adoption has been focused on SaaS solutions. Access and authentication to SaaS services is being primarily managed through hybrid deployment models and not a complete replacement of Active Directory.

Reason 2: Passwordless methods still rely on passwords in the background - Passwords continue to be the failsafe method for various services that market themselves as passwordless. For example, Microsoft announced that passwords can be removed from the Windows login with Windows Hello for Business. Windows Hello for Business relies on a pin number and can also include bio-metric login. When a user cannot use the biometric hardware and forgets their PIN, they need their Active Directory password in order to reset it. Windows Hello for Business has also struggled to gain a large-scale foothold due to hardware dependencies and enrollment challenges.

Reason 3: Cybersecurity risks associated with passwordless - Microsoft uses Temporary Access Pass to provide a time-limited passcode that can be used to enroll in another authentication. The Temporary Access Pass is also used when a user loses or forgets their strong authentication factor and needs help resetting. Just like when users forget passwords or are locked out of their accounts due to an expired password, getting a temporary access code will require a call to the IT service desk. The unsettling reality is that these calls introduce risk as the IT service desk lacks secure user verification. This means that agents can fall victim to social engineering which can result in an attacker taking over an account.

Do not neglect password security

While going completely passwordless is not going to happen anytime soon, it is now possible to minimize dependence on passwords for the Azure AD login. For organizations that rely on Active Directory and want to secure failsafe passwords, the following recommendations provide a password security foundation:

Enforcing the creation of longer and stronger passwords.
Continually detect, remove and block the use of leaked passwords.
Secure password resets and account unlocks, whether being done through self-service or at the IT service desk.

Do not be misled by the term passwordless. Even when trying to minimize the password footprint the need to protect passwords that are in use will remain the same.

Marcus Kaber is CEO of Specops Software.

Protecting employees from potential exposure could be a daunting task, but with the right property technology, your office space can become an interactive and responsive asset that helps you ensure new health protocol compliance.

The State of Corporate Security: Challenges, Priorities and Technology Adoption

The events of 2020 have had a lasting impact on how organizations are approaching their security operations. With more remote workers, reduction in resources, and adaptation of new technology, there is a shift in how corporate security professionals are operating long-term. In this webinar, we will review a recent study we conducted this year with over 350 corporate security professionals on how 2020 impacted their business. We will outline the specific real-world challenges facing corporate security, how they’ve addressed them, and what technology are they looking to implement for long-term success.

Poll

Video Surveillance

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Three reasons why passwords aren't going away any time soon

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Three reasons why passwords aren't going away any time soon

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.