Passwordless continued to make headlines at Microsoft's Ignite conference in March, when the company announced that passwordless login is now a standard feature of Azure Active Directory. The introduction of Temporary Access Pass alongside the Azure AD passwordless features marks another milestone in Microsoft's journey towards eradicating passwords.

Removing passwords is a solid goal, as they are fraught with vulnerability issues – reuse, common construction patterns and the almighty leaked password problem. However, what Microsoft's announcement really means is that users will be required to use their passwords less often, not that passwords go away.

Here are three reasons why most organizations are not ready to abandon on-premises Active Directory and move to a cloud-only model.

Reason 1: Hybrid directory will continue to dominate - Passwords will persist for the vast majority of organizations that depend on Active Directory. Gartner states, in its Implement IAM Best Practices for Your Active Directory report, that over 90% of organizations worldwide use Active Directory (AD) and that by 2025 less than 3% of large and mid-size organizations will have completely migrated from AD to a cloud-based directory. Most will continue to operate in a hybrid model, connecting Active Directory to a cloud directory such as Azure AD. The dependency on Active Directory continues for services like email, file sharing, applications that rely on Kerberos, and so on. While organizations have accelerated cloud spending to support digital business models and remote work, adoption has focused on SaaS solutions. Access to and authentication for SaaS services are managed primarily through hybrid deployment models, not through a complete replacement of Active Directory.

Reason 2: Passwordless methods still rely on passwords in the background - Passwords remain the failsafe for various services that market themselves as passwordless. For example, Microsoft announced that passwords can be removed from the Windows login with Windows Hello for Business. Windows Hello for Business relies on a PIN and can also include biometric login. When a user cannot use the biometric hardware and forgets their PIN, they need their Active Directory password in order to reset it. Windows Hello for Business has also struggled to gain a large-scale foothold because of hardware dependencies and enrollment challenges.

Reason 3: Cybersecurity risks associated with passwordless - Microsoft uses Temporary Access Pass to provide a time-limited passcode that can be used to enroll another authentication method. The Temporary Access Pass is also used when a user loses or forgets their strong authentication factor and needs help resetting it. Just as when users forget passwords or are locked out of their accounts because of an expired password, obtaining a temporary access code will require a call to the IT service desk. The unsettling reality is that these calls introduce risk when the IT service desk lacks secure user verification: agents can fall victim to social engineering, which can result in an attacker taking over the account.


Do not neglect password security

While going completely passwordless is not going to happen anytime soon, it is now possible to minimize dependence on passwords for the Azure AD login. For organizations that rely on Active Directory and want to secure the passwords that remain as the failsafe, the following recommendations provide a password security foundation:

  • Enforce the creation of longer and stronger passwords.
  • Continually detect, remove and block the use of leaked passwords.
  • Secure password resets and account unlocks, whether they are done through self-service or at the IT service desk.
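The first two recommendations as an enforcement check, added here as an illustration and not code from the original article or from any vendor product: a minimum length, a rule for the common word+year construction pattern, and a leaked-password lookup that matches only on a SHA-1 hash prefix (the k-anonymity range approach), so the full hash never leaves the checking side. The hash set below is constructed for the example and stands in for a real breach corpus or range API.

```python
import hashlib
import re

MIN_LENGTH = 14

# Constructed sample of leaked credentials (assumption: stands in for a breach
# corpus). Only the SHA-1 digests are retained, as a real corpus would store.
LEAKED_SHA1 = {
    hashlib.sha1(p).hexdigest().upper()
    for p in (b"password123", b"Summer2021!", b"MyCompanyPassword2020!")
}


def range_index(hashes):
    """Group uppercase SHA-1 digests by their first 5 hex chars -> set of 35-char suffixes."""
    index = {}
    for digest in hashes:
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_leaked(password, index):
    """k-anonymity style lookup: query by 5-char prefix, compare the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = index.get(prefix, set())  # in a live system this is the range query
    return suffix in candidates


def check_password(password, index, min_length=MIN_LENGTH):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Capitalised word followed by 2-4 digits and an optional symbol, e.g. Summer2021!
    if re.fullmatch(r"[A-Z][a-z]+\d{2,4}[!@#$%]?", password):
        problems.append("predictable word+year pattern")
    if is_leaked(password, index):
        problems.append("appears in leaked-password data")
    return problems


if __name__ == "__main__":
    idx = range_index(LEAKED_SHA1)
    for candidate in ("Summer2021!", "MyCompanyPassword2020!", "correct horse battery staple 42"):
        print(repr(candidate), "->", check_password(candidate, idx) or "ok")
```

Note that "MyCompanyPassword2020!" passes the length rule and the pattern rule but is still rejected, which is why leaked-password detection has to run alongside complexity requirements rather than instead of them.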

Do not be misled by the term passwordless. Even when trying to minimize the password footprint, the need to protect the passwords that remain in use will be the same.