CISO Bret Arsenault believes passwords aren't secure enough on their own
Microsoft has touted ambitions to move away from passwords and embrace biometric security for identification and authentication processes.
The company's chief information security officer Bret Arsenault told CNBC that online passwords should be eliminated as they do not adequately protect people, and biometrics should be used instead.
Arsenault noted that passwords on their own do not afford enough cyber security. Even the relatively simple and old technique of password spraying – whereby a hacker tries to access large numbers of accounts at once by firing commonly used passwords at them – can lead to organisations and online services getting hacked, as there's often no extra layer of security once a correct password has been inputted.
“The reality is, we still see a lot of attempts of people trying to password spray. The best way to protect against the password spray is to just eliminate passwords,” said Arsenault, who did acknowledge that password security can be bolstered with multi-factor authentication.
“And so the thing that we are seeing is lots and lots of people just focused on eliminating that whole vector.”
Microsoft is practising what Arsenault is preaching, with 90% of its 135,000-strong workforce already able to log into the company's corporate network without passwords. Instead, the workers use biometric technology, such as facial recognition or fingerprint scanning, to authenticate themselves.
The company will also scrap its old password expiration policies in Windows 10 in favour of a system that purges expiring passwords deemed no longer secure, and it will effectively force its users to update their passwords every few months once the Windows 10 May 2019 Update gets rolled out.
Such an anti-password stance is understandable given the increasing use of biometrics, from voice and image recognition to under-display fingerprint scanners in the latest Android smartphones.
However, there are still plenty of cases where biometrics can be duped and devices unlocked by people who shouldn't have such access. Recently, this was brought to the fore with the Nokia 9 PureView, which could be unlocked by pressing a packet of chewing gum against the phone's under-display scanner.
As such, there may be a need for biometric technology to evolve a little further before it can truly replace passwords, online or otherwise.