When will we finally ditch passwords? Here’s Microsoft’s 4-step plan

Passwordless roadmap

Microsoft has steadily added features that actually allow companies a passwordless path forward in an industry increasingly looking to do just that, with some of the tools based on standards, making it easier to adopt.

Microsoft broke out their roadmap into four steps:

1. Develop password-replacement options: this includes releasing tools that allow for organizations to implement biometrics, PINs, public/private cryptography, and FIDO2.
2. Reduce the user-visible surface area: this involves setting your authentication options to default to passwordless, cutting down on how often users think about passwords at all.
3. Transition into passwordless deployment: involves taking NIST’s latest recommendations and moving away from requiring users to reset their passwords every few months and continuing to reduce the need for day-to-day password use.
4. Eliminate passwords from organizations’ identity directory: involves completely removing passwords from Azure AD since they still exist even if employees don’t use them anymore.

It’s 2019—where is Microsoft in their roadmap?

Microsoft has accomplished step one by offering multiple passwordless tools, adapting ones they recommended for multi-factor authentication and ones better suited for replacing passwords entirely. They released Azure AD Password Protection in April, which is similar to Troy Hunt’s Pwned Password list, and prevents easily guessed passwords and ones appearing on a global banned password list from being used. Organizations can use Windows Hello for Business to authenticate Microsoft, Active Directory, and Azure AD accounts via biometrics and PIN. Microsoft accounts work with FIDO2 hardware devices like Yubikey and Google’s Titan Security Key; you can even connect Yubikey to Azure AD (in preview). The third solution is the Microsoft Authenticator app, which can be used alongside a password for MFA or to replace passwords.

Steps two through four require most of the effort to come from organizations—they have the passwordless tools, but how much of the above applications are used? In Microsoft’s white paper on passwordless protection [PDF], they say that there are 89 million active Windows Hello users worldwide and that more than 6,500 organizations deploy Windows Hello for Business. Microsoft keeps releasing blogs providing instructions for how organizations can continue to reduce their password surface, pushing everyone to keep moving forward in ditching passwords.

Step three is where roadmap progress becomes a little murkier as it’s more on organizations to take what Microsoft has created and implement them. The stats Microsoft shared around Hello users show that companies are deploying Windows Hello for Business at least, but it’s not clear whether it’s reduced reliance on passwords yet and how much day-to-day usage there is.

Given that, we can safely guess that the industry has a ways to go before reaching step four, especially if Microsoft is any indication. The vendor is practicing what it preaches and says that as of July, about 90 percent of employees can sign into the network without use of a password. From there, Microsoft estimates that it will take another 18 to 24 months to confidently go passwordless.

Still a work in progress

As we’ve discussed before, it’s easy to say let’s ditch passwords, but it’s another to actually follow through. Microsoft has provided organizations with actual options they can use to complete steps two through four of their passwordless roadmap. The tough part is getting organizations to actually do so.

It’ll take a few more years before organizations might be ready for it, but at least the tools are there. Users themselves might even be ready to go passwordless after getting used to biometric authentication thanks to the proliferation of iPhones and other consumer devices with such features.

Again, one of the good things about Microsoft’s passwordless tools is that they're based upon industry standards, which, with their clout, could get other organizations to follow suit, making it even easier for the EUC to abandon passwords.