Just the mention of passwords is enough to raise the heart rate of system administrators because they are a constant headache. Users lose them; they forget them; they write them down on Post-It notes on their desks. You have to help them recover those passwords and make sure they’re changed on a regular basis and crafted so that they are hard to guess.
However, alternatives to passwords are not necessarily easy to implement. But with the planned release of the Windows 10 Spring Creators Update, the job might get a little easier. Microsoft is starting the process of weaning users off passwords by giving them other methods to log on to their computers and applications.
Microsoft is adding other security enhancements, some of which will not be obvious to users as the company works to make life more difficult for malware writers. But some changes will be more visible, such as new ways to limit what users can do on their computers. The Spring Creators Update will also make security management more centralized on Windows computers.
The password-free login methods are getting the most attention, mostly because Microsoft has announced that Windows 10 S, the lower-cost student version of the desktop operating system, will support Windows Hello, the secure login system that identifies authorized users with biometric factors, including fingerprints, an iris scan or facial recognition, or with a PIN.
Microsoft is making this change because Windows 10 S is no longer a separate version of Windows, but is rather just an operating mode for the full-featured Windows 10 edition, which already supported Windows Hello.
Users can also set up two-factor authentication using the Microsoft Authenticator, which is an app for iOS and Android phones that can generate a PIN.
Clearly, not every device that runs Windows has the capability to handle facial recognition or to read fingerprints, although that hardware is becoming increasingly available. However, anything with a keyboard can use a PIN.
Microsoft explains that a PIN is more secure than a password, because the PIN is unique to the device. The PIN verifies an authorized user through asymmetric key authentication with an authenticating server. This means that someone can’t steal a PIN and then use it successfully on another computer.
The computer’s Trusted Platform Module (TPM) handles the key generation and also protects against repeated false entries and other attempts to compromise the TPM. While you’re probably thinking of a PIN as a simple 4-digit number, it doesn’t have to be that way.
Microsoft will let you require PINs with more characters or PINs that use letters and special characters. Of course, if you let those PINs get too complex and hard to remember, then you have the same problem that you have managing forgotten passwords.
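A simplified model of the device-bound PIN flow described above, added here as an illustration and not Microsoft's implementation. The `Device` and `Server` classes, `tryLogin`, the Ed25519 key type, the scrypt PIN check and the three-attempt permanent lockout are all assumptions of this example; a real TPM keeps the key in hardware and applies its own lockout rules.

```javascript
const crypto = require('crypto');

const MAX_ATTEMPTS = 3; // assumed lockout threshold for this model

// Stands in for a TPM-backed device: the private key never leaves this object.
class Device {
  #privateKey;
  #salt = crypto.randomBytes(16);
  #pinHash;
  #failures = 0;
  constructor(pin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.#privateKey = privateKey;
    this.publicKey = publicKey; // the only value registered with the server
    this.#pinHash = crypto.scryptSync(pin, this.#salt, 32);
  }
  // The PIN only gates local use of the key; it is never sent anywhere.
  sign(pin, challenge) {
    if (this.#failures >= MAX_ATTEMPTS) throw new Error('locked out');
    const candidate = crypto.scryptSync(pin, this.#salt, 32);
    if (!crypto.timingSafeEqual(candidate, this.#pinHash)) {
      this.#failures += 1; // repeated false entries are counted
      throw new Error('wrong PIN');
    }
    this.#failures = 0;
    return crypto.sign(null, challenge, this.#privateKey);
  }
}

// Authenticating server: stores public keys only, no PINs or passwords.
class Server {
  constructor() { this.enrolled = new Map(); } // user -> public key
  enroll(user, publicKey) { this.enrolled.set(user, publicKey); }
  newChallenge() { return crypto.randomBytes(32); } // fresh nonce per login
  verify(user, challenge, signature) {
    const key = this.enrolled.get(user);
    return Boolean(key) && crypto.verify(null, challenge, key, signature);
  }
}

// One login attempt: the server issues a challenge, the device signs it.
function tryLogin(server, user, device, pin) {
  const challenge = server.newChallenge();
  try {
    return server.verify(user, challenge, device.sign(pin, challenge));
  } catch (err) {
    return false; // wrong PIN or lockout: no signature reaches the server
  }
}
```

The same PIN entered on a second `Device` produces a signature from a different key, so the server rejects it, which is the property the article attributes to device-bound PINs.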
The idea of a password-free experience is pretty nice, but there’s more to Windows security than that. The spring release of Windows will also include a feature system administrators can use to regulate whether a particular user of a Windows machine can access the computer’s file system.
This feature is designed to limit user access to only the files they need to do their jobs, or to no files at all, to reduce the danger of data theft or corruption. System administrators can allow access to data through specific apps and can set which applications users can access and which ones they can’t.
Microsoft is also enhancing the Windows Security Center to provide one-stop control over security features on Windows computers. The Security Center includes controls for Windows Defender, which is Microsoft’s antivirus product, but also monitors the operations of third-party AV products and anti-malware products. Included in the security package is the Account Control area, which is where you’ll be prompted to use biometric authentication as well as a PIN and two-factor authentication.
While none of these security improvements represents breakthrough technology, taken together, they do a lot to make Windows 10 a more secure environment. While Microsoft hasn’t abandoned passwords yet, it’s clear that the company would like to lead Windows users in that direction.
You’re already encouraged to create a PIN for Windows following a major update, and on computers equipped with biometric sensors, you’re encouraged to register your fingerprint and if possible your face. It’s already possible to use Windows on some devices and never enter a password for the operating system.
Unfortunately, there’s still a long way to go before organizations generally adopt Microsoft’s asymmetric keys for authentication and probably even longer before they’re accepted on the public internet. Although it’s possible for your organization to start dispensing with passwords, you’re going to have to implement security features you currently don’t have.
So the question is: do you hate passwords enough to implement these alternative security measures? Are they costing you enough staff time to make it practicable to eliminate passwords? Maybe it’s time to figure out how much time and expense is actually involved. If there’s enough, then you can make a case for a password-free future.