Microsoft Now Offers the Option to (Mostly) Ditch Your Password

As of today, Microsoft is offering people the option to remove passwords from their Microsoft accounts, provided they don’t use certain features or applications on a regular basis.

“For the past couple of years, we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision,” writes Vasu Jakkal, Corporate VP of Security, Compliance, and Identity for Microsoft. “Beginning today, you can now completely remove the password from your Microsoft account. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more.”

The rest of the post focuses on Microsoft’s sales pitch for getting rid of passwords. Passwords are annoying, to be sure. Many people aren’t good at them, as evidenced by the fact that passwords like “password123” and “abcdefg” still frequently show up on leaked lists (unless otherwise prevented by password policies). Tell people to add numbers and special characters, and you can bet “p4ssw0rd!23” will show up on the list.

Microsoft is not wrong when it points out the flaws and shortcomings of existing password systems, but there are some caveats to its plans as well. There are some practical restrictions on who can use this capability. Microsoft indicates you must continue using a password if you use any of the following services:

  • Xbox 360
  • Office 2010 or earlier
  • Office for Mac 2011 or earlier
  • Products and services which use IMAP and POP email services
  • Windows 8.1, Windows 7 or earlier
  • Some Windows features including Remote Desktop and Credential Manager
  • Some command line and task scheduler services.

Microsoft notes that if you lose access to the Microsoft Authenticator app, you can still access your Microsoft account, provided you have defined an account recovery method (said account is, presumably, still protected by a password). If you have two-step verification enabled, the company adds, you will need to define two recovery methods.

Some of the secondary authentication methods Microsoft supports, such as SMS and email, are either subject to security flaws on their own or may still depend on the security of your email password. It’s also true that facial recognition systems like Windows Hello have been bypassed in the past, most recently a few months ago. The amount of work required to fool biometric authentication systems has generally increased in recent years, making them somewhat better options than they were in the past. But such systems are not foolproof, either.

Even so, Microsoft is probably correct that such methods are, at the least, under far less attack than passwords themselves.

Readers concerned about moving away from passwords from a civil liberties perspective should be aware that biometric authentication is not necessarily protected in the same manner as passwords. A password is unambiguously “something you know,” and as such, you can assert a 5th Amendment right against personal self-incrimination if asked to provide one. Biometrics like your face and fingerprint are considered to be “something you are,” and case rulings on whether they can be gathered without consent have gone in opposite directions without the Supreme Court ruling on the issue. Password cracking and identity theft are more likely to be practical issues for the vast majority of readers, but if you are concerned about legal questions, biometrics are not as protected as passwords.

Whether that’s of much practical value in an era where law enforcement also has access to cracking software from various security firms is a different question. Microsoft’s FAQ has more details on the topic for those who want more information.
