Some of you out there might be thinking, “not another article on the end of passwords, we’ve been hearing this for years.” And to your credit, you are spot on. People have been telling a tale of the end of passwords for at least five years now, a tale that became more popular with FIDO2 security keys like the YubiKey. My argument for expecting a larger drive toward adoption of passwordless solutions comes from recent security data in the Microsoft Digital Defense Report (2024) and from new studies Microsoft has been conducting on the user experience of moving to passwordless methods of authentication. We will break down both in this article.

More than 99% of Identity attacks are password attacks

The Digital Defense Report highlighted some eye-opening stats around the attacks Microsoft is seeing:
  • 7,000 password attacks were blocked PER SECOND over the past year
  • While token theft and adversary-in-the-middle (AiTM) attacks have grown significantly in both popularity and frequency, they still represent only a tiny fraction of the attacks seen in the wild.

Moreover, MFA is still used in only 41% of Entra sign-ins. This one really blows my mind. The pressure Microsoft has been applying to drive MFA adoption is what I believe will happen next with passwordless options, given the volume and continual growth of password attacks.

Microsoft's UX Research

Last month, Microsoft also published the following article, “Convincing a Billion Users to Love Passkeys.”
Within the article, they highlight some of the above statistics and also paint a hypothetical journey of passwords no longer being supported:

The statistics they present are encouraging, not just for preventing password-based attacks but also for countering the rising AiTM attacks we are seeing, since a passkey is bound to the site it was registered with and cannot be replayed by a phishing proxy. While they don’t cite the full size of the audience they experimented with or the user type (i.e., consumer vs. business user), there were some encouraging stats around the adoption and use of passkeys:

Nudging users to sign up with Passkeys:

While these stats seem promising, my largest criticism, based on the pictures shown, is that they appear to be nudging users to set up a passkey via a mobile sign-in experience, which is not what we will normally see for our users signing into Microsoft 365. Also, as you will see in the next section, while setting up a portable passkey has gotten a lot easier thanks to the integration with Microsoft Authenticator, it is still a bit of a clunky experience.

End User Experience (Microsoft Authenticator)

Setup
I am going to show the end user experience of setting up a passkey in Microsoft Authenticator, as this feature recently came out of public preview and is the easiest way for a user to set up a portable passkey. A couple of things to note:
  • If a user already has a profile set up in Authenticator, they can simply add a passkey to that profile
  • In the video below, I show the user experience for someone who has not set up a profile in Authenticator and has no password. In this case, we issue them a Temporary Access Pass (TAP) to sign in and register a passkey. This would be your workflow for onboarding a new user.
  • Setup of non-portable (device-bound) passkeys such as Windows Hello for Business can be baked into a new user’s onboarding to their workstation and provides an easier sign-in method than Authenticator offers today, in my opinion.
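As an added example (not code from the original post or from Microsoft), here is the administrator side of that onboarding workflow in Microsoft Graph PowerShell: issue a one-time TAP to a new user, confirm later that a passkey was actually registered, and then remove any leftover TAP. The UPN and the 60-minute lifetime are placeholders; the script assumes the Microsoft Graph PowerShell SDK is installed, that TAP is enabled in the tenant’s Authentication methods policy, and that the caller holds a role allowed to manage authentication methods (for example Authentication Administrator).

```powershell
# Added example, not from the original post or from Microsoft's documentation.
# Assumes: Microsoft Graph PowerShell SDK installed, TAP enabled in the tenant's
# Authentication methods policy, and the caller holds a role that can manage
# authentication methods (e.g., Authentication Administrator).
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$upn = "new.hire@contoso.example"   # placeholder UPN for the new hire

# Step 1: issue a one-time TAP. Keep the lifetime short: until it is used or expires
# the pass is effectively a password, so 60 minutes is plenty for a day-one session.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}

# The pass value is only returned at creation time; deliver it out of band
# (e.g., the manager reads it to the new hire), not by email to the same account.
"TAP for $upn, valid $($tap.LifetimeInMinutes) min from $($tap.StartDateTime): $($tap.TemporaryAccessPass)"

# Step 2 (run after the user has signed in with the TAP and registered a passkey):
# passkeys created in Authenticator surface as FIDO2 methods on the user object.
$passkeys = Get-MgUserAuthenticationFido2Method -UserId $upn
if (-not $passkeys) {
    Write-Warning "$upn has not registered a passkey yet; onboarding is not complete."
} else {
    $passkeys | Select-Object DisplayName, Model, AttestationLevel, CreatedDateTime
}

# Step 3: a user can hold only one TAP at a time, and an unused TAP is a live credential.
# Remove any remaining TAP once the passkey is confirmed instead of waiting for expiry.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn | ForEach-Object {
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
        -TemporaryAccessPassAuthenticationMethodId $_.Id
}
```

Step 2 is the check that makes the TAP workflow safe to operationalize: an onboarding SOP that hands out a TAP but never verifies that a phishing-resistant method replaced it leaves the user in the same position as a user with a temporary password.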
Signing In

Signing in is still a bit clunky too, as the user has to use the camera on their phone to scan a QR code shown by the sign-in page; this is how Authenticator locates the passkey and completes the sign-in request. Even for me, this seems like more of a hassle than being proactively prompted by Authenticator to simply enter the number I see on the screen. For end users who already see MFA as an inconvenience, the added step of scanning a QR code is not going to go over well, in my opinion.

Other Barriers to Adoption/Considerations:

Besides the obvious resistance to change and the confusion that comes with moving away from passwords, I see the following other situations:

  • Hybrid environment constraints => Legacy and hybrid environments may still need to support passwords for other systems, making passwordless harder to adopt
  • User onboarding changes => Temporary Access Passes will have to be incorporated into user onboarding SOPs, which might be a significant change for your MSP and/or the HR staff and managers across customer environments who have traditionally been issuing passwords.
  • Lost/replaced devices => This constraint is not much different from what exists today if our users are already on Microsoft Authenticator on their phones; the user still needs a recovery path, such as a fresh TAP, to re-register on the new device.
I am sure there are plenty of other considerations here, but I just wanted to highlight the top ones that come to mind for me.

Conclusion

Will we see the end of passwords in the next few years? While I am optimistic that we will, given the continual rise in compromises and attacks we see, I think that, just like with MFA, there are so many constraints to consider that Microsoft cannot simply cut the cord, specifically around hybrid and legacy environments. The end-user experience will also need to keep evolving for us to see more natural adoption, even in modern environments. With that said, we should all look to drive users toward these methods where possible, especially in net new tenants or tenants that have not even adopted MFA yet. I also think the move to Windows 11, with its TPM requirement, will help support methods like Windows Hello for many individuals, which is a much better user experience than the Authenticator app today.
