1 Moving Away from Passwords2 Password Breach Methods
This is not just Microsoft talking up its own account protection. In fact, the company says the 99.9% blocking ability will work on any website or service where multi-factor authentication is supported. So, the message from Microsoft is clear: If MFA is available, use it. This could be advanced biometrics like eye or fingerprint sensors, added security questions, SMS-based one-time code passwords, and more. “Your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA,” said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft.
Moving Away from Passwords
Microsoft has doubled down on its password-less future. In a recent Windows 10 20H1 preview build, the company introduced passwordless settings. Insiders can head to Settings > Accounts > Sign-in to see the new options, which allows users to switch Microsoft Account logins to Fingerprint, PIN only, or Windows Hello Face recognition. Weinert says passwords are no longer viable protection, no matter how they are used. Even advising users to “never use a password that has ever been seen in a breach” or “use really long passwords” does not really prevent attack these days. Weinert was part of the Microsoft team that handled password bans following a Microsoft Account and Azure AD breach in 2016. Following this breach, Microsoft Account holders trying to use a password from before the attack were told to change their credentials. However, Weinert says even this mitigation didn’t prevent hackers compromising accounts.
Password Breach Methods
He says this is because passwords don’t act as a blocker anymore, no matter how complicated they are. Weinert points to the following practices used by hackers to bypass passwords: