Skip to main content

Windows passwordless authentication will fail, say researchers

Ein Passworteingabefeld mit 9 Sternchen
(Image credit: (stock.adobe.com © jamdesign))

A completely passwordless Microsoft experience will fail as the company is repeating the same mistakes from the past, cybersecurity researchers from WatchGuard Threat Lab have said.

The company says that with Windows 11, Microsoft is pushing for a completely passwordless authentication experience in which biometrics, hardware tokens and security keys, or an email with a one-time password (OTP) push traditional passwords to the sidelines.

However, WatchGuard says Microsoft is making the same mistake it always did, by not mandating a multi-factor authentication (MFA) approach. All of these approaches can be used solo, and that’s a problem, as the researchers claim all of the abovementioned methods have been compromised by either researchers or cybercriminals in the past already. 

Insurance companies to mandate better security practices

“Microsoft could have truly solved the digital identify validation problem by making MFA mandatory and easy to use in Windows,” says Corey Nachreiner, CSO at WatchGuard Technologies. “Organizations should force users to pair two methods of authentication, such as biometrics or tokens with a push approval to your mobile phone sent over an encrypted channel.”

Still, insurance companies will make sure (pun definitely intended) MFA takes off, by mandating better cyber defenses to reduce “soaring” premiums.

It’s only a matter of time before cybersecurity insurers realize that payout costs to cover ransomware threats rose dramatically. As a result, not only will they demand higher premiums, but will also actively scan and audit the security of clients before providing any cover.

“In 2022, if you don’t have the proper protections in place, including MFA, you may not get the cyber insurance you need at the price you would like,” added Nachreiner.

WatchGuard also reminds that a recent S&P Global report stated how cyber insurers loss ratio rose for the third consecutive year in 2020, by more than 72%. As a result, the premiums for standalone cyber insurance policies spiked 28.6% last year, hitting a total of $1.62 billion USD.

Weak passwords are one of the most common ways systems get breached. Users are advised to create unique passwords for all the services they use, and store them in a password manager, instead of writing them down on a piece of paper and leaving it on a desk.