New warning as Microsoft confirms password deletion for 1 billion users

21 Jan 25

“The age of passwords is coming to an end,” Microsoft has confirmed, warning its billions of users that “bad actors know it, which is why they’re desperately ramping up password-related attacks while they can.” And while the company “blocks 7,000 password attacks per second… almost double from a year ago,” that’s not nearly enough. “Our ultimate goal,” Microsoft says, “is to remove passwords entirely.”

Those billion passwords will be replaced with passkeys, which “provide an improved user experience by allowing you to sign in faster with your face, fingerprint or PIN… They are also not susceptible to the same types of attacks like passwords. Plus, passkeys eliminate forgotten passwords and one-time codes and reduce support calls.”

But it’s not all smooth sailing. “Passkeys are the future of authentication, but widespread adoption faces challenges,” the UK government’s cybersecurity authority has just warned, outlining “significant bumps in the road ahead” before Microsoft’s vision of a passwordless future becomes reality.


The use of passkeys appears to be binary – those who use them are likely to use them extensively, while those who don’t still won’t get on board at all. “In the two years since passkeys were announced and made available for consumer use,” says the FIDO Alliance, “awareness of passkeys has increased by 50%… Most of those who are familiar with passkeys have enabled the technology to authenticate themselves.”

The UK’s National Cyber Security Centre (NCSC) says that “the majority of cyber harm affecting citizens occurs through the abuse of legitimate credentials. That is, the attackers somehow obtained the victim’s password – either by phishing or by exploiting the fact that passwords are weak or reused… Passwords are simply not a good way to authenticate users on the modern Internet.”

But getting from where they are today to ubiquitous deployment — enabling Microsoft and others to wipe out billions of basic, reused, and breakable passwords — takes work. The NCSC outlines ten critical issues that prevent such mass adoption.

  1. “Inconsistent Support and Experiences: There are currently multiple passkey ‘flavors’ that providers and users must understand… This complicates things for websites that want to provide effective passkey support, but also want to know how the passkey is being handled by the user’s device.
  2. Device loss scenarios: Users are mostly unsure of the implications for their keys if they lose or break their device, as it appears that their device has all the ability to authenticate. To trust passkeys as a password replacement, users need to be prepared and know what to do in the event of losing one – or all – of their devices.
  3. Migration issues: Passkeys are ‘long-lived’ because users can’t forget them or create one that’s weak, so if they’re done well, there should be no need to restore or update them. As a result, there is an increased likelihood that at some point a user will want to move their passkeys to a different vendor or platform’s Credential Manager. This is currently challenging to do.
  4. Account recovery processes: For passkey-protected accounts, potential attackers are now more likely to focus on finding weaknesses in account recovery and reset requests – whether by email, phone or chat – and turn to phishing for recovery keys. These processes must be sufficiently hardened by providers to prevent trivial abuse by these attackers and to preserve the security benefits of using keys.
  5. Platform differences: Different platforms use different terms to describe the login process with passkeys, which can confuse users and deter them from using passkeys. Vendors will need to work together and with the FIDO Alliance to agree on consistent, accessible language and avoid working in silos. This will help users to have confidence in what they are using in their digital life.
  6. Suitability for all scenarios: Using passkeys assumes that the user has exclusive, private access to an account or device for preparing and accessing the Credential Manager that holds their passkeys. However, this is not always the case, such as in households where many people use the same phone.
  7. Implementation complexity: It is challenging to provide passkeys to users for services that currently use multiple domains for authentication (such as account.example.co.uk AND account.example.com) and users may need multiple passkeys to log in to what appears to be the same service.
  8. Inconsistent usage: There is no consensus on when to use passkeys in a login journey or how much security each ‘flavor’ of key provides. As a result, some websites choose to require a key and an additional factor, while others allow key-only logins.
  9. Uncertainty about multifactor status: Website owners and regulators have not yet reached a consensus on whether all ‘flavors’ of passkey count as ‘multifactor’ (or equivalent) when the user is authenticated, typically with local device biometrics or a PIN.
  10. Uncertainty about synchronization and sharing: For critical and sensitive accounts where verifiable user identity is required, there is uncertainty as to whether passkeys that can be synchronized and shared are secure enough by themselves.”
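Items 7, 9 and 10 above turn on facts a relying party can read directly from a WebAuthn assertion: the RP ID hash (why a passkey for example.com cannot serve example.co.uk), the UV flag (whether local biometric/PIN verification happened, which is what the multifactor question hinges on) and the BE/BS flags (whether the credential is a synced passkey). The following is an added example, not code from the article, the NCSC or Microsoft: it parses the fixed 37-byte prefix of authenticator data and applies a hypothetical site policy; it covers only this flags-based decision and assumes signature, challenge and origin checks are done elsewhere.

```python
import hashlib
from dataclasses import dataclass

# Bits of the WebAuthn authenticator-data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified locally (biometric or PIN)
FLAG_BE = 1 << 3  # backup eligible: the credential may be synced to other devices
FLAG_BS = 1 << 4  # backup state: the credential is currently backed up (synced)


@dataclass
class AssertionFacts:
    rp_id_matches: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build the 37-byte fixed prefix of authenticator data (constructed sample input)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def parse_auth_data(auth_data: bytes, expected_rp_id: str) -> AssertionFacts:
    """Extract the facts a relying party needs from the authenticator-data prefix."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return AssertionFacts(
        rp_id_matches=auth_data[:32] == hashlib.sha256(expected_rp_id.encode()).digest(),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backed_up=bool(flags & FLAG_BS),
        sign_count=int.from_bytes(auth_data[33:37], "big"),
    )


def decide(facts: AssertionFacts, high_assurance: bool) -> str:
    """Hypothetical site policy: 'accept', 'step-up' (ask for another factor) or 'reject'."""
    if not facts.rp_id_matches:
        # A passkey is scoped to one RP ID, so a key for example.com cannot serve example.co.uk.
        return "reject"
    if not facts.user_verified:
        # Without UV the assertion only proves possession of the device: a single factor.
        return "step-up"
    if high_assurance and facts.backup_eligible:
        # For sensitive accounts this policy does not trust a syncable passkey on its own.
        return "step-up"
    return "accept"
```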


The good news is that all of this is being worked on, coordinated by FIDO and others and driven by technology providers and the financial and other secure-by-design industries, all seeking finally to put an end to the plague of trivially easy attacks. “Achieving this vision,” the NCSC says, “needs an intensified effort from all parties and greater collaboration to unify the vision and prevent it from becoming fragmented to the extent that users become disengaged.”

That’s why Microsoft says it’s moving slowly toward its goal, “understand[ing] where and when to invite users to register passkeys… We conducted extensive user studies and tested every pixel on our push screen to answer the question, ‘What would motivate a user to stop what they are doing and register a passkey?’”

The challenge is that for passkeys to solve the worsening threat landscape now being fueled by new AI-powered attacks, they have to go all the way. “While passkey registration is an important step,” says Microsoft, “it’s just the beginning. Even if we force more than a billion of our users to register and use passkeys, if a user has both a passkey and a password, and both give access to an account, the account is still at risk for phishing. Our ultimate goal is to remove passwords entirely and have accounts that only support phishing-resistant credentials.”
