Microsoft Goes Passwordless for Account Holders on All Products
Microsoft users will be able to completely remove their passwords from their accounts.
![smartphone verification smartphone verification](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt29f2c3466ed4ac15/652444af4c3b7b26ccb8949f/Smartphone-authentication.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Joseph Carson is chief security scientist and advisory CISO at ThycoticCentrify. He said passwordless is sometimes a misleading term.
“In reality, it is all about [fewer] password interactions and helping move passwords in the background, reducing both password pain and cyber fatigue,” he said. “Authentication is still happening; however, it is becoming more contextual.”
We are not really living in a passwordless world, Carson said.
“Consider it more of a less-password-interaction world as passwords will continue to exist,” he said. “It is about how users will interact with them less moving forward.”
Tyler Shields is JupiterOne's CMO. He said security has always been a balance of ease of use and security.
“The cybersecurity vendor community must drive toward creating easy-to-use cybersecurity experiences that deliver an acceptable level of security to the technologies that the consumers demand,” he said. “A good example of this is the move to single sign-on and passwordless authentication. Users have failed to maintain proper passwords for decades. That will never change. So innovation must build an easy-to-use alternative that provides appropriate security with a much better user experience. Enterprises have to find the right balance of technology innovation alongside security for traditional models.”
Passwords are the most misused line of defense in cybersecurity, Shields said.
“Words are only better than randomized passwords because they can be easily remembered, instead of being written down,” he said. “In tradeoff, the password itself is simplified and easier to guess. My recommendation is to get rid of passwords completely.”
Mohit Tiwari is co-founder and CEO of Symmetry Systems, a data store and object security (DSOS) provider.
“Passwords are one of the easily compromised components within a company,” he said. “To mitigate risk, organizations should either establish a tight password policy or switch to a passwordless model, much like Microsoft is doing. The latter will be far more efficient.”
TTEC, a customer experience technology and services provider, has been hit by ransomware, according to Krebs on Security. An internal TTEC memo shared with Krebs discussed a “widespread outage” that began last Sunday.
TTEC has more than 60,000 employees, most of whom work from home providing support calls for companies such as Bank of America, Best Buy, Credit Karma, Dish Network, Kaiser Permanente, USAA and Verizon.
When contacted, TTEC sent us a statement about the attack:
“We recently became aware of a cybersecurity incident that has affected certain TTEC systems. Although as a result of the incident, some of our data was encrypted and business activities at several facilities have been temporarily disrupted, the company continues to serve its global clients. TTEC immediately activated its information security incident response business continuity protocols, isolated the systems involved, and took other appropriate measures to contain the incident. We are now in the process of carefully and deliberately restoring the systems that have been involved.”
TTEC also launched an investigation to determine the potential impacts.
“In serving our clients, TTEC generally does not maintain our clients’ data, and the investigation to date has not identified compromise to clients’ data,” it said. “That investigation is ongoing and we will take additional action, as appropriate, based on the investigation’s results. This is all the information we have to share until our investigation is complete.”
Ron Bradley is vice president of Shared Assessments. He said this situation, as with many others, underscores the importance of supplier due diligence and continuous monitoring.
“This is especially true with the expansion of the work-from-anywhere model many companies are adopting due to the global health crisis,” he said. “Companies need to make every effort to reduce their blast radius to prevent such widespread and impactful attacks.”
Training and awareness are key to help prevent these types of attacks, Bradley said. Unfortunately, in most cases the human element is the most vulnerable element.
Saryu Nayyar is CEO of Gurucul. She said ransomware has become the favorite flavor of the year, with just about every reported attack requiring a payment to get the organization back on track.
“Known ransoms are likely to total in the tens of millions of dollars this year, with no end in sight,” she said. “To combat ransomware, organizations have to be vigilant in patching systems, reaching out to vendors and open-source projects to stay informed on security issues, using traditional endpoint security detection systems, and monitoring the activity on their networks and applications for things that don’t follow the usual patterns. These require multiple security tools, along with a way of tying all of the data together to produce a complete and clear picture of security risks and remediation.”
Cybercriminals are constantly attempting to exploit vulnerabilities that affect as many people as possible to maximize their profit opportunities. According to Atlas VPN, Google and Microsoft accumulated the most vulnerabilities in the first half of 2021.
Although not all exposures can cause critical damage, hackers could exploit some of them for severe attacks.
Google had 547 accumulated vulnerabilities throughout the first half of 2021. Exploiting Google products like Chrome is popular among cybercriminals.
Microsoft products came second, with 432 exposures. State-sponsored threat actors from China abused Microsoft Exchange Server vulnerabilities to carry out ransomware attacks.
Oracle registered 316 total vulnerabilities in the first six months of the year. The exploits are usually found in Oracle WebLogic Server, which functions as a platform for developing, deploying and running enterprise Java-based applications.
Cisco accumulated 200 vulnerabilities. Lastly, SAP, the producer of software for managing business processes, had 118 exploits in total.
William Sword is cybersecurity writer and researcher at Atlas VPN.
“Exploiting vulnerabilities in Google or Microsoft products allows cybercriminals to probe millions of systems,” he said. “While the tech giants are doing a fair job of keeping up with exploits and constantly updating their software, people and organizations need to follow suit and keep up with the updates to prevent further exploitation.”
Exploits that can be turned into a severe attack get more attention from cybercriminals and companies themselves to fix the flaw as soon as possible.
Digital Shadows this week unveiled a new feature within its SearchLight solution, SocialMonitor, that allows organizations to identify and take down fake social media accounts registered against their key executives.
Cybercriminals routinely impersonate companies and key personnel on social media, Digital Shadows said. Motivations vary, but include social engineering attacks such as business email compromise (BEC) and redirecting users to malicious sites carrying malware. There can also be malicious attempts to spread disinformation about a company or its brands. Customer service professionals and company handles are also targeted by cybercriminals.
SocialMonitor adds targeted human collection to SearchLight’s existing broad automated coverage. Users will receive “impersonating employee profile” alerts that are pre-vetted by its analyst team. This ensures organizations only receive relevant notifications of concern.
Russell Bentley is Digital Shadows’ vice president of product.
“Fake profiles on social media are rife and frequently used to spread disinformation or redirect users to scams or malware,” he said. “Social media providers have taken steps such as providing a verified profile checkmark and removing fake accounts. However, there is often too long a window of opportunity before action can be taken. SocialMonitor provides organizations with a proactive defense so that offending profiles can be taken down quickly, protecting their customers and corporate reputation.”
Tech giant Microsoft is going passwordless, meaning users can completely remove their password from Microsoft accounts.
Passwordless has been a hot topic of conversation as cybercriminals have long exploited weak or stolen passwords to gain access to accounts. Going passwordless means reducing or eliminating the use of passwords by requiring one or more alternative authentication factors when customers and/or employees log in to apps or systems.
In March, Microsoft made passwordless sign-in generally available for commercial users. Now Microsoft users can completely remove the password from their account. Instead, they can use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to their phone or email to sign in to apps and services such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more. Microsoft will roll out the feature over the coming weeks.
Weak Passwords Major Entry Point for Cybercriminals
In her blog, Vasu Jakkal, Microsoft's corporate vice president of security, compliance and identity, said passwords are too vulnerable.
“Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts,” she said. “There are a whopping 579 password attacks every second. That’s 18 billion every year.”
Passwords are vulnerable for two big reasons, Jakkal said. One, creating those that are both secure enough and memorable enough is a challenge. Passwords are “incredibly inconvenient” to create, remember and manage across all accounts.
Two, forgetting a password can be painful, so people try to create passwords they can remember, relying on known and personal words and phrases, she said.
“Unfortunately, while such passwords may be easier to remember, they are also easier for a hacker to guess,” Jakkal said. “A quick look at someone’s social media can give any hacker a head start on logging into their personal accounts. Once that password and email combination has been compromised, it’s often sold on the dark web for use in any number of attacks.”
Hackers can also use automated password spraying to try many possibilities quickly, she said. They can use phishing to trick you into putting your credentials into a fake website. These tactics are relatively unsophisticated and have been in play for decades, but they continue to work because passwords continue to be created by humans.
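The password spraying Jakkal describes above leaves a recognizable shape in authentication logs that differs from classic brute force: a spray touches many accounts from one source with only one or two guesses each (to stay under lockout thresholds), while brute force hammers a single account. The following added example, which is not from the article or from Microsoft, runs that distinction over a constructed log sample in a hypothetical "timestamp key=value" line format; the source addresses, usernames and detection thresholds are all assumptions chosen for illustration. It also flags any successful sign-in from a source that was spraying, since that is the event a defender most needs to act on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not from any real system).
# Source 203.0.113.7 sprays one guess across six accounts, then succeeds against one;
# source 198.51.100.9 brute-forces a single account; 192.0.2.4 is a user's own typo.
SAMPLE_LOG = """\
2021-09-20T08:00:01 user=alice src=203.0.113.7 result=FAIL
2021-09-20T08:00:04 user=bob src=203.0.113.7 result=FAIL
2021-09-20T08:00:07 user=carol src=203.0.113.7 result=FAIL
2021-09-20T08:00:10 user=dave src=203.0.113.7 result=FAIL
2021-09-20T08:00:13 user=erin src=203.0.113.7 result=FAIL
2021-09-20T08:00:16 user=frank src=203.0.113.7 result=FAIL
2021-09-20T08:00:19 user=grace src=203.0.113.7 result=OK
2021-09-20T08:01:00 user=victor src=198.51.100.9 result=FAIL
2021-09-20T08:01:02 user=victor src=198.51.100.9 result=FAIL
2021-09-20T08:01:04 user=victor src=198.51.100.9 result=FAIL
2021-09-20T08:01:06 user=victor src=198.51.100.9 result=FAIL
2021-09-20T08:01:08 user=victor src=198.51.100.9 result=FAIL
2021-09-20T08:01:10 user=victor src=198.51.100.9 result=FAIL
2021-09-20T08:05:00 user=alice src=192.0.2.4 result=FAIL
2021-09-20T08:05:09 user=alice src=192.0.2.4 result=OK
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into (timestamp, user, src, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["user"], kv["src"], kv["result"]


def classify_sources(log_text, window=timedelta(minutes=10), min_users=5,
                     max_per_user=2, brute_threshold=5):
    """Group failures by source address and label each source as 'spray' or 'brute_force'.

    Thresholds are assumptions: a spray is >= min_users distinct accounts inside `window`
    with no account tried more than max_per_user times; brute force is >= brute_threshold
    failures against one account in the same window. Sources matching neither are omitted.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, user, _, res in evs if res == "FAIL"]
        successes = {user for _, user, _, res in evs if res == "OK"}
        # Slide a window over this source's failures, starting at each failure in turn.
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            peak = max(per_user.values())
            if len(per_user) >= min_users and peak <= max_per_user:
                findings[src] = {
                    "pattern": "spray",
                    "distinct_users": len(per_user),
                    # Any account this source later logged into successfully.
                    "success_after": sorted(successes),
                }
                break
            if peak >= brute_threshold:
                findings[src] = {
                    "pattern": "brute_force",
                    "target": max(per_user, key=per_user.get),
                    "attempts": peak,
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, info)
```

Per-account lockout alone does not catch the first source, because each account sees only one failure; the signal is the breadth of accounts per source, which is why the grouping key here is the source address rather than the username.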
Scroll through our slideshow above for cybersecurity experts’ thoughts on Microsoft going passwordless, plus other cybersecurity news.