Is Windows 11 another nail in the password’s coffin?
News of Windows 11 offering built-in chip to cloud protection to meet the new security challenges of hybrid work indicates that cyber security is catching up with the improvised work environments and the proliferation of endpoint devices that Covid has brought on.
The move means that Microsoft extending its passwordless sign-in option from enterprise customers to consumers. Although this shift could in the long run secure communication between the computer’s CPU and the cloud for millions of users, computers’ ability to run Microsoft’s latest operating system will depend on their age and the type of processor they use (they will need TPM or Trusted Platform Module).
At the moment, the option for password free login is only for Microsoft accounts, but this will extend to Microsoft apps on iOS, Android, and Windows.
Biometrics – the silver bullet or just some alternative to a username?
Different forms of passwordless authentication have already been around for some time in enterprises. Although the technology exists, upscaling it to millions of users presents major challenges. Military level biometrical authentication does exist, for example, but it’s too expensive for wider adoption. Passwords are also increasingly becoming outdated due to recent shifts in the business and work environments.
Multi-tier supply chains, B2B and B2C relationships involving third parties, as well as the sharp increase in the number of BYOD (bring your own disaster as Jeremy jokingly called it) render the password unfit for the purpose. Also, the popularity of cloud solutions, the extensive use of mobile phones as digital offices and the proliferation of IoT devices have blurred the perimeters of network security and brought about its shift to the application level. The situation is further complicated by the cloud, where applications are distributed across Kubernetes clusters and containers that need to talk to each other across hostile boundaries typically last only for seconds (or five minutes at most).
But, according to Jason, biometrics is not the solution. With today’s technology you can take a picture of someone’s iris or fingerprint and it will have all the information a criminal needs to be able to use it fraudulently. Biometrics is only an announcement of your identity and therefore can only replace usernames, rather than passwords.
PKI or digital certificates, on the other hand, once upscaled, can actually usher in a passwordless future. PKI (Public Key Infrastructure) is used to manage public and private keys and bind them to the entities of organisations or individuals through the issuance of electronic documents called digital certificates. PKI is now routinely used for credit cards, passports and e-commerce and, unlike passports, has encryption and the digital signing capabilities as well.
Advice from the panel
Humans have a natural resistance to change. Therefore, when implementing new authentication systems, it’s key to explain to staff why these changes are necessary. While in 2010 the gospel was not to use a mobile for any form of MFA, today we are told to do just that. As for Windows 11, although it may not offer a seamless user experience on day 1, it marks a significant move towards a more secure future.