2022 Predictions #4 - Password-Less Authentication Fails Long Term Without MFA
It’s official. Windows has gone password-less! While we celebrate the move away from passwords alone for digital validation, we also believe the continued focus on single-factor authentication for Windows logins simply repeats the mistakes of history. Windows 10 and 11 now allow you to set up completely password-less authentication, using options like Hello (Microsoft’s biometrics), a FIDO hardware token, or an email with a one-time password (OTP).

Though we commend Microsoft for making this bold move, we believe all single-factor authentication mechanisms are the wrong choice and repeat the password mistakes of old. Biometrics are not a magic pill that’s impossible to defeat; in fact, researchers and attackers have repeatedly defeated various biometric mechanisms. Sure, the technology is getting better, but attack techniques evolve too (especially in a world of social media, photogrammetry and 3D printing). In general, hardware tokens are a strong single-factor option too, but the RSA breach proved that they are not undefeatable either. And frankly, clear-text emails carrying an OTP are simply a bad idea.

The only strong solution to digital identity validation is multi-factor authentication (MFA). In our opinion, Microsoft (and others) could have truly solved this problem by making MFA mandatory and easy in Windows. You can still use Hello as one easy factor of authentication, but organizations should force users to pair it with another, like a push approval to your mobile phone that’s sent over an encrypted channel (not a text message or clear-text email).

Our prediction is that Windows password-less authentication will take off in 2022, but we expect hackers and researchers to find ways to bypass it, proving we didn’t learn the lessons of the past.

See more of WatchGuard's 2022 Cybersecurity Predictions here:
https://www.watchguard.com/wgrd-resource-center/cyber-security-predictions