Effective Two-Factor Authentication (2FA)

What do you mean, “passwordless”?

Image: Microsoft Passwordless (source: https://www.microsoft.com/en-us/security/business/solutions/passwordless-authentication)

My company recently adopted Microsoft’s passwordless offering. When I think about what that means in practice, it simply lets you use your 2FA method as your main login method. There isn’t a layer one, only layer two. In that sense, “passwordless” isn’t really 2FA or MFA (multi-factor authentication).

According to NIST, 2FA is defined as:

“An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.”

I want to highlight that last sentence: “Something you know, something you have, and something you are”. 2FA and MFA require at least two of those three categories. The typical password or passcode is something you know. Authenticating with a phone via an Authenticator app, or with a Yubikey, is something you have. Lastly, fingerprints and other biometric forms of authentication are something you are.

When logging into my work accounts that are now passwordless, it seems as though login has simply gone back to asking for one thing. It only asks for something I have (a 6-digit passcode or a Yubikey insertion). With the Yubikey, however, I have it set up so that it also asks me for something I know — a PIN. Thus I feel more secure using the Yubikey.
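To make the factor-counting argument concrete, here is an added example (not from the original post, and not Microsoft's implementation) that models the NIST rule in code. It uses a password check (PBKDF2 as a stand-in for a real credential store) as the "something you know" factor and an RFC 6238 TOTP verifier as the "something you have" factor, then asks how many distinct categories a login actually proved. The demo account, its salt and password are constructed for the example; the TOTP secret is the reference secret from RFC 6238 so the codes can be checked against the RFC's test vectors.

```python
import hashlib
import hmac
import struct
import time
from enum import Enum


class Factor(Enum):
    """The three NIST authentication factor categories."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps (clock drift)."""
    counter = at // step
    for candidate in range(counter - window, counter + window + 1):
        if candidate < 0:  # no valid step before the Unix epoch
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True
    return False


def hash_password(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a real password store: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)


# Constructed demo account (not from the page). The TOTP secret is the
# RFC 6238 reference secret, so the codes can be checked against the RFC.
DEMO_SALT = b"constructed-demo-salt"
DEMO_PASSWORD = b"correct horse battery staple"
DEMO_USER = {
    "pw_hash": hash_password(DEMO_PASSWORD, DEMO_SALT),
    "salt": DEMO_SALT,
    "totp_secret": b"12345678901234567890",
}


def authenticate(user: dict, password: bytes = None, otp: str = None, now: int = None) -> set:
    """Return the set of distinct factor categories the user actually proved."""
    now = int(time.time()) if now is None else now
    proven = set()
    if password is not None and hmac.compare_digest(
        hash_password(password, user["salt"]), user["pw_hash"]
    ):
        proven.add(Factor.KNOWLEDGE)
    # A valid TOTP proves possession of the device holding the shared secret.
    if otp is not None and verify_totp(user["totp_secret"], otp, now):
        proven.add(Factor.POSSESSION)
    return proven


def is_multifactor(proven: set) -> bool:
    """NIST rule: at least two *distinct* categories. Because `proven` is a set,
    two factors from the same category (e.g. two possession factors) count once."""
    return len(proven) >= 2


if __name__ == "__main__":
    t = 59  # RFC 6238 test instant; the 6-digit code here is 287082
    code = totp(DEMO_USER["totp_secret"], t)
    only_otp = authenticate(DEMO_USER, otp=code, now=t)
    both = authenticate(DEMO_USER, password=DEMO_PASSWORD, otp=code, now=t)
    print("OTP alone:", sorted(f.value for f in only_otp), "-> MFA:", is_multifactor(only_otp))
    print("Password + OTP:", sorted(f.value for f in both), "-> MFA:", is_multifactor(both))
```

Run as a script, the OTP-only login proves one category and `is_multifactor` returns False, while password plus OTP proves two and returns True. The same policy function is what a Yubikey-with-PIN flow satisfies (possession plus knowledge), and what a flow offering only a passcode or only a key insertion does not.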

Microsoft’s current explanation for its passwordless decision is:

“Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives — from email to bank accounts, shopping carts to video games.”

I feel that even if passwords can be stolen, at least 2FA means I can use my password (something I know) together with my phone or a Yubikey (something I have) to log in. Perhaps this is a cost-related decision. It might be expensive to store passwords and handle password resets. It may be far easier to expect users to have a phone or an email account that can receive an authentication code or a sign-in notification. However, even phones can get stolen. That is certainly a rarer situation, but I believe that 2FA or MFA can still provide a lot of value.

I don’t understand how Microsoft decided to implement passwordless logins or why being passwordless is necessarily more secure, but I hope a more rigorous explanation of the security (beyond “hackers can steal passwords and people forget them”) is provided. Use a password manager if you’re going to forget your secure passwords. There are free ones out there.

Microsoft Passwordless Resources

How to go passwordless with your Microsoft Account: Learn how to remove passwords from your Microsoft account to increase security.

The passwordless future with Microsoft | Microsoft Security Blog: Beginning today, break free from your password and go passwordless with your Microsoft account.