As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. The Redmond-based tech giant noted that users could instead use its authenticator app, Windows Hello; a physical security key or a verification code sent via SMS-based text message to sign in to Outlook, OneDrive and other Microsoft services. With this shift, passwordless authentication is going mainstream — as it should.

What’s Wrong With the Password?

Microsoft’s announcement comes in response to some persistent issues surrounding the use of the password. Part of the problem is that users now need to remember so many passwords. As reported by, digital users managed an average of 100 passwords each in 2020. That’s up 25% from the 70-80 passwords they kept track of a year earlier. Such an increase could reflect users’ increased reliance on digital services in response to the events of 2020.

If users need to remember so many passwords, they want to make it as simple as possible for themselves. Without passwordless authentication, that oftentimes comes at the expense of password security. For instance, a survey from Specops Software found that 29.03% said that they didn’t use more than one password for their accounts, meaning they reused the same password across their entire digital presence. Just 22.58% of users stated that they used passwords that were completely different from one another. The remainder revealed that they employed slight variations of the same password for their accounts.

A third of respondents didn’t think it was that serious to just have one password for all their accounts. More than a tenth of them hadn’t ever even thought about it.

Those findings are consistent with another 2020 survey covered by Threatpost. In that study, two-thirds of users said that they “always” or “mostly” used either the same password or variations of a single password in 2019. All this despite 91% of respondents knowing password reuse was a risk.

Passwords’ Impact on Organizations

Users’ weak password habits carry security implications for their employers. In the words of Microsoft in its post about passwordless authentication, malicious actors can use a victim’s social media profiles as a “head start on logging into their personal accounts.” Social media provides a means of finding victims and targeting their profiles with automated password spray attacks or phishing campaigns. At the same time, malicious actors can use social media to scope out their victims and gather open-source intelligence (OSINT), which they can use to target some of their victims’ other accounts across the web.

This helps to explain why compromised passwords are such a pervasive attack technique. In its Data Breach Investigations Report (DBIR) 2020, for example, Verizon Enterprise observed that 80% of data breaches involving threat actors used either brute-force techniques or lost/stolen credentials. Those tactics appeared across a variety of assets but were most prevalent on web apps.

Passwords affect organizations in ways other than causing data breaches, too. Infosecurity Magazine noted that many large organizations allocate over £700,000 ($945,000) each year for password-related support costs, with each password reset costing an average of £50 ($68). Such a price tag can pose a financial burden to small- and medium-sized businesses over the long term — especially when they’re already struggling with costs related to other issues, such as endpoint and mobile application management.

Not only that, but all those password requests can make people less productive. Employees can’t do their jobs properly if they need to constantly call IT for password support. This can hurt employers even further by delaying critical projects that advance their business interests.

Passwordless Authentication for the Future

The problems discussed above highlight the need for organizations to embrace passwordless authentication in the future. They can rely on some key technologies in the process. Looking back at Microsoft’s announcement, for instance, the tech giant mentioned an authentication app, a security key and an SMS-based verification code. All those are examples of multi-factor authentication (MFA), which can help to safeguard access to an account. That’s true even in the event that a phisher or targeted attacker manages to compromise an account’s credentials.

Many accounts and applications come with built-in tools for enabling MFA. Even so, there are some vendors who offer other solutions for locking down customers’ mission-critical assets.

MFA Isn’t a Cure-All, Either

MFA is not a cure-all solution, however. There are at least two reasons why. First, malicious actors can launch attack campaigns designed to circumvent MFA. These efforts are especially evident with SMS-based MFA schemes. For instance, attackers are known to conduct SIM swapping campaigns where they use social engineering and/or other means to steal access to a victim’s phone number. They can then use that access to intercept SMS-based verification codes needed for accessing a victim’s accounts. Along these same lines, malicious actors can use recycled numbers to obtain the verification codes of users who forget to decouple their old phone number from their web accounts’ MFA schemes when migrating to a new device and phone number.

Second, MFA doesn’t help for services that haven’t yet started using passwordless authentication. Organizations can remedy that situation by equipping all their employees with password managers, utilities that can remember users’ passwords for them. They can also consider using single sign-on (SSO) so that users need to remember only one set of credentials to access their work-related accounts and resources.

The Future Needs Passwordless Authentication

Passwords were suitable for authentication when users had fewer accounts, but things have changed. Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.

Fortunately, organizations don’t need to rely on this outdated form of authentication for their account security anymore. Instead, they can turn to MFA, SSO and other means of passwordless authentication. It’ll save their users frustration and help their jobs to flow more seamlessly. At the same time, it’ll help to spare IT teams from needing to fulfill countless password reset requests — all while cutting down on the likelihood of a breach.

More from Identity & Access

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

X-Force certified containment: Responding to AD CS attacks

6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled…

CISA, NSA issue new IAM best practice guidelines

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a new 31-page document outlining best practices for identity and access management (IAM) administrators. As the industry increasingly moves towards cloud and hybrid computing environments, managing the complexities of digital identities can be challenging. Nonetheless, the importance of IAM cannot be overstated in today's world, where data security is more critical than ever. Meanwhile, IAM itself can be a source of vulnerability if not implemented…