Microsoft has very quietly confirmed the death of Windows 10 passwords this week. Microsoft's crypto, identity and authentication team group manager, Yogesh Mehta, has made an announcement that he says puts "the 800 million people who use Windows 10 one step closer to a world without passwords." Whether you love Microsoft or are a Windows 10 hater, I think most people will agree that passwords have long since reached their expiry date. I don't just mean that in the sense of security policy baseline recommendations, although Microsoft did also recently announce a change to Windows 10 passwords in that regard as well. Rather, I am referring to the whole concept of the password as a secure authentication method.
Mehta confirmed that with the release of the forthcoming Windows 10 May update, Windows Hello becomes a fully FIDO2 certified authenticator. What does that mean, do I hear you ask? The FIDO Alliance, which stands for Fast Identity Online, is an industry body on a mission to solve the problem of passwords through the use of open standards to drive technologies that can securely replace them. FIDO2 is a set of such standards that enable logins backed by strong cryptographic security, and the certification in question applies to the use of Windows Hello for Windows 10 users.
Andrew Shikiar, the CMO of the FIDO Alliance, says that "Microsoft has been a preeminent advocate of FIDO Alliance's mission to move the world beyond passwords." Indeed, it has been making great strides to get rid of passwords since the introduction of Windows Hello, which enables Windows 10 users to sign into devices, back in 2015. So does the arrival of FIDO2 certification for Windows 10 mean that passwords are now dead? Not quite. The death of the password for Windows 10 could yet be a lingering and painful one. "We encourage companies and software developers to adopt a strategy for achieving a passwordless future and start today by supporting password alternatives such as Windows Hello," Mehta says, before admitting that arriving in this future requires "interoperable solutions that work across all industry platforms and browsers." I say painful, by the way, because there will be no shortage of stories about password security fails until the final nail is hammered into this authentication coffin.
Jake Moore, a security specialist at ESET, welcomes the news. "Considering the number of data breaches we have witnessed in the past few months," he says, "it is great to see companies taking the steps required to protect their users." However, he warns that passwords will "still be a feature in the background," and so users must be pushed to "adopt better password management and multi-factor authentication to protect their data in case their information gets into the wrong hands."