It's no secret that passwords -- and password-based authentication -- have plagued security teams for decades.
In fact, user account hijacking has been one of the most prevalent issues with SaaS for quite some time.
In 2014, cloud access security broker (CASB) vendor Adallom -- which has since been acquired by Microsoft -- released some startling statistics about account security within SaaS applications. Of the SaaS accounts surveyed, 11% were "zombies" that had never been used, and 80% of companies evaluated had at least one cloud account that had not been disabled after an employee left the organization. Now, imagine if those accounts were protected by nothing more than a password.
That exact scenario happened in 2014 with vendor Code Spaces, which failed to protect its cloud administration console with more than a password. As a result, a hacker shut the console down completely.
Fast forward to the present and things may finally be shifting in a better direction. At its Ignite 2018 conference, Microsoft made a bold claim that the end of the password is upon us, and that it is in large part because the company is expanding the Microsoft Authenticator app to work with tens of thousands of Azure AD-connected cloud apps.
The Microsoft Authenticator app
The Microsoft Authenticator app was released several years ago to unify on-premises and Azure Active Directory (AD) logins, so that users could sign in to cloud apps connected to Azure AD and to Microsoft accounts from one place. In 2017, Microsoft announced biometric support for Microsoft accounts, which could eliminate password-based logins, and the recent Ignite announcement extended this capability to Azure AD-enabled cloud applications, too.
In essence, this shifts user authentication away from passwords to a multifactor model that employs a mobile device plus biometrics -- facial recognition or fingerprints -- or a PIN. Passwords are still supported if users want them or if an application requires them in some circumstances. In these cases, Authenticator can be configured with a two-step verification method, where an additional entry from the app is needed once a username and password are provided to the SaaS or Microsoft service.
What it means
There are many implications of Microsoft's announcement in the cloud security world. Often, end-user security controls are the weakest, and people most often use their mobile devices to connect to SaaS applications like Office 365, Box and others.
By potentially removing passwords from the security equation, Microsoft is enabling a much more secure method to connect users via multifactor authentication, while at the same time reducing the perennial issue of password reuse across numerous sites and services. When passwords are reused, the compromise of a single password at one site can lead to breaches at others.
While having a single application that manages authentication and access control sounds like a good plan, it also presents the possibility of a single point of failure: the app itself may have vulnerabilities, or it may expose credential data through configuration errors, other flaws, or problems in how different vendors' products and services interoperate.
Most of the news here is good, however, especially if other vendors take note and work to integrate more effectively with cloud-based and on-premises directory services, federation and single sign-on services, and all manner of cloud service providers and SaaS offerings.
Currently, Microsoft is limiting the use of Authenticator to very Microsoft-centric scenarios -- namely Microsoft cloud services and those that can integrate with Azure AD. Other cloud services may not be able to integrate currently, and there are thousands of these in use that could force users to implement and maintain multiple authentication apps and strategies. This is likely a bad strategy that could lead to annoyance and performance issues at best, and confusion and accidental account exposure at worst. All things said, though, getting passwords out of our lives can only be a good thing in the long run.