In their latest news blog Microsoft claim that the growing problem of passwords are the users and also that it’s time to get rid of them completely. Sure enough the author then builds a rather strong case against the classic password with ever-changing password polices and the fact that people tend to ignore them. And while it is absolutely true that in most cases the user is the biggest security problem with passwords, it stands to reason that making him the password isn’t doing well either. At least not yet.
That is exactly where Microsofts post is heading: Windows Hello and the principle to use the users biometrics, in this case the face, as “the password”. If you haven’t heard of WIndows Hello yet: It’s already implemented in Windows 10 and lets you sign in by just looking at the camera. But for that to work you need special cameras that can take infrared images.
Much like Apple with their Face ID Microsoft seems to think that facial recognition is the way to go to build more secure and user-friendly devices. But also much like Apple they already had to take some heavy blows from security experts. In spite of recent outrages about Face ID logging in people who look similar Windows Hello hasn’t been getting that much attention when it comes to its problems.
While it took special masks to fool Face ID a laser printout was enough to bypass Windows Hello. So it stands to reason that this technology might still need some tweaking to be more secure than a simple password. Otherwise someone with a modified picture of you from Facebook could unlock your devices and even though passwords and the people using them have their faults the percentage of them posing their passwords on Facebook is rather small.
To come back to the initial question: Is it time to kill the password? I don’t think so. But given enough time it might be. Until then there are alway better ways to protect your privacy if need be: Two factor authentication for example is one of the things that comes to mind as well as special hardware tokens.