Microsoft has just made available a tool allowing access to an Outlook account without a password. Contrary to what one might think, this method is more secure than our old “azerty” or “motdepasse123”.
You will soon be able to do without your password to connect to your Outlook mailbox or your OneDrive storage space. Microsoft announced on September 15, 2021, the deployment of a passwordless identification solution.
The dangers of passwords to computer security are fairly well documented. They are often too simple, reused on several services and easily guessed. As a result, hackers have no trouble breaking into accounts that don’t belong to them.
No password: why is it more secure?
To counter this phenomenon as old as the Internet, Microsoft therefore wants to put passwords behind us and offer new ways of identifying ourselves.
Of course, the company offers biometric authentication via Windows Hello (facial recognition or fingerprint reader), but it is also possible to use the Microsoft Authenticator application, a U2F security key, or even a verification code received by SMS.
It might sound counterintuitive, but getting rid of your passwords is actually one of the best things you can do to secure your accounts on the web. By relying on an external authentication factor rather than a password, you leave malicious Internet users no opportunity to guess your password or to steal it from you through phishing campaigns.
Only a connection approval from your phone or from a secondary email address allows you to identify yourself. It gives you more control. The probability that a hacker will also gain access to your phone is not zero, but it is low. This is why two-factor authentication is so widely recommended today.
In short, by eliminating the password, Microsoft is eliminating the human factor (and all its weaknesses) from the identification logic.
A philosophy that has its limits
“Weak passwords are the entry point for the majority of attacks against business and personal accounts,” explains a security manager at Microsoft. Microsoft is not alone in wanting to get rid of passwords. During WWDC 2021, Apple presented its Passkeys system, which lets users identify themselves via biometric data rather than via a password.
The question then is: what if my phone gets stolen? According to Microsoft’s frequently asked questions, if you can no longer identify yourself using the Authenticator app, you can still use an alternate email address, or a code sent by SMS if you have access to your phone number.
Unfortunately, this philosophy also has its limits. If your recovery email address is protected by a password, then the exercise is of little value. In addition, some devices have been designed around authentication via password. Microsoft states it in black and white: its Xbox 360 does not support passwordless authentication.
We can applaud the effort made by Microsoft to try to at least secure access to its services. However, as long as the web's players do not all coordinate to offer alternatives to passwords, there will always be a risk.