Microsoft has already given Windows 10 the option to sign in using codes sent by text message, the Microsoft Authenticator app, Windows Hello and physical security keys that comply with the Fido2 standard. Password spraying isn’t a sophisticated attack, but don’t discount the attackers if you detect one.A reported breach of Citrix, which has potentially exposed data at hundreds of thousands of customer organisations, once again highlights the need for an alternative to passwords.Potentially the biggest personal data breach to date from thousands of sources, some possibly breached as far back as 2008, illustrates the deeply flawed nature of password-based authentication.
A PIN is also useless without the user device because it will not work without the associated TPM.Įnabling passwordless sign-in on Windows 10 devices is the latest initiative by Microsoft in an industry-wide effort to encourage the use of two-factor authentication and to end the world’s reliance on passwords that are easily compromised and typically re-used across multiple accounts, enabling credential stuffing attacks. A PIN, in contrast, is “user-provided entropy” (randomness) that is stored on a device in a trusted platform module (TPM), and therefore immune to compromise in the same way as passwords. Passwords are symmetric keys that have to be stored on a server, and if that server is compromised, so is the password. Microsoft argues that while a PIN may seem very much like a password, it is much more secure. “Enabling passwordless sign-in will switch all Microsoft accounts on your Windows 10 device to modern authentication,” the company said in a blog post. The next major update of the Windows operating system in 2020 will allow users to enable passwordless sign-in and choose whether to use Windows Hello face authentication, fingerprints, or a personal identification number (PIN) to access Microsoft accounts.
0 kommentar(er)
