What Does it Mean To Go Passwordless? Just Ask Microsoft

a finger pressing a fingerprint on a touch screen

Passwords have long been a staple against security threats, but the password could soon be a thing of the past. Microsoft is advancing toward this new concept, but what does it mean for your business?

Let’s look and see what going “passwordless” can mean for an account’s security.

How Does Passwordless Even Work?

Passwords were the standard for quite some time, but compared to other security measures, they are less secure against threats than you might think. A complex password may have once been enough, but this is no longer the case. Password-cracking software and the massive increase in computing power means that hackers can discover passwords in no time, and weaker authentication methods are inferior compared to other available options. Add in the fact that most users have no clue how to make a secure password, and you have a recipe for disaster.

Multi-factor authentication is one of the best ways you can secure an account. Instead of using one only key to unlock your account, you use multiple factors to open it. For example, you might use a biometric like a face, fingerprint, or iris scan, or even a secondary authentication code sent to your mobile device.

As for your Microsoft account, Microsoft is thinking about ditching the password in its entirety, giving users the option to sign in using the Microsoft Authenticator application, Windows Hello, or codes sent to your email or smartphone. Here are the steps to go passwordless for your Microsoft account:

  • Download the Microsoft Authenticator application on your smart device
  • Link your application to your account
  • Go to accounts.microsoft.com and look for the Security tab
  • Under Additional Security, turn on Passwordless Account
  • Follow the prompts displayed, and you should be good to go!

The fact that you can go passwordless for your Microsoft account is all well and good, but whether you should or not will likely be up to personal preference. As for your business, we want to emphasize that you should move toward multi-factor authentication wherever you possibly can. It’s that much more difficult for a hacker to crack an account.

AE Technology Group wants to help your company implement multi-factor authentication and work toward greater network security. To learn more, reach out to us at (516) 536-5006.

It’s Time to Revisit Your Password Best Practices

a close up of a computer keyboard with the word password on it

When a hacker tries to access one of your accounts, the first challenge they must overcome is the password. This is why industry professionals always encourage you to create them with security in mind. The latest guidelines issued by the National Institute of Standards and Technology, or NIST, are not quite conventional or traditional, but they do give valuable insights into how password best practices.

What is the NIST?

The NIST is the authority on all things password-creation, and they are no strangers to issuing various best practices. While these practices do shift over time, due to the unfortunate side-effect of threats adapting to security standards, their advice is trusted and should absolutely be considered by all. Please see below for the recent update on password best practices.

The New Guidelines

Many organizations and Federal agencies have adopted these guidelines. Here are the latest steps to take when building a secure password.

Length Over Complexity

Most security professionals have advocated for password complexity over the past several years, but the guidelines issued by NIST disagree. NIST suggests that the longer the password, the harder it is to decrypt, and they even go so far as to say that complex passwords with numbers, symbols, and upper and lower-case letters make passwords even less secure.

The reasoning for this is that the user might make passwords too complicated, leading them to forget them entirely, so when it comes time to replace the password, they will add a “1” or an exclamation point at the end. This makes them easier to predict should the original password be stolen. Users might also be tempted to use the same password for multiple accounts, which is a whole other issue that certainly does not aid in security.

No More Password Resets

Many organizations require their staff to periodically change their passwords, mostly every month or every few months. The idea here is to preemptively change passwords on the off chance that the old passwords have been compromised. Trying to use the same old password multiple times would then lock the hacker out of the account, as the password has since been changed. While this has been an accepted best practice for some time, NIST recommends that this practice be put to the wayside, as it is actually counterproductive to account security.

The reasoning behind this determination is that people will not be as careful with the password creation process if they are always making new ones. Plus, when people do change their passwords, they will use the same pattern to remember them. This means that passwords could potentially be compromised even if they have been changed, as a hacker could recognize the pattern and use it against the user.

Make Passwords Easy to Use

Some network administrators worry that the removal of certain quality-of-life features such as showing a password while the user types it or allowing for copy/paste will make the password more likely to be compromised. The truth is the opposite; ease of use does not compromise security, as people are more likely to stick to established password protocol if you make it easier for them to do so.

Don’t Give Out Password Hints

At the same time, you don’t want to make things too easy for your employees, either. One way that administrators help out employees who easily forget passwords is by providing password hints. The system itself is flawed, especially in today’s society of oversharing information across social media and the Internet in general. If Sally makes her password-based around the name of her dog, for example, the hacker might be able to find that information on her social media page, then can try variations of that name until the code is cracked. So, in the interest of network security, it’s better to just forego these hints. There are other ways to make your password system easier to deal with that don’t compromise security.

Limit Password Attempts

When you place a limit on password attempts for your business, what you are essentially doing is giving hackers a limited number of chances to get lucky. NIST suggests that most employees will fall into one of two categories in regard to password remembrance; either they will remember it, or they will keep it stored somewhere (hopefully in a password management system). Thus, if an employee is likely to do one or the other, a limit on password attempts will not necessarily impact them but will make all the difference against security threats.

Implement Multi-Factor Authentication

COMPANYNAME recommends that your business implement multi-factor authentication or two-factor authentication whenever possible. NIST recommends that users be able to demonstrate at least two of the following methods of authentication before they can access an account. They are the following:

  1. “Something you know” (like a password)
  2. “Something you have” (like a mobile device)
  3. “Something you are” (like a face or a fingerprint)

If two of the above are met, then there is sufficient evidence to suggest that the user is supposed to be accessing that account. Consider how much more difficult this makes things for a hacker. Even if they have a password, it is unlikely that they also have physical access to a mobile device, a face, or a fingerprint.

Make password security a priority for your organization now so that you don’t have to worry about data breaches later on down the road. AE Technology Group can help you set up a password manager that makes adhering to these best practices easier. To learn more, reach out to us at (516) 536-5006.

Take Charge of Security With Two-Factor Authentication

a person holding a cell phone in their hands
2 Factor Authentication

As attacks by hackers become all too common, it is increasingly important to ensure that accounts and passwords are protected. Two-factor authentication (2FA) provides an extra level of protection to accounts and is an important security option that all companies should consider. If you have questions or would like to learn more, AE Technology Group would be happy to help.

What is Two-Factor Authentication?

Two-factor authentication provides a method for ensuring that accounts are safe, even if a password is hacked or stolen. In addition to use of a password, 2FA requires that the account holder provide an additional piece of data or information to confirm the account. While there are many options for the second authentication factor, three common choices are:

  • A piece of information unique to the user, such as a password or PIN;
  • A physical object owned by the user, such as a smartphone or token; or
  • A biometric indicator, most commonly fingerprints verified by a fingerprint reader.

When an account needs to be verified, the system will first require that the user enter their password and then request their second form of authentication. For example, after a password is entered, the system may generate a phone call to the user’s smartphone.

What Are the Benefits of 2FA?

The most obvious benefit to 2FA is security. In the password/smartphone example used above, a hacker would only gain access to the account if they knew the account password and had access to the associated smartphone. 2FA also allows for increased flexibility for workers. Without having to worry about the safety of their devices, they can work remotely and in more locations – allowing them to maximize their time and productivity.

How Do I Implement 2FA?

AE Technology Group is perfectly poised to help your business implement 2FA.

Contact us today to get help improving safety and security for your business and employees.