Our ability to securely move beyond passwords as the singular trusted authentication mechanism has been here for some time, but concept and related technology has lacked traction. I am excited to see Microsoft continue to endorse and partner with the FIDO Alliance to bring forward secure, alternative authentication options to the masses.
Please remember that even the best Microsoft Hello option is still often a single authentication factor. For sensitive system access, multi-factor authentication is still the safest, most effective approach to authentication.
Though many like to pretend that the debate is still alive and relevant, I tend to agree with the authors of this post from KnowBe4 – the 8-character password is dead. It has honestly been dead for some time. We need to move forward and consider stronger, more effective and memorable pass-phrases combined with multi-factor authentication options whenever available.
The NIST standard of “complex” 8-character passwords is mentioned in this post, but it is also worth mentioning that even NIST has recognized it is time to move beyond that standard. New, revised standards are coming that involve less password rotation and more lengthened pass-phrases.
These steps are honestly not hard and they will keep your data safer than the good ol’ days of “Petsname123”.
This is a very difficult situation from an IT security perspective. Multi-factor authentication is a necessary step for the security of many systems and applications, especially those that are cloud hosted. These types of outages can and will shake the confidence of users and make the move to multi-factor authentication that much more difficult to pursue and expand for IT security professionals in organizations.
It is very important to remember that biometrics is a capable and effective authentication method, but it is still a single factor of authentication. It is not a panacea. It is not foolproof. Multiple factors of authentication are still key.
All of the advice in this article is sound, but to be honest and in my humble opinion, the most valuable point made here or in general concerning social media and security is the absolute need for two-factor / multi-factor authentication. This must become a component of everything we do online.
This is exciting news and a very smart, practical move by the team at NIST. Length of passwords trumps complexity in most situations when an end user is left to his or her own devices. I am glad to see these changes and encourage all administrators and IT security professionals to use these changes as an opportunity to better educate end users in the proper set up and usage of passwords.
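As an added illustration (not code from the original post), the following Python contrasts the legacy "8 characters plus complexity" rule with a length-first check of the kind the revised NIST guidance favours. The blocklist entries, the length thresholds and the sample passwords are constructed for this example.

```python
# Added example: legacy complexity policy versus a length-first policy.
# The blocklist below is constructed for illustration; a real deployment
# would screen candidates against a breached-password corpus instead.
import math
import re
from typing import Tuple

# Constructed sample blocklist of common / breached-style passwords.
BLOCKLIST = {"password", "petsname123", "welcome1", "qwerty123", "summer2019"}


def legacy_policy(pw: str) -> bool:
    """Old-style rule: at least 8 characters and three of four classes."""
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return len(pw) >= 8 and sum(1 for c in classes if c) >= 3


def length_first_policy(pw: str, min_len: int = 8,
                        max_len: int = 64) -> Tuple[bool, str]:
    """Length-first rule: no composition requirements, but reject short,
    over-long or blocklisted secrets. Spaces (pass-phrases) are allowed."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(pw) > max_len:
        return False, f"longer than {max_len} characters"
    if pw.lower() in BLOCKLIST:
        return False, "appears in blocklist"
    return True, "ok"


def brute_force_bits(pw: str) -> float:
    """Upper-bound guessing work in bits if an attacker must try every string
    over the character classes the password actually uses. This ignores
    dictionary structure, so human-chosen secrets are weaker than shown."""
    space = 0
    if re.search(r"[a-z]", pw):
        space += 26
    if re.search(r"[A-Z]", pw):
        space += 26
    if re.search(r"\d", pw):
        space += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        space += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(space) if space else 0.0


if __name__ == "__main__":
    for candidate in ("Petsname123", "correct horse battery staple"):
        print(candidate, legacy_policy(candidate),
              length_first_policy(candidate), round(brute_force_bits(candidate), 1))
```

"Petsname123" satisfies the legacy rule yet is rejected by the blocklist, while the four-word pass-phrase fails the legacy rule and passes the length-first check.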
I listened to an interesting Steve Gibson podcast on this same subject and tend to agree with Steve that this is a decent implementation of a stronger single-factor authentication mechanism, but it is far from multi-factor authentication. This can certainly replace weak passwords with a slightly stronger authentication mechanism, but in most instances, real security will require a second, truly secret authentication factor.
This is an interesting read. It is always exciting to see multi-factor authentication grow and evolve. U2F is a promising direction in IT security.
SMS messaging as a second factor of authentication is certainly better than nothing, but it is also a clear step backward compared to a physical or soft token.
This is great news in the grand scheme of IT security and Identity/Access management. I hope to see the numbers continue to grow, especially in smaller organizations. MFA adds tremendous value for a relatively low investment point.