ETtechMicrosoft made a rather big move a couple of weeks ago. It enabled all users to log in to its products without a password, instead providing alternate authentication methods. It is a significant change in securing how humans interact with the plethora of digital products out there. Passwords are considered one of the weakest links in the cybersecurity chain, and for long, the talk has been about enabling a password-less future. That time is finally here. ET talked to Vasu Jakkal, corporate vice-president for Microsoft’s security, compliance, identity, and management practice to understand more about how the company went about taking a significant step towards a password-less future. Edited excerpts:
Q. No one expected Microsoft to enable password-less log-in for all users — corporate and consumer — so soon. Why the urgency?
A. Last March, we announced that our commercial users will go password-less, and we saw a lot of traction for that. We now have 200 million users using password-less. So, we knew this was the way to go. There were two big trends driving our urgency. One was related to the pandemic. Overnight, we all became digital businesses, and we saw an escalation of the threat landscape. Secondly, the inconvenience of passwords has been around for a long time. Thirty percent of users would rather give up an account than reset their password. Combining both, identity was becoming the battleground of security. Our CISO says it all the time — hackers are not breaking in, they are logging in. So, we had to do something about it, and we just accelerated the journey we were already on.
Q. How difficult is this transition going to be?
A. It’s kind of mind-boggling that passwords are the first line of defence. We’ve been talking about zero trust, we’ve been talking about multi-factor authentication, and yet we use passwords, which can be easily compromised. Internally at Microsoft, we are almost 100% password-less for our employees. To adopt it is pretty simple. If you have a Microsoft account, you can have it enabled in just a few steps. We are hopeful because of the adoption that we’ve seen on the commercial side. We have also used open standards because we wanted to rally the industry around it. Now there's a second part to this, which is the ecosystem. Security is a team sport. It takes a village, and we need the ecosystem to rally around it and I look forward to working with our partners on that.
Q. Triggering the shift in ordinary users is different from triggering one in a corporate environment. How do you envisage giving that final push to the ordinary user?
A. It’s all about awareness, and I’ll tell you, we have seen great momentum. You know how fed-up people are with passwords. It is about trying it out and we’ve given the choice — you don’t like it, you can go back. Of course, we’ll be doing marketing around it, we’ll be driving education and amplification. I feel users are becoming more aware of security challenges. I mean the 579 attacks per second. That’s a lot. It is now no longer a fire across on the other side of the world. There’s a fire in my neighbourhood that I need to care about. It’s no longer just enterprises and businesses or governments.
A. I joined Microsoft last year and I was on the password-less journey from day one, so I didn’t see any challenges. There’s always that new technology learning curve, like getting used to it and how you set it up. We haven’t seen a lot of challenges; we have seen the opposite. In town halls and in conversations with employees, they are just really happy with it.
Q. What has been the cost of change? Has that been quantified at all for the larger ecosystem?
A. As companies continue to add more business applications to their portfolios, the cost of passwords only goes up. In fact, companies are dedicating 30% to 60% of their support-desk calls to password resets. Password-reset support tickets are a high cost for many companies and cause a loss in productivity. The average user spends more than 12 minutes each day entering or resetting passwords — that’s almost an hour every month! Multiplying that hourly loss across an organisation with 15,000 members results in more than 160,000 hours of lost productivity and thousands of support calls — all for managing passwords. Microsoft estimated the following costs before rolling out password-less to its employees:
As of today, Microsoft has achieved the following benefits from its password-less rollout:
Q. You mentioned the ecosystem needing to change as well. How long before others follow Microsoft in going password-less?
A. I hope very soon. We’re working with the industry. The last year has proven to us, without a doubt, that identity is the battleground for security. I believe all tech companies have been thinking about security. The Biden administration had a summit in the US just a few weeks ago and all the big tech companies were there. Everyone made a commitment to security and identity is part of that. How do we secure our people, our infrastructure, our homes, our families, all of that. So, it’s top-of-mind for everyone.
Q. Identity goes beyond password, right?
A. We are big advocates of a zero-trust mindset and that has three pillars. The first one is, you know, you assume a breach. Second is you’ve got to verify explicitly. The third is privileged access. This framework is our worldview and the basis of what we do. Identity is at the heart of it. So we do view identity, much more comprehensively than just password. We have a much bigger vision for identity, and it is one of our very core pillars of security.
Q. No one expected Microsoft to enable password-less log-in for all users — corporate and consumer — so soon. Why the urgency?
A. Last March, we announced that our commercial users will go password-less, and we saw a lot of traction for that. We now have 200 million users using password-less. So, we knew this was the way to go. There were two big trends driving our urgency. One was related to the pandemic. Overnight, we all became digital businesses, and we saw an escalation of the threat landscape. Secondly, the inconvenience of passwords has been around for a long time. Thirty percent of users would rather give up an account than reset their password. Combining both, identity was becoming the battleground of security. Our CISO says it all the time — hackers are not breaking in, they are logging in. So, we had to do something about it, and we just accelerated the journey we were already on.
Q. How difficult is this transition going to be?
A. It’s kind of mind-boggling that passwords are the first line of defence. We’ve been talking about zero trust, we’ve been talking about multi-factor authentication, and yet we use passwords, which can be easily compromised. Internally at Microsoft, we are almost 100% password-less for our employees. To adopt it is pretty simple. If you have a Microsoft account, you can have it enabled in just a few steps. We are hopeful because of the adoption that we’ve seen on the commercial side. We have also used open standards because we wanted to rally the industry around it. Now there's a second part to this, which is the ecosystem. Security is a team sport. It takes a village, and we need the ecosystem to rally around it and I look forward to working with our partners on that.
Q. Triggering the shift in ordinary users is different from triggering one in a corporate environment. How do you envisage giving that final push to the ordinary user?
A. It’s all about awareness, and I’ll tell you, we have seen great momentum. You know how fed-up people are with passwords. It is about trying it out and we’ve given the choice — you don’t like it, you can go back. Of course, we’ll be doing marketing around it, we’ll be driving education and amplification. I feel users are becoming more aware of security challenges. I mean the 579 attacks per second. That’s a lot. It is now no longer a fire across on the other side of the world. There’s a fire in my neighbourhood that I need to care about. It’s no longer just enterprises and businesses or governments.
Discover the stories of your interest
A. I joined Microsoft last year and I was on the password-less journey from day one, so I didn’t see any challenges. There’s always that new technology learning curve, like getting used to it and how you set it up. We haven’t seen a lot of challenges; we have seen the opposite. In town halls and in conversations with employees, they are just really happy with it.
Q. What has been the cost of change? Has that been quantified at all for the larger ecosystem?
A. As companies continue to add more business applications to their portfolios, the cost of passwords only goes up. In fact, companies are dedicating 30% to 60% of their support-desk calls to password resets. Password-reset support tickets are a high cost for many companies and cause a loss in productivity. The average user spends more than 12 minutes each day entering or resetting passwords — that’s almost an hour every month! Multiplying that hourly loss across an organisation with 15,000 members results in more than 160,000 hours of lost productivity and thousands of support calls — all for managing passwords. Microsoft estimated the following costs before rolling out password-less to its employees:
- $3 million a year in hard costs.
- $6 million a year in lost productivity.
As of today, Microsoft has achieved the following benefits from its password-less rollout:
- Reduced hard and soft costs by 87%.
- As Microsoft’s costs go down, attackers’ costs go up, so the company is less of a target.
Q. You mentioned the ecosystem needing to change as well. How long before others follow Microsoft in going password-less?
A. I hope very soon. We’re working with the industry. The last year has proven to us, without a doubt, that identity is the battleground for security. I believe all tech companies have been thinking about security. The Biden administration had a summit in the US just a few weeks ago and all the big tech companies were there. Everyone made a commitment to security and identity is part of that. How do we secure our people, our infrastructure, our homes, our families, all of that. So, it’s top-of-mind for everyone.
Q. Identity goes beyond password, right?
A. We are big advocates of a zero-trust mindset and that has three pillars. The first one is, you know, you assume a breach. Second is you’ve got to verify explicitly. The third is privileged access. This framework is our worldview and the basis of what we do. Identity is at the heart of it. So we do view identity, much more comprehensively than just password. We have a much bigger vision for identity, and it is one of our very core pillars of security.
