Password managers will remain a valuable bulwark against identity-related threats for some time to come, despite Microsoft’s decision to switch off the capabilities in its Authenticator app from tomorrow, security experts have argued.
The tech giant has been winding down Microsoft Authenticator’s ability to store and autofill passwords for some time. From the start of June, users were no longer able to add or import new passwords. The following month, autofill was switched off. From August 1 saved passwords will no longer be accessible via the app.
After this time, stored passwords can be accessed and autofilled via the Edge browser, or users can export them to an alternative password manager. However, what Microsoft really wants is for users to transition to passkeys, which are still supported by Authenticator.
Passkeys are widely regarded as a more secure and easier-to-use authentication mechanism, unlocked via PIN or biometrics, that requires no passwords at all.
However, security experts have argued that a passwordless future is still years away, meaning password managers will continue to play an important role in enterprise security for some time to come.
“The impending elimination of password support by Microsoft would suggest that the industry is rapidly moving towards a future where passwordless authentication is the norm. However, the data tells us another story,” argued Keeper Security CEO, Darren Guccione.
“Rather than heralding a drastic sea-change, Microsoft’s decision arrives amid a more gradual transformation, one that is still very much in progress. Solutions that can generate and secure traditional passwords remain critical for individuals and organizations alike – even as passwordless authentication becomes more widely adopted across digital systems.”
Guccione cited Keeper Security figures claiming that 40% of organizations operate a hybrid authentication environment, combining both passwords and passkeys.
The Transition Will Take Time
His thoughts were echoed by IEEE senior member and University of Nottingham cybersecurity professor, Steve Furnell.
“While we are seeing a shift towards a passwordless future, this transition will take some time. Many organizations have only recently moved to multi-factor authentication (MFA) and so will have less desire or incentive to develop other technologies like passkeys, even if doing so could improve user experience,” he argued.
“Meanwhile, others may be stuck with traditional passwords, for example, if they are simply not in a position to update their in-house, bespoke or legacy systems.”
Furnell added that organizations that continue to rely on passwords must ensure they have two fundamentals in place.
“Firstly, provide clear guidance and support so users understand how to create and manage passwords effectively. Most people do better when they know what’s expected and why it matters,” he concluded.
“Second, it’s important to implement safeguards that enforce good practice by default, reducing the risk regardless of individual behavior.”