
Yubico, Microsoft Accelerate Retirement Plans for Passwords


If you’re someone who really enjoys creating clever little mnemonic devices or finding new ways to munge your first dog’s name with your zip code, then today is a bad day for you. Passwords, already nearing the end of their usefulness, are preparing to pack it in and move to Boca Raton.

Yubico on Monday announced a new line of hardware security keys, the YubiKey 5 Series, that supports the open WebAuthn standard and the FIDO2 open authentication standard. One of the keys in this series includes NFC support and can be used for strong two-factor authentication on mobile devices. The YubiKey 5 Series keys can be used in a number of different authentication scenarios, including passwordless authentication, 2FA, and MFA.

The biggest addition, though, is the YubiKey 5 NFC model, which fills in a major gap with most hardware security keys. The support for NFC allows people to use the keys for over-the-air authentication on apps on their mobile devices.

“Combining the security and usability features of FIDO2 passwordless authentication and tap-and-go NFC provides an optimal user experience, and drastically improves security and productivity. This is especially beneficial in fast-paced, dispersed working environments within sectors such as financial services, healthcare, and retail point-of-sale (POS),” Jerrod Chong, senior VP of product at Yubico, said.

Earlier this year, Yubico released an SDK for iOS that enabled developers to add support for YubiKeys to their apps. The SDK specifically supported the YubiKey Neo, and Yubico also has similar support for that functionality on Android.

On the software side of things, Microsoft is now bringing some of the password-less authentication experience to its Azure cloud platform. Azure customers can now use the Microsoft Authenticator app to authenticate to hundreds of thousands of Active Directory apps without a password. The app uses fingerprint or facial recognition, along with a username, to authenticate the user, a combination that is becoming more and more common. Passwords are artifacts of an era when technology hadn’t yet caught up to the security requirements of users, and the advent of strong multifactor authentication systems is pushing them ever closer to the edge of irrelevance.

Many individual apps support 2FA, but Microsoft’s announcement of support for Microsoft Entra ID in the Authenticator app makes it available across the company’s popular cloud platform. Microsoft announced the availability at its Ignite conference today, along with a number of other security enhancements.

“The Authenticator app replaces your password with a more secure multi-factor sign-in that combines your phone and your fingerprint, face, or PIN. Using a multi-factor sign-in method, you can reduce compromise by 99.9 percent, and you can make the user experience simpler by eliminating passwords,” Rob Lefferts, corporate vice president of security at Microsoft, said.