Q&A

Q&A with Jan Ketil Skanke on Going Passwordless

As the IT landscape continues to transform with the newest cloud tech and services, why are you still relying on unsecure passwords?

• By Chris Paoli
• 05/17/2022

Microsoft Enterprise Mobility MVP Jan Ketil Skanke says it's time to break IT's reliance on troublesome passwords.

In a session at the upcoming TechMentor conference taking place Aug. 8-12 in Microsoft's Redmond, Wash., headquarters, Skanke will show you how Microsoft 365 can help you secure the ever-growing mobile workforce. Titled "Beyond Passwords - Securing Your Identities in Microsoft 365," Skanke's session will cover why the move away from passwords is the right one, how you can better secure your users in the cloud, and the latest management capabilities in Azure Active Directory.

Ahead of his Aug. 9 session, Skanke sat down with Redmond Magazine and tackled some of our questions about how IT can better secure their users and keep identities safe in our growing cloud world.

Redmond: Why should organizations move away from the era of passwords and what makes them unsecure, especially in the remote workforce era?
Skanke: Passwords are the weakest link in your security chain. Passwords are commonly reused across accounts, and statistics show that over 70 percent of the passwords are duplicated. On top of that, around 80 percent of breaches leverage passwords. Passwords can be phished or even found in stolen databases on the Internet.

In addition to this, passwords generate a ton of support calls.

How does Microsoft 365 alleviate the need for passwords?
With Microsoft 365 or Azure AD you have several methods available to authenticate without passwords. Windows Hello for Business, FIDO keys and the Microsoft Authenticator app can all be used for passwordless authentication. All Microsoft 365 services, including Windows 365, have support for passwordless capabilities, reducing the user-visible password surface areas.

Personally I have not used my password in over nine months.

For shops using Microsoft 365, what is the top security feature they should enable that they might not know about?
The main tip is to not assume that the defaults in Azure AD is secure. Even though Microsoft has announced that they will shut down basic authentication in the near future, many companies still have that enabled. Using an Exchange Authentication policy, this can easily be turned off to reduce the risk of password spray attacks (brute force) massively. In addition to this, blocking your end users from being able to give OAuth consent to apps accessing their data on their behalf is an important setting to configure. 

What shortcomings do you see in Microsoft 365's identity security/management and how should Microsoft address them?
The default configuration in Azure AD is not secure enough. Many customers do not have the knowledge to be aware of what needs to be done on a new tenant. Microsoft introduced Security Defaults to mitigate some of this, but still Microsoft could do more on helping new customers secure their tenant "out of the box."

My personal biggest request to Microsoft is to allow us to totally disable passwords on all or selected users. Even though passwordless is available for all, users can still fall back to their unsecure passwords.

What security threats are Microsoft 365 users most susceptible to?
Microsoft 365 users are most susceptible to identity theft. The identity is the new "firewall" protecting all your data and users. The main reason for this is that most organizations still don't enforce multifactor authentication for all their users.