information security professionals – Devstyler.io
https://devstyler.io
News for developers from tech to lifestyle

Microsoft Consumers can now Completely Remove Passwords from their Accounts
https://devstyler.io/blog/2021/09/16/microsoft-consumers-can-now-completely-remove-passwords-from-their-accounts/
Thu, 16 Sep 2021 10:56:52 +0000

Microsoft announced that users of Outlook, OneDrive, Family Safety, and more can now opt out of using passwords and choose alternative authentication methods, predicting that “the future is passwordless.”

This comes after the company announced that passwordless sign-in was generally available for commercial users, bringing the feature to enterprise organizations around the world. According to Vasu Jakkal, the CVP of Microsoft Security, Compliance & Identity, some of the main reasons the company sees going passwordless as the next step are that passwords can make people an easy target, they waste time (43% of people experience password problems monthly), they aren’t user-friendly, and many people forget them. Jakkal wrote in a blog post:

“We are expected to create complex and unique passwords, remember them and change them frequently, but nobody likes doing that either. In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally “reply all” — which can be monumentally embarrassing — than reset a password.”

Passwords are also a major entry point for hackers, with an estimated 579 password attacks every second (18 billion every year). Password-related attacks dominate attacks on enterprises, and 90% of respondents to the State of Passwordless Authentication 2021 report said they experienced phishing attacks against their organization. The report was produced by Cybersecurity Insiders, a 500,000-member community for information security professionals.

The FIDO Alliance also found that 61% of companies revealed that their “passwordless” multi-factor authentication methods still rely on underlying passwords.

However, many companies have been shifting to using truly passwordless solutions with 96% of respondents to the report saying that they want to stop using shared secrets for authentication. The FIDO Alliance wrote in the report:

“There is a common notion among technologists, analysts, regulators, and the media that passwords aren’t going anywhere. This report tells a very different story from the practitioners’ point of view. Not only have a meaningful number of organizations already deployed passwordless technology, but they also demonstrate a clear understanding of its impact and use cases.”

Some of the alternative authentication methods that Microsoft now offers include the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email.

Microsoft software users can now visit account.microsoft.com, sign in, and choose Advanced Security Options. Under “Additional Security,” you’ll see “Passwordless Account.” Select “Turn on.”

Jakkal added that Microsoft has heard great feedback from enterprise customers who have been on the passwordless journey, and noted that Microsoft itself is a great test case: nearly 100% of its employees use passwordless options to log in to their corporate accounts.

Who is Responsible for Improving Security in the Software Development Environment?
https://devstyler.io/blog/2021/07/22/who-is-responsible-for-improving-security-in-the-software-development-environment/
Thu, 22 Jul 2021 10:25:06 +0000

Venafi announced the findings of a global survey that evaluates the impact of software supply chain attacks like SolarWinds/SUNBURST, CodeCov and Kaseya/REvil on how development organizations are changing their approach to securing software build and delivery environments.

The survey evaluated the opinions of over 1,000 information security professionals, developers and executives in the IT and software development industries.

Misalignment between security and development teams

According to the survey, respondents nearly unanimously agree (97%) that the techniques and procedures used to attack the SolarWinds software development environment will be reused in new attacks this year. Despite this certainty, there is no alignment between security and development teams on which team should be responsible for improving security in the software build and distribution environments. For example, when asked who is primarily responsible for improving the security of their organization’s software development environment, 48% of respondents say their security teams are responsible and 48% say their development teams are responsible. Kevin Bocek, VP of security strategy and threat intelligence at Venafi, commented:

“While the SUNBURST attack on SolarWinds was not the first of its kind, it was certainly one of the most serious so far. SUNBURST made it absolutely clear that every organization must take urgent, substantive actions to change the way we secure software build pipelines. The only way to reduce these risks is to dramatically improve the security of the development pipeline and the software it delivers. However, if we can’t even agree on who is responsible for taking these actions it’s pretty clear that we aren’t even close to making meaningful changes. Anyone hoping this problem has been addressed is kidding themselves.”

Confidence and responsibility in the software development environment

  • 80% of respondents say they are not completely confident in their organization’s ability to defend against attacks targeting software build environments.
  • 69% of developer respondents believe developers are responsible for the security of their organization’s software build process. However, 67% of security respondents believe it is the security team’s responsibility.
  • When asked who should be responsible for the security of their organization’s software build process, 58% of security respondents say it should be their responsibility and 53% of developer respondents say it should be theirs. Just 8% of all respondents suggested that responsibility should be shared.

“As these survey results clearly show, most organizations have not made it clear which team has the incentive or the directives they need to make the changes required. The only way to minimize the risk of future attacks is to enable developers to move fast, from idea to production, without compromising security.”

Bocek added that speed of innovation and security are inseparable in software development. In the same way that a Formula 1 engineer builds for performance and safety at the same time, software developers also need to be accountable for both. To accomplish this, developers clearly need help and support from security teams. Boards, CEOs, and managing directors need to take action to ensure clear lines of ownership so that changes are in place and they can hold teams accountable.
