Microsoft chief information security officer explains why he's trying to eliminate passwords entirely in his quest to secure the company's information

Feb 20, 2020, 20:15 IST
  • As Microsoft's chief information security officer, Bret Arsenault is tasked with protecting the company against hacks, leaks, and breaches.
  • Arsenault has spearheaded Microsoft's initiative to "build a world without passwords."
  • Arsenault says that while stolen passwords can easily be exploited by hackers, it's much harder for your average hacker to fake something like an iris scan or fingerprint - with the added benefit that it takes the burden of dealing with passwords away from the user.
  • He also oversees security measures to protect top-level executives, which he says are more than 10 times as likely to be targeted by hackers as rank-and-file employees.

Companies aiming to prevent hacks and breaches all face the same fundamental question: How do you beef up security measures without slowing down your business?


At Microsoft, the man tasked with answering that question is Chief Information Security Officer Bret Arsenault, who joined the company a decade ago and oversees its internal security operations.

The stakes have only gotten higher - cybercrime remains the fastest-growing type of criminal activity, and is expected to cost businesses over $5 trillion worldwide in the next five years, according to Accenture.

Arsenault spoke to Business Insider and other news outlets during a security summit recently hosted at Microsoft's campus in Redmond, Washington. He laid out his philosophy around protecting Microsoft against hacks, and why the company is aspiring to eliminate passwords altogether.

'A world without passwords'

Contrary to what Hollywood might have you believe, the majority of real-life hack attacks come from using stolen passwords to break into a system - not exploiting any kind of underlying technical flaw.


"Hackers log in, they don't break in," Arsenault said. "[Proving] your identity is the thing you really have to spend the most amount of time on."

That's why Arsenault says his team is focused on finding smarter ways to help Microsoft employees (and users) log on to their vital business apps in a way that stops the bad guys - without frustrating the good guys.

The first solution was two-factor authentication, a system that requires users to verify logins using a secondary device, like their phone. While this so-called 2FA is certainly more secure, it also creates headaches when users have to log in to multiple sites and services every day, not to mention the complexity it adds.

The next phase involved replacing passwords altogether with unique biometric identifiers, like fingerprints or iris scans. The Windows 10 operating system supports Windows Hello, a system that allows for logging in to certain apps via fingerprint reader or a camera, provided your PC has the right accessories.

This approach makes it all but impossible for everyday hackers to break in, given that there's no stolen password for them to enter - while also meaning that users don't have to put one in, either, saving time.


"It turns out changing it to 2FA everywhere was a bad way to go, and eliminating passwords is an awesome way to go," he said.

Protecting top-level executives

Top-level executives are always more likely to be targeted than rank-and-file employees, as recent high-profile attacks against the likes of Amazon CEO Jeff Bezos reflect.

According to Arsenault's calculations, top-level executives are 12 times more likely to be targeted by hackers than the average employee, and companies should prepare accordingly.

At Microsoft, executives go through more training to identify signs of phishing scams and spyware attacks, and are typically equipped with more antivirus software on their devices, according to Arsenault.

Arsenault said this level of protection isn't cost-effective for typical employees, but that the risk faced by executives makes it worthwhile.


"Physical security for executives seems to be more mature than cyber protection for executives. That's something we try to work on."
