Hotmail to offer strong method for authentication

  • Article

Recently, I read an article that says that Microsoft is going to use a better method than Gmail for authenticating into its webmail client, Outlook.com (formerly Hotmail).  If you read the article, Microsoft never actually says that their security will be better than Gmail’s, rather:

-
Gmail gives users the option of using two-factor authentication.  
You sign in with your password, but they also send you a text message and you have to enter that in, too.  Thus, you need two pieces of information – your password (which a spammer could conceivably steal) and your cellphone, which a spammer would have a much more difficult time getting.  To get both at the same time is even more challenging for a random spammer.  This is outlined on Google’s blog here.

-
Microsoft also offers single use code.
However, Microsoft also requires the use of strong passwords which is a trend in industry so users don’t enter “12345678”.

-
However, Microsoft is looking for better mechanisms to authenticate.
From the article: The rep said it looked at two-factor authentication but chose not to offer the service since it found that only a small number of Gmail users actually use it. Microsoft’s goal is “to find a strong solution that everyone can use, vs. just the 1% of users that figure out how to navigate a bunch of additional setup options,” the spokesperson said.

That is  the weakness of stronger security – passwords are simple for users to manage, even if they are insecure.  But more complex methods suffer from lack of widespread use.  The article goes on to quote a Google spokesperson that millions of their users have 2-step verification, and thousands more join every day.  This sounds like a lot. but Hotmail and Gmail have something like 300 million users.  1% of 300 million is 3 million, which is millions.   Both statements from both companies are correct.

My own take is that whatever replaces passwords has to be useful to the user and easy to deploy widely.  Passwords have been around, in some form or another, for centuries.  They will be hard to replace.