Aaron Margosis, a principal consultant at Microsoft, recently announced that Microsoft is dropping its password-expiration policies from the security baselines for the upcoming Windows 10 version 1903 and Windows Server version 1903 update. The password-expiration setting itself remains in Windows; what changes is that Microsoft will stop recommending a value for it as part of its group policy security baselines.
Margosis cites recent scientific research that has called the value of periodic password expiration into question, so it is no longer regarded as a security best practice. He recommends stronger alternatives instead: banned-password lists such as Azure AD Password Protection and, most notably, multi-factor authentication. Multi-factor authentication grants access only after the user presents two or more independent pieces of evidence to the authentication system, usually drawn from something you know, something you have and something you are. A voice is an example of the last category, since it is part of the user. Here at Auraya, we provide this capability with our voice identification and verification solution, ArmorVox™.
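To make the banned-password-list recommendation concrete, the following is an added example (not Microsoft's code and not part of the original article) that approximates the scoring Microsoft documents for Azure AD Password Protection: the candidate password is lower-cased, common character substitutions are undone, every occurrence of a banned term scores one point, every remaining character scores one point, and the password is rejected below five points. The banned list and the substitution table are constructed for the example; the real global list is Microsoft's and is not published, and the service also performs fuzzy (one-edit) matching that is omitted here.

```python
# Added example: an approximation of banned-password-list scoring.
# The banned terms below are a constructed sample, not Microsoft's list.
BANNED_TERMS = ["password", "contoso", "welcome", "letmein", "spring", "summer", "blank"]

# Assumed substitution table: undo the common "leet" swaps so that
# "P@$$w0rd" normalizes to "password" before matching.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s", "!": "i",
})

MIN_POINTS = 5  # threshold used by the documented Azure AD scoring


def normalize(password: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score_password(password: str, banned=BANNED_TERMS):
    """Return (points, matched_terms) for a candidate password.

    Each non-overlapping banned term found in the normalized password is
    worth one point; each character not covered by a banned term is worth
    one point. Longer terms are matched first so "password" is not
    partially consumed by a shorter term.
    """
    norm = normalize(password)
    consumed = [False] * len(norm)
    matched = []
    for term in sorted(banned, key=len, reverse=True):
        start = 0
        while True:
            i = norm.find(term, start)
            if i < 0:
                break
            span = range(i, i + len(term))
            if not any(consumed[k] for k in span):
                for k in span:
                    consumed[k] = True
                matched.append(term)
                start = i + len(term)
            else:
                start = i + 1
    points = len(matched) + consumed.count(False)
    return points, matched


def check_password(password: str, banned=BANNED_TERMS):
    """Return (accepted, points, matched_terms) under the five-point rule."""
    points, matched = score_password(password, banned)
    return points >= MIN_POINTS, points, matched


if __name__ == "__main__":
    for candidate in ["P@$$w0rd", "C0ntos0Blank12", "Summer2024!", "Rain-Terrace-Oboe-91"]:
        print(candidate, check_password(candidate))
```

Note what the scoring does and does not catch: "P@$$w0rd" collapses to a single banned term and scores one point, while "Summer2024!" still passes with six points even though it is built on a banned season name. A banned list blocks the most predictable choices; it is the combination with multi-factor authentication and guess detection, as Margosis argues, that makes the remaining weak passwords survivable.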
He further states that periodic password expiration provides little to no extra benefit once a sensible organisation has already enforced banned-password lists, multi-factor authentication, detection of password-guessing attacks and detection of anomalous login attempts.
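Two of the controls listed above, detection of password-guessing attacks and detection of anomalous logins, are worth seeing in code. The following added example (written for this page, not taken from Microsoft or the original article) runs a small detector over constructed Windows Security log records: it flags a password spray (one source failing against many different accounts inside a time window), a brute force (many failures against one account), and the anomalous case of a successful logon from a source that was already spraying. The CSV-style input format, the event IDs 4625 (failed logon) and 4624 (successful logon), the IP addresses and the thresholds are all assumptions chosen for the example.

```python
# Added example: password-guessing and anomalous-logon detection over
# constructed Windows-style logon records (timestamp,source_ip,account,event_id).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real log output. 203.0.113.7 sprays one
# password across six accounts and then succeeds against "erin";
# 198.51.100.9 hammers "admin"; 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = "\n".join([
    "2024-05-01T08:00:01Z,192.0.2.5,alice,4625",
    "2024-05-01T08:00:09Z,192.0.2.5,alice,4624",
    "2024-05-01T08:01:00Z,203.0.113.7,alice,4625",
    "2024-05-01T08:01:20Z,203.0.113.7,bob,4625",
    "2024-05-01T08:01:40Z,203.0.113.7,carol,4625",
    "2024-05-01T08:02:00Z,203.0.113.7,dave,4625",
    "2024-05-01T08:02:20Z,203.0.113.7,erin,4625",
    "2024-05-01T08:02:40Z,203.0.113.7,frank,4625",
    "2024-05-01T08:05:00Z,203.0.113.7,erin,4624",
] + [f"2024-05-01T08:10:{s:02d}Z,198.51.100.9,admin,4625" for s in range(0, 30, 3)])

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def parse_log(text: str):
    """Parse the constructed CSV records into (timestamp, ip, account, event_id)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, event_id = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account.lower(), int(event_id)))
    return sorted(events)


def detect(events, window=timedelta(minutes=10), spray_accounts=5, brute_attempts=10):
    """Return alerts as (kind, subject, detail) tuples in the order they fire.

    Sliding windows are kept per source IP (distinct accounts failed) and per
    account (failed attempts). Each subject is flagged once; a later success
    from an already-flagged sprayer is reported as an anomalous logon.
    """
    failures_by_ip = defaultdict(list)      # ip -> [(ts, account)]
    failures_by_account = defaultdict(list)  # account -> [ts]
    flagged_ips, flagged_accounts, alerts = set(), set(), []
    for ts, ip, account, event_id in events:
        if event_id == FAILED_LOGON:
            recent = [(t, a) for t, a in failures_by_ip[ip] if ts - t <= window] + [(ts, account)]
            failures_by_ip[ip] = recent
            distinct = {a for _, a in recent}
            if len(distinct) >= spray_accounts and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append(("password_spray", ip, len(distinct)))
            attempts = [t for t in failures_by_account[account] if ts - t <= window] + [ts]
            failures_by_account[account] = attempts
            if len(attempts) >= brute_attempts and account not in flagged_accounts:
                flagged_accounts.add(account)
                alerts.append(("brute_force", account, len(attempts)))
        elif event_id == SUCCESSFUL_LOGON and ip in flagged_ips:
            alerts.append(("success_after_spray", ip, account))
    return alerts


def analyse(text: str = SAMPLE_LOG):
    return detect(parse_log(text))


if __name__ == "__main__":
    for alert in analyse():
        print(alert)
```

The per-IP window is the simplest view of a spray; real campaigns spread attempts over many source addresses, so a production detector also counts distinct accounts failing across the whole domain with the same bad-password substatus in the window. The "success after spray" rule is the piece that directly replaces what expiry was meant to do: it catches the guessed password at the moment it is used rather than hoping a scheduled rotation retires it first.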
“When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.”
– Aaron Margosis, principal consultant at Microsoft
As Margosis observes in the quote above, forced periodic password changes invite predictable human errors. The National Institute of Standards and Technology (NIST) reaches the same conclusion in its Digital Identity Guidelines special publication: users should not be required to change their passwords arbitrarily, and a change should be forced only when there is evidence that the password has been compromised.
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
– NIST SP 800-63B Section 5.1.1.2, paragraph 9
Regarding Margosis’ recommendation of multi-factor authentication, Auraya provides ArmorVox™, our next-generation voice identification and verification solution. With ArmorVox™, users can use their voice print as one of the factors in a multi-factor authentication setup by securely enrolling, verifying and authenticating their voice prints. By using machine learning algorithms to create speaker-specific background models, together with standard features such as impostor mapping, user accounts become more secure while the user experience stays seamless. ArmorVox™’s adaptability also makes it capable of being deployed on any platform and any device with a microphone.