Send Link mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://mailman.anu.edu.au/mailman/listinfo/link
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Link digest..."


Today's Topics:

   1. Re: The Naivete of Cloud-Using Organisations (Roger Clarke)
   2. Microsoft Passkeys (Stephen Loosley)


----------------------------------------------------------------------

Message: 1
Date: Sat, 14 Dec 2024 12:01:09 +1100
From: Roger Clarke <[email protected]>
To: link <[email protected]>
Subject: Re: [LINK] The Naivete of Cloud-Using Organisations
Message-ID: <[email protected]>
Content-Type: text/plain; charset=UTF-8; format=flowed

> On Friday, 13 December 2024 7:52:13 AM AEDT Roger Clarke wrote:
>  >> Organisations that choose to be dependent on remote services could 
> be expected to have fallback arrangements designed, trialled and at the 
> ready. These might take the form of alternative cloud suppliers.

On 14/12/2024 11:43, David wrote
> And those organisations should also take care to ensure there's no 
> common factor in their choice of suppliers.  It could be embarrassing 
> if, having paid lots to keep the alternative going for years on end, it 
> turned out that both cloud suppliers failed because they shared the same 
> comms outage, database bug, malware intrusion, political upheaval, or 
> whatever.  And that's a level of detail which is almost impossible to 
> identify.

Without checking, I think my work back then did indeed omit to mention 
common dependencies, hidden-single-points-of-failure, or suchlike.


> I don't think there's any answer to that conundrum, even in principle.  
> Organisational size & complexity is the issue.  The bigger they are, the 
> harder they fall.  So to speak...

Hmmm, metaphors get awkward, don't they.  'Cloudfall'?

At various times I've used 'computing clouds on the horizon', 'cloudy 
future' and 'cloudburst', even 'stormclouds', 'nimbus'.

I'm sure 'pyrocumulus' could be applicable at some stage too.

'cloutages' maybe?  'fog', 'mist', 'pall', 'mare's tales', ...


Sorry, but it's been a hard year and I need a break.


-- 
Roger Clarke                            mailto:[email protected]
T: +61 2 6288 6916   http://www.xamax.com.au  http://www.rogerclarke.com

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA 

Visiting Professorial Fellow                          UNSW Law & Justice
Visiting Professor in Computer Science    Australian National University


------------------------------

Message: 2
Date: Sat, 14 Dec 2024 13:57:20 +0000
From: Stephen Loosley <[email protected]>
To: "[email protected]" <[email protected]>
Subject: [LINK] Microsoft Passkeys
Message-ID: <sy5p282mb44094d8abf2f0a92dcfc72c5c2...@sy5p282mb4409.ausp282.prod.outlook.com>
Content-Type: text/plain; charset="Windows-1252"


Convincing a billion users to love passkeys: UX design insights from Microsoft 
to boost adoption and security

By Sangeeta Ranjit, Microsoft Group Product Manager
By Scott Bingham, Microsoft Principal Product Manager

December 12, 2024  
https://www.microsoft.com/en-us/security/blog/2024/12/12/convincing-a-billion-users-to-love-passkeys-ux-design-insights-from-microsoft-to-boost-adoption-and-security/


There's no doubt about it: The password era is ending. Bad actors know it, 
which is why they're desperately accelerating password-related attacks while 
they still can.

At Microsoft, we block 7,000 attacks on passwords per second, almost double from 
a year ago.[1] At the same time, we've seen adversary-in-the-middle phishing 
attacks increase by 146% year over year. 

Fortunately, we've never had a better solution to these pervasive attacks: 
PASSKEYS.  
https://www.microsoft.com/security/business/security-101/what-is-passkey

Passkeys not only offer an improved user experience by letting you sign in 
faster with your face, fingerprint, or PIN, but they also aren't susceptible to 
the same kinds of attacks as passwords. Plus, passkeys eliminate forgotten 
passwords and one-time codes and reduce support calls.

In this blog, we'll share how Microsoft approached this unique opportunity to 
bring passkeys to consumers.

Embracing the opportunity to improve sign-ins

In May 2024, Microsoft announced that you can sign in to your favorite consumer 
apps and services, such as Xbox, Microsoft 365, or Microsoft Copilot, using a 
passkey. Since passkeys are still a relatively new technology, as we began this 
journey, we asked ourselves: How are we going to convince more than a billion 
people to love passkeys as much as we do? 
https://www.microsoft.com/en-us/security/blog/2024/05/02/microsoft-introduces-passkeys-for-consumer-accounts/

Somehow, we had to convince an incredibly large and diverse population to 
permanently change a familiar behavior, and be excited about it.

To make sure we got our passkey experience right, we adopted a simple 
methodology: Start small, experiment, then scale like crazy. The results have 
been encouraging:

* Signing in with a passkey is three times faster than using a traditional 
password and eight times faster than a password and traditional multifactor 
authentication.

* Users are three times more successful signing in with passkeys than with 
passwords (98% versus 32%).

* 99% of users who start the passkey registration flow complete it.


Step 1: Start small

Our first step was to build support for passkeys that could work across our 
apps. In May 2024, we added a simple option to the Microsoft account settings 
page to enroll a passkey:

"Add a new way to sign in or verify" dialog box offering three options:

* Face, fingerprint, PIN, or security key: Use a device to sign in with a 
passkey (accompanied by a person and key icon).
* Use an app: Approve sign-in notifications on a phone (represented by a shield 
with a lock icon).
* Email a code: Receive a code via email to sign in (depicted with an envelope 
icon).

A "More choices" button is displayed at the bottom.

We also added a new option to authenticate with a passkey on our sign-in page:

"Microsoft Sign-in options" dialog box featuring three options:

* Face, fingerprint, PIN, or security key: Use a device to sign in with a 
passkey (accompanied by a person and key icon).
* Sign in with GitHub: Authenticate using a GitHub account (represented by the 
GitHub logo).
* Forgot my username: Assistance for recovering a username (depicted with a 
question mark icon).

A "Back" button is located at the bottom right.

As thousands of people began enrolling and using passkeys every day, we learned 
a lot. For example, while the term "passkey" was sometimes unfamiliar, the 
phrase "face, fingerprint, or PIN" was generally well understood, so it was 
important to connect these two concepts in our user experience (UX).


Step 2: Experiment

With a good foundation in place, we began to experiment. We didn't want 
passkeys to be "just another way to sign in." We wanted them to be "the best 
way to sign in."

To do this, we had to figure out when, where, and how to approach users to 
enroll a passkey. We developed a hypothesis that a passive approach (requiring 
users to visit their account settings on their own to enroll a passkey) would 
never yield the results we wanted, so we needed to proactively invite users to 
enroll a passkey.

When and where to nudge users

The most natural enrollment opportunity is when a user initially creates an 
account. But when and where would be the best time for existing users to create 
a passkey? Right after they sign in? During a password reset?

While we were cautious with any changes that might prevent our users from 
quickly accessing their accounts, we discovered that users were very 
enthusiastic about the invitation to enroll a passkey, even when they weren't 
expecting it. About 25% of users who saw a nudge engaged with it, five times our 
pre-launch expectations. We also learned that the option to create a passkey 
where users manage their credentials accounted for fewer than 1% of total 
enrollments. These results confirmed our hypothesis.  

How best to nudge users

As we began to understand where and when to invite users to enroll passkeys, we 
also explored "how." We ran multiple user studies and tested every pixel in our 
nudge screen to answer the question, "What would motivate a user to stop what 
they're doing and enroll a passkey?"

First, we wanted to understand which value proposition would resonate most. 
Surprisingly, an easier sign in didn't resonate with users as strongly as a 
faster or more secure sign in. Perhaps less surprising was discovering that 
security and speed resonated almost equally. Approximately 24% of users shown a 
message emphasizing security clicked through while approximately 27% of users 
shown messaging about speed clicked through.

Two screenshots of a Microsoft sign in page on a mobile device, each promoting 
the use of a passkey for signing in. The left screenshot highlights security 
with the text: "Sign in more securely with a passkey" and a security icon, 
showing a 24.07% increase in security. The right screenshot emphasizes speed 
with the text "Sign in faster with a passkey" and a speed icon, showing a 
26.93% increase in speed. Both screenshots include the email address 
[email protected] and options to "Skip for now" or "Next."

Figure 4. Messaging about "better security" and "faster sign-in" enticed more 
users to enroll a passkey than "ease of use."

If a user sees a nudge and chooses to enroll a passkey, great! But, if they see 
the nudge and decide that now isn't the right time, we wanted to frame their 
decision in a positive way. The button text, "Skip for now," respects that the 
user isn't ready to enroll a passkey yet and lets them continue with what they 
were doing, but it also sets the expectation that we're going to ask again. 
We're implementing logic that determines how often to show a nudge so as not to 
overwhelm users, but we don't let them permanently opt out of passkey 
invitations. We want users to get comfortable with the idea that passkeys will 
be the new normal.

A comparison of different options tested for deferring a prompt on a Microsoft 
sign in screen. The left side displays various buttons with text options such 
as "Later," "Not now," "Maybe later," "Skip," "No thanks," and "Skip for now." 
The right side shows a Microsoft sign in screen with the email address 
[email protected] and a prompt to "Sign in faster with a passkey." Below the 
prompt, there is an option to "Skip for now" highlighted with an arrow pointing 
to it, and to the right of that button, a "Next" button.

Figure 5. We don't let users permanently opt out of passkey invitations, but we 
keep the messaging friendly.

The exciting results of our experiments are helping us craft the best 
experience possible for our users, and we're continuing to evolve. We encourage 
you to run your own experiments as well. Your products and users are different 
from ours and you might discover different outcomes. However, if you're looking 
for a good place to start, messaging about speed and security is probably a 
safe bet. We also encourage you to reference the fantastic research that the 
FIDO Alliance has done, along with the UX guidelines they've published.


Step 3: Scale

As our users began to enroll passkeys at scale, our sign-in experience needed 
to behave more intelligently to encourage passkey use. As we redesigned the 
experience, we followed these guiding principles:

Secure: A great sign-in experience should prioritize security without 
sacrificing usability.

Low cognitive load: A great sign-in experience should have low cognitive load. 
People don't want to stare at a list of sign-in options to try to decide which 
one to use. They just want in, and we should make that easy for them.

Evolving: A great sign-in experience should not only prioritize the best 
available method, but also continuously move users to more secure methods.

With these principles in mind, we came up with a completely reimagined sign-in 
experience. If the user has a passkey available, it's always the preferred 
method. We don't list all the different ways the user can sign in and ask them 
to choose one, we just show the passkey sign in user interface (UI) and that's 
it. They are safely and quickly signed in.

A Microsoft sign in screen showing the options to log in with TouchID sign in.

Figure 6. The sign-in experience defaults to passkey if the user has one 
available.

If the user doesn?t have a passkey yet, we determine the next best available 
credential. Once the user successfully authenticates, we immediately invite 
them to enroll a passkey. If they do, then the next time they sign in, their 
passkey will be the best available credential and is set as the new default. 
Our initial launch of this new design saw a 10% drop in password use and a 987% 
increase in passkey use.

With data to support our design decisions, we've started setting defaults and 
introducing passkeys at a global scale:

* New users are invited to enroll a passkey when they create an account.

* Existing users are invited to enroll passkeys at key pivot points, such as 
after they sign in or during a password reset.

* Passkeys are set as the default sign-in option for users who have them.

Based on the current adoption rate, we project that hundreds of millions of new 
users will create and use passkeys over the coming months.


The passwordless journey

While enrolling passkeys is an important step, it's just the beginning. Even if 
we get our more than one billion users to enroll and use passkeys, if a user 
has both a passkey and a password, and both grant access to an account, the 
account is still at risk for phishing. Our ultimate goal is to remove passwords 
completely and have accounts that only support phishing-resistant credentials. 
https://www.microsoft.com/en-us/security/business/solutions/passwordless-authentication

In 2022, we made it possible for users to completely remove their password and 
sign in with alternative methods. Since then, millions of users have deleted 
their passwords and protected themselves against password-based attacks. Now 
with passkeys, we can truly replace passwords with something faster, safer, and 
easier to use. It's an ambitious vision, but we firmly believe in a 
phishing-resistant future for all scenarios, including account recovery and 
bootstrapping.

The image depicts the progression towards more secure authentication methods, 
illustrated as a mountain climb. Each milestone on the path up the mountain is 
marked by a yellow dot along a dotted line, and represents a step towards 
eliminating passwords in favour of more secure alternatives:

* Passwordless accounts
* Support passkeys
* Passkeys by default
* Passwords not supported
* Phishing-resistant credentials only

The summit is the ultimate goal of using only phishing-resistant credentials.


Learning from our experience

Here are a few suggestions based on our learnings:

Don't be shy about inviting users to enroll passkeys. Our experiments show that 
people love passkeys and are ready for them. If they don't enroll when you 
first ask, don't assume their decision is permanent. Make sure to test a few 
variations of your designs and copy to determine what's most effective. We 
found that messages around sign-in speed and improved security resonate 
strongly.

Make it as easy as possible to enroll and use passkeys. People want quick and 
secure access to their accounts. They don't want to think about signing in. Set 
defaults to prioritize the best available method when possible.

Raise the floor. Passkeys are an important step on the path towards a more 
secure and seamless authentication future. Start planning ahead now to use only 
phishing-resistant credentials.


Finally, we believe that passkey adoption is a virtuous cycle, and 
transitioning the world away from passwords is bigger than any one company. As 
more relying parties prioritize passkey support, passkeys will first become 
recognized, then familiar, then expected, everywhere you sign in. As people 
become increasingly familiar with the usability and security benefits of 
passkeys, they'll be more likely to enroll and use them on more sites. 
Together, we can convince billions and billions of users to enroll passkeys for 
trillions of accounts! We're proud to be part of this collective effort and 
hope you will share learnings as well as you progress in your passkey journey.

https://www.microsoft.com/security/business/security-101/what-is-passkey

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark 
the Security blog to keep up with our expert coverage on security matters. 
Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the 
latest news and updates on cybersecurity.

https://www.microsoft.com/en-us/security/business
https://www.microsoft.com/security/blog/
https://www.linkedin.com/showcase/microsoft-security/
https://twitter.com/@MSFTSecurity

[1] Microsoft Digital Defense Report 2024.  
https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Microsoft%20Digital%20Defense%20Report%202024%20%281%29.pdf

--
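Editor's note. The two claims in the forwarded post that matter most to a practitioner are that passkeys are not susceptible to adversary-in-the-middle phishing, and that an account stays phishable while a password still grants access to it. Both come down to checks a relying party (RP) performs on every passkey sign-in, so here is an added example, written for this digest and not code from Microsoft or from the blog post. It models WebAuthn assertion verification in Python: the RP ID (example.com), the allowed origins (login.example.com) and the attacker's proxy origin (login.example-com.evil.test) are hypothetical, and a constructed HMAC key stands in for the credential's asymmetric key (real passkeys sign with ECDSA P-256 or similar; use a library such as cryptography for that). The rest, the challenge, origin and rpIdHash checks over clientDataJSON and authenticatorData and the signed payload layout authenticatorData || SHA-256(clientDataJSON), follows the WebAuthn specification.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Relying-party configuration. Hypothetical names chosen for this example.
RP_ID = "example.com"                       # RP ID the credential was registered under
ALLOWED_ORIGINS = {"https://login.example.com", "https://example.com"}

# Stand-in for the credential's public key: a constructed symmetric key, so the
# example runs with only the standard library. A real passkey signs with an
# asymmetric key and the RP verifies with the stored public key instead.
CREDENTIAL_KEY = b"constructed-credential-secret-for-demo-only"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the *browser* builds it. The page cannot choose the
    origin field; the browser fills it in from the origin that called
    navigator.credentials.get(), which is what defeats proxy phishing."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def authenticator_sign(client_data_json: bytes, rp_id: str, sign_count: int) -> dict:
    """Simplified authenticator response for a sign-in ceremony."""
    auth_data = hashlib.sha256(rp_id.encode()).digest()    # rpIdHash (32 bytes)
    auth_data += bytes([0x05])                              # flags: UP | UV
    auth_data += sign_count.to_bytes(4, "big")              # signature counter
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"authenticatorData": auth_data,
            "clientDataJSON": client_data_json,
            "signature": sig}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """RP-side checks, in the order WebAuthn specifies them (simplified).
    Returns (accepted, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay or stale session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed (phishing / AitM proxy)"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def run_scenarios() -> dict:
    """Three constructed sign-in attempts against the same RP."""
    results = {}
    challenge = secrets.token_bytes(32)
    # 1. Genuine sign-in on the real origin.
    a = authenticator_sign(client_data(challenge, "https://login.example.com"), RP_ID, 1)
    results["genuine"] = verify_assertion(a, challenge)
    # 2. AitM phishing: the user completes the ceremony on a proxy page that
    #    relays the RP's real challenge. The browser binds the assertion to the
    #    proxy's origin and RP ID, so relaying it to the real RP fails even in
    #    real time. (In practice the browser refuses even earlier, because
    #    example.com is not a valid RP ID for the attacker's origin.)
    phish_cd = client_data(challenge, "https://login.example-com.evil.test")
    a = authenticator_sign(phish_cd, "example-com.evil.test", 1)
    results["aitm_relay"] = verify_assertion(a, challenge)
    # 3. Replay: an assertion captured for an old challenge is presented against
    #    a freshly issued one.
    a = authenticator_sign(client_data(challenge, "https://login.example.com"), RP_ID, 2)
    results["replay"] = verify_assertion(a, secrets.token_bytes(32))
    return results


def account_still_phishable(enabled_methods: set) -> bool:
    """The post's 'passwordless journey' point: the passkey does not help if a
    phishable method still grants access to the same account."""
    phishable = {"password", "sms_otp", "email_code"}
    return bool(enabled_methods & phishable)


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:12s} accepted={ok} reason={why}")
    print("phishable with password fallback:", account_still_phishable({"passkey", "password"}))
```

Scenario 2 is the mechanism behind the post's phishing-resistance claim: the attacker can proxy the page and relay the challenge, but not change what the browser writes into clientDataJSON or the rpIdHash, so a verified RP never accepts the relayed assertion. account_still_phishable is the other half of the argument: none of that matters if the attacker can simply ask the same account for its password or an emailed code.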


------------------------------



------------------------------

End of Link Digest, Vol 385, Issue 18
*************************************
