Press "Enter" to skip to content

Microsoft offers password less plus the StateRAMP verification

Microsoft has announced that users can remove passwords from the Microsoft account and go passwordless.   Signing in with Microsoft Authenticator, windows Hello, a security key, or an SMS or email verification code can be done instead.    

We may be a long way from passwordless future, however.  DuoLabs, the research team for DuoSecurity, reports that two factor authentication adoption is up.    79 percent of people said they have used 2FA, up from 53 percent in 2019.   That’s just used it — the report revealed 68 percent of people do not use 2FA on all applications where it is available.

Patch Tuesday for September looks a little brutal – more than 60 fixes and updates to come.    With the Apple zero-day this week too, researchers have indicated that the number of zero day vulnerabilities IS actually up.  It doesn’t just seem that way.  Looking at Project Zero, the number of zero days is at 44 this year alone, up from 25 last year, and the number has increased every year since 2018. 

StateRAMP, which is a group focused on tech and industry, released it’s first group of companies approved as cloud vendors.    It’s designed to be a state level process like FedRAMP, grading the security of federal vendors.     There are three statuses — “Ready,” indicating a product meets the minimum standards; “Provisional,” meaning the exceeds the minimum requirements; and “Authorized,” when a product satisfies all the security requirements and has a government sponsor.

Along with satisfying the StateRAMP standards, vendors must also comply with continuous monitoring to keep their status.

A bit more about ransomware gang tactics – the Grief ransomware is threatening to delete victim’s decryption keys if they hire a negotiation firm.    The Ragnar Locker gang last week threatened to automatically publish victims’ data if they contacted law enforcement or negotiation firms.    Their argument – the negotiators are only there to make money too.    This threat from Grief is a step further.

Why do we care?

Two areas I want to focus on from this.  First, I’m bullish on passwordless and changing the model for authentication, and Microsoft putting this stake in the ground is a big deal.  It’s optional… so the only way it becomes “A thing” is policy changes.  That’s where IT services companies come in.   

As an aisde, shame my Xbox 360 login won’t work – that’s actually noted among a handful of old tech that will be left behind.       

My second area of focus is that StateRAMP development.    Thematically, it’s more action at the state rather than federal level, and why we care is that state governments are a whole lot more like small businesses.    Grading security of vendors at this level is a resource IT services providers care about – it’s a system of assurances.   MSPs should be learning this.