Microsoft is taking a step towards retiring passwords, now letting users completely remove passwords as a way of logging in to their accounts.
It’s been years in the making, but the rise in attack surfaces with remote work and the surge in digital transactions through the pandemic pushed the company to move on it.
After introducing passwordless sign-in for commercial accounts earlier this year, individual, non-business Microsoft accounts can now be accessed by means other than a password, the software giant has announced.
“They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives—from email to bank accounts, shopping carts to video games,” said Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity.
In their place, there are a few other options: the Authenticator app, Windows Hello, a security key, or a verification code sent to a phone or email, any of which can be used instead to sign in to email on Outlook, OneDrive and other services.
However, some older products and devices, including older versions of Office, Windows and the Xbox 360, can’t enable this technology and will still require password access.
To go passwordless, once the Authenticator app is installed and linked to a personal Microsoft account, it’s a matter of following the steps in the Microsoft account security settings.
Once password access has been removed, it can always be reinstated, Microsoft said.
Microsoft: the future is here, and it’s passwordless
Stolen passwords enabling hackers to obtain identity credentials; the never-ending headache of updating passwords; the constant battle to remember and safely store logins.
There are a lot of reasons to find passwords a pain – and plenty of reasons to look for alternatives.
Such is the pain of having to come up with new passwords that, in a Microsoft poll run on Twitter, one in five people said they would rather suffer the embarrassment of accidentally hitting “reply all” and sending a message to an entire group than reset a password.
“Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second—that’s 18 billion every year,” Jakkal said.
Microsoft deemed 2020 its breakthrough year for logins without passwords, with a host of developments across business services, starting with seamless sign-in for Windows 10 devices in Hybrid Azure Active Directory (Azure AD).
It enabled Azure AD to use security keys through the Fast Identity Online (FIDO) security specification, FIDO2.
It also showed off the passwordless wizard available through the Microsoft 365 Admin Center.
Microsoft said there are more than 150 million total passwordless users across Azure Active Directory and Microsoft consumer accounts, and the number of consumers using Windows Hello to sign in to Windows 10 devices instead of a password grew to 84.7 percent from 69.4 percent in 2019.
Hoping to build on this, the company plans to launch new UX and APIs for managing FIDO2 security keys to enable custom tools and release a single registration portal to manage passwordless credentials via the My Apps portal.
Microsoft has also been recognised by Gartner as a leader in identity and access management (IAM).
So serious is Microsoft about the vulnerabilities of passwords and the need for alternatives that it’s hosting a virtual event on why it’s necessary to replace passwords as the primary means of authentication.
“Given the vulnerability of passwords, requirements for them have gotten increasingly complex in recent years, including multiple symbols, numbers, case sensitivity, and disallowing previous passwords,” Jakkal said.