Microsoft, Google, and Apple want you to say farewell to passwords

Microsoft Authenticator Passwordsync Ios (Image credit: Daniel Rubino / Windows Central)

What you need to know

  • Alongside Apple and Google, Microsoft announced support for an expanded FIDO standard that will help people go passwordless.
  • Soon, people will be able to sign in to services and websites using passwordless authentication across all major platforms.
  • Windows, iOS, Android, and macOS devices will work with passwordless login, as will Edge, Chrome, and Safari.

Yesterday, May 5, 2022, was World Password Day. In an ironic celebration, Microsoft commemorated the day by helping people move away from passwords altogether. The company announced support for the expansion of a passwordless standard created by the FIDO Alliance and the World Wide Web Consortium. Apple and Google also announced support for the standard, which is a major step forward toward a passwordless future.

Passwords can be stolen or phished out by attackers. Microsoft argues that it's more secure to use multi-device FIDO credentials. These are also referred to as passkeys and allow people and organizations to shift away from insecure passwords.

The idea is that people will be able to verify their identity by logging into a physical device, such as a smartphone. This could be done with a fingerprint, face unlock, or a PIN and used to log in to websites and services, all without requiring a password.

Microsoft highlighted in a Tech Community post that biometric information never leaves a device. "Passkeys are a safer, faster, easier replacement for your password. With passkeys, you can sign in to any supported website or application by simply verifying your face, fingerprint or using a device PIN," added the company.

It's already possible to use Windows Hello to sign in to sites that support passkeys. Soon, people will be able to sign in to their Microsoft account with a passkey using an Apple or Google device.

The cross-device and cross-OS support of passkeys is — ahem — key to the operation. "With passkeys on your mobile device, you're able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running," said Microsoft vice president for security, compliance, identity, and privacy Vasu Jakkal in a statement to the Verge. "For example, users can sign-in on a Google Chrome browser that's running on Microsoft Windows—using a passkey on an Apple device."

Alongside its support for the FIDO standard, Microsoft announced new capabilities to help enterprises go passwordless. Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure all support passwordless login in preview builds of Windows 11. It's also on the way to Windows 10.

Microsoft Authenticator will soon support using multiple passwordless accounts. The capability will ship to iOS devices this month and to Android users in the future.

Microsoft has pushed people to go passwordless for five years. The company shared that 240 million people now sign in to Microsoft services each month without using a password. 330,000 people have removed their passwords from their Microsoft accounts in the past six months as well.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

25 Comments
  • "You'll be more secure if you let us handle everything for you." No... I don't think so.
  • Yea that's not how it works but sure you can wear your tin foil hat and get your creds stolen easier by not using passwordless technologies.
  • From corporate systems being hacked, yes. From me--directly, no.
  • I mean your local computer is easily cracked if you have physical access but that isn't what this technology is for primarily. This is referring to systems that you login to such as web apps and such so your statement doesn't make sense because those are the areas you would want the most security since they could be accessed from everywhere.
  • You realize that the company that you are logging into also has your password, right?
  • One would hope. No... wait, they may not actually have the password itself at all; they should, though, be able to parse what I enter as the correct password... or not. Not quite the same thing.
  • Yes anywhere that you use a password has that password saved within a database unless you are using an identity provider (idp) then you use the credentials of the idp to login to the application. The idp still has your password saved in a database somewhere unless you are using passwordless technology. If you're using passwordless then you use multifactor to generate a temporary access token that authorizes you into the application for a certain period of time once that time is up you'll need to reauthenticate using the passwordless technology again. So again I don't see how that's the company managing your password it's more about providing a secure path to allow you into an application without actually exposing a password. (you are exposing your password anytime you type it in btw)
  • The password is being saved as an encrypted key. So, the company does not actually have your password but a long string of something. Even for these large companies it would take a lot of time and power to decrypt it. Not often are individuals interesting enough to put that effort into it.
  • I don't have a MS account and even if I did, I have no hardware on my computer to be able to use a passwordless system. I do use office 365 for work and we use passwords for that.
  • If you have a keyboard, you have the hardware. You can use a PIN for Windows Hello, and PIN is one of the options mentioned in the article.
  • Contrary to popular belief a PIN is just a password. The only difference is they are significantly easier to crack due to a reduced number of possible options.
  • Not really, the PIN never leaves the local pc, whereas the password is being transferred over the web (in an encrypted form). So, without physical access to the pc the PIN is useless.
  • That is not true at all actually. Yes pins are easier to crack from a length perspective but the point of using a windows hello pin is that it is used to generate an access token instead of exposing your password by typing it in. Also pins are machine specific so even if you do crack them they can't be used on another pc.
  • I always thought the pin could only be used with an MS account, mainly because I have only set a pin up a couple of times on other people's machines, and they have an MS account. But today I have done a bit of mucking around and realised a pin can be used for a local account as well. I have made another account on my computer, made that an Admin and changed the one I normally use to a normal account. So nothing can be installed now without a password, but still have no need for a password on my normal account for normal use. Hopefully. Even so, the pin doesn't work to access websites, so passwords are still required.
  • You can also use a fido key like yubikey which is USB.
  • But that is extra hardware, and these things are not cheap, looking at around £40, ok there is one available for around £26, but it looks like it would break in half.
  • No they are metal cored not easy to break.
  • They still look flimsy, certainly with the exposed USB connector
  • I've tried using FIDO in the past, and it hasn't worked for me at all. The moment you need more than one account/email address (personal, family, work, throwaway, etc.) it completely breaks. They assume that everyone will only ever use one account for everything. To cut down on spam, I use a unique email address with every web site (that way I can completely block anyone who shares/leaks a particular address). That doesn't work at all with FIDO. It actually gets in the way because sites which support it think I want to use my FIDO account and that just isn't true. I have to go way out of my way to log in because of it. We can't have a single point of failure, or one single master account, with authentication. When someone figures out how (and they will) to get into one account all of a sudden they have access to everything. And this does absolutely nothing to prevent leaks of email addresses or other personal information from sites that are either unscrupulous or whose security is lackluster.
  • That's why in the article it said they were working on multiple accounts for passwordless sign in.
  • I'm already using passwordless sign in, so satisfying to see those failed login attempts from around the world with "Incorrect Password"
  • Perfect, come use our new password/passkey/passpin/passlock system, it's secure. We already read the credentials of 240 million people who signed in since launch. But it's safe.
  • Like contactless credit/debit cards, so secure, until you lose it and someone can use it in shops as there is no way to stop them.
  • As soon as you lose your card then disable it. I had that problem a couple of months ago.
  • You can't disable it, you can report it lost, but even then I heard that money can still be taken out for a few days after.
    Best is not to have a contactless card and if your bank carries on sending them, like mine does, stick a hole in the antenna, then it will become a normal card. My debit card doesn't work as contactless now.
    My credit card does, but I don't take it out of the house.