What you need to know
- Microsoft will allow people to remove passwords from their Microsoft account.
- People will be able to securely sign in to accounts with the Microsoft Authenticator app, Windows Hello, a security key, or two-factor authentication.
- Microsoft explains that passwords are often insecure and repeated across several websites and services.
Microsoft has marched towards a passwordless future for years. That march took a significant step today when Microsoft announced that people will be able to remove passwords from their Microsoft account. To secure accounts without a password, people will be able to use the Microsoft Authenticator app, Windows Hello, a security key, or two-factor authentication. The option will roll out over the coming weeks.
Passwordless authentication started rolling out to commercial users back in March. Microsoft states that 200 million commercial customers already use the passwordless option. Many of Microsoft's own employees are passwordless as well. "We have been rolling this out at Microsoft and nearly 100 percent of Microsoft is now passwordless," said Vasu Jakkal, corporate vice president for Microsoft Security, Compliance, Identity, and Management, in a blog post.
Microsoft explains the common risks associated with passwords in a Tech Community post. Many people choose weak passwords and reuse them across services and websites, so a password leaked in one breach can be replayed against every other account that shares it. This leaves individuals more open to attacks from threat actors.
"We are expected to create complex and unique passwords, remember them, and change them frequently, but nobody likes doing that either. For the past couple of years, we've been saying that the future is password-less, and today I am excited to announce the next step in that vision," said Jakkal.
To remove the password from your Microsoft account, open the Advanced Security Options page for the account and select Passwordless Account. Prompts will then guide you through removing the password. Another sign-in method, such as the Microsoft Authenticator app, has to be linked to the account first, since the account needs a way to sign in before the password can go.
We have a complete guide on how to set up two-factor authentication on a Microsoft account if you're new to Microsoft Authenticator.
Microsoft adds that it is working on a way to eliminate passwords for Azure AD accounts as well. Admins will be able to choose whether passwords are required, allowed, or removed entirely for specific users.
Sean Endicott is the news writer for Windows Central. If it runs Windows, is made by Microsoft, or has anything to do with either, he's on it. Sean's been with Windows Central since 2017 and is also our resident app expert. If you have a news tip or an app to review, hit him up at email@example.com.
This would seem to be an issue for using SMB shares. In fact, I tried installing Windows using Windows Hello only, and couldn't get shares to work until I logged on using my password.
I mean, I get it, but the whole "we made your account more secure by getting rid of your password" still makes me cringe at first thought. Just 20+ years in IT and hearing "there's no password" makes me want to smack someone :)
But I do understand using something like Authenticator to get you into your PC. Like using 2-step but skipping the first step.
Now, how will this work with legacy hardware/software that doesn't let you log into your MS account without a password?
I just completed the password removal and I like it. I have just tested four of my devices, a couple of them using facial biometrics, the other two using the Authenticator app.
What I don't know is how I log in when a given device is not connected online at all (I'll deal with it when that happens).
If I temporarily lose my phone, how do I log in to my devices that have no biometric login means? Would PIN usage still work?
"If I temporarily lose my phone, how do I log in to my devices that have no biometric login means? Would PIN usage still work?"
It's like Google where you can choose different methods including SMS or email to get a code. It just defaults to the 2FA app.
Yes, pin usage should still work.
That's well and good. What happens when the authenticator app doesn't receive tokens or generates a code that is not recognized by the service? I've got this issue with all my accounts now with the Microsoft Authenticator App Beta (as that supported push confirmations on my 950XL). It's going to take me ages to remove the authenticator app (2FA) and re-add it to all my accounts.
"That's well and good. What happens when the authenticator app doesn't receive tokens or generates a code that is not recognized by the service?"
Then you choose to have a temp code emailed or texted to you. This is all under "Ways to prove who you are" under your Microsoft security settings. You can also create temp one-use "app passwords" where 2FA/codes don't work. That's been around forever.
Anything *can be* insecure if you handle it improperly. Companies not properly securing their servers is a significant problem for users; this includes not keeping maint. and fixes up-to-date as well as poor encryption of accounts and passwords. As to users who choose to reuse passwords across multiple sites, so be it--the onus is on them way more than the entire concept of passwords. I don't reuse passwords--ever, so I'll keep using passwords rather than rely on SMS-based 2FA or having to buy some device or service to "better secure" some account(s).
"the onus is on them way more than the entire concept of passwords."
Sure, and it'd be nice if computers weren't on networks where one person's security failings could be a backdoor to affect the rest of the company. We don't live in that world, hence why MS is pushing this.
"rather than rely on SMS-based 2FA"
It can be app-based 2FA or even your email account. SMS 2FA is actually not a great idea.
"so I'll keep using passwords"
The choice is always up to the user.
What happens if your phone died and you had to get a new number? Especially if your only email is Microsoft and you don't have a secondary?
Then you need to contact Microsoft support. And maybe rethink how bad your life is going at that moment to lose so much personal information. Why would you need a new number if your phone "died?" I don't follow.
"Especially if your only email is Microsoft and you don't have a secondary?"
Sign up for a secondary email from someone for free 🤷♂️ Maybe try Google and get a Google Voice number, which solves your other hypothetical. Of course, you could just use a password. But what happens if you fall and hit your head and lose your memory?
I remember a few years ago, when people who changed their phone or phone provider got a new number, people were always saying "I have a new phone, so I have a new number." It was a pain in the neck. Thankfully things are a lot better these days: if people change from one network to another they can move their numbers over with ease. I have had the same number for over 15 years, and that with a few network changes, not that I am in any rush to move networks now. While I don't have an MS account, if I did, it seems more hassle to go passwordless than to use a password or a PIN.
"While I don't have an MS account, if I did, it seems more hassle to go passwordless than to use a password or a PIN."
You still need/use a PIN per device as it is needed for Windows Hello. I assure you, removing a password is much easier than remembering a 20-digit one or opening your PW manager to go fetch it. Of course, you could have an easy-to-remember 7-digit password, but that's exactly the problem this tries to solve, as that PW is not secure.
I use a password manager. I've gotten good at it. All the sites I visit have unique passwords generated by the password manager I use. I'm wondering how this new feature is going to affect the password manager marketplace?
Well in your case you can most likely use a sonic screwdriver. Jelly baby? :-)
Last I tried, I did not get any option to log in to my Xbox one without password. Is that fixed now?
I much prefer a stateless password manager that doesn't store anything anywhere.
Just went password less on my main accounts. Don't fail me authenticator!