Microsoft's righteous attack on passwords to march ahead in 2021

Windows Hello on Razer Blade Stealth (Image credit: Daniel Rubino / Windows Central)

What you need to know

  • Microsoft is working towards a future without passwords, as highlighted by a new blog post.
  • Passwords can create security risks and be difficult to remember.
  • Microsoft supports a wide range of passwordless technology.

Microsoft has worked for years to move towards a future without passwords, or at least with significantly fewer of them. Windows Hello lets people sign in to their devices without a password, and Microsoft works with several partners so that people can use devices without passwords. A new blog post from Microsoft highlights some of the major steps forward in 2020 for passwordless technology and where the tech is headed in 2021.

Microsoft's post argues that passwords create security risks and are a hassle to use, and it cites several indicators that passwordless adoption is on the rise:

  • Passwordless usage in Azure Active Directory is up by more than 50 percent for Windows Hello for Business, passwordless phone sign-in with Microsoft Authenticator, and FIDO2 security keys.
  • More than 150 million total passwordless users across Azure Active Directory and Microsoft consumer accounts.
  • The number of consumers using Windows Hello to sign in to Windows 10 devices instead of a password grew to 84.7 percent from 69.4 percent in 2019.

According to the World Economic Forum, an estimated 80 percent of cybercrime attacks are directed at passwords. To help people move away from passwords, Microsoft works with companies like YubiKey, HID Global, Trustkey, and AuthenTrend. In February, Microsoft also rolled out preview support of Azure Active Directory for FIDO2 security keys.

In 2021, Microsoft plans to release a converged registration portal, which allows people to manage passwordless credentials through the My Apps Portal.

If you want to add biometric security to your PC and move away from passwords, you can pick up a Windows Hello-compatible webcam or fingerprint reader.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

8 Comments
  • I wouldn't call biometric security "righteous" at all. It's a legitimate privacy invasion. If that kind of data is stolen, it's not something you can change like a password--if they steal hashes of biometrics, you can't change your eyes or fingers. It's a major trust to give biometric info to companies without a real fallback for when things go wrong. We've yet to see the kind of damage such a breach can cause. Microsoft's biometric stuff has worked really well so far, at least. We've seen, though, that such things can be cheated and gotten around, like with smartphone fingerprint sensors and 2D camera security on phones. I'm fine sticking with traditional passwords for now. Attacks on passwords are usually aimed at people who don't think through security before clicking links or giving passwords to "trustworthy" people trying to help them. Social engineering is the bigger issue, not that passwords themselves cannot be protected.
  • "It's a major trust to give biometric info to companies "
    Let's correct this: at no point do you "give biometrics" to Microsoft. That never happens. Biometrics doesn't leave the device EVER. It's not on the cloud. Microsoft has been very clear on this since 2015 with dozens of papers/articles/talks on the topic and being very transparent on how it all works. Biometric info is encrypted and stored locally on whatever device it was registered on. From Microsoft themselves:
    "The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor." "Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file."
    From another article:
    "That’s why Microsoft and other security companies in the Fast IDentity Online (FIDO) Alliance developed the FIDO2 standard to raise the bar for securing credentials. Rest assured, Microsoft uses FIDO2-compliant technology that does NOT view, store, or transfer ANY biometric images."
    When a user creates a biometric sign-in, Windows Hello uses an algorithm to create a unique identifier that is stored locally on the device, encrypted and secured, and never shared with Microsoft. Each time a user signs in, the biometric is compared against the unique identifier. If there is a match, the user is authenticated to the device. So, I'm really confused what you mean exactly by "legitimate privacy invasion." Can you elaborate?
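The architecture the comment above describes (a template that never leaves the device, a credential the server can verify without holding any biometric data) can be modelled in a few dozen lines. The following is an added example, not Microsoft's code or any Windows Hello internals: the biometric "template" is a constructed tuple matched by exact comparison (a stand-in for a real matcher), the device's key is a small Schnorr key pair over a freshly generated safe-prime group (toy 128-bit parameters, not production strength), and the server stores only the public key and issues a fresh random challenge per sign-in. The `Device`, `Server` and `demo` names are assumptions for the illustration.

```python
# Added example (not Microsoft's code): a toy model of device-bound,
# passwordless sign-in. The "template" is a constructed tuple matched by
# exact comparison, and the signature is a small Schnorr scheme over a
# freshly generated safe-prime group (128-bit, toy parameters only).
import hashlib
import secrets

SMALL_PRIMES = [n for n in range(3, 2000, 2)
                if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for sp in SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=128):
    """Safe prime p = 2q + 1; g = 4 is a quadratic residue, so it generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def _challenge_hash(p, q, r, msg):
    """Hash of the commitment r and the server's challenge, reduced mod q."""
    nbytes = (p.bit_length() + 7) // 8
    digest = hashlib.sha256(r.to_bytes(nbytes, "big") + msg).digest()
    return int.from_bytes(digest, "big") % q


class Device:
    """Holds the template and the private key; neither is ever returned."""

    def __init__(self, group):
        self.p, self.q, self.g = group
        self._template = None
        self._private_key = None

    def enroll(self, sample):
        self._template = tuple(sample)
        self._private_key = secrets.randbelow(self.q - 1) + 1
        return pow(self.g, self._private_key, self.p)  # the public key is all that leaves

    def sign_challenge(self, sample, challenge):
        if tuple(sample) != self._template:
            return None  # local match failed: the private key stays locked
        k = secrets.randbelow(self.q - 1) + 1
        r = pow(self.g, k, self.p)
        e = _challenge_hash(self.p, self.q, r, challenge)
        return e, (k - self._private_key * e) % self.q


class Server:
    """Stores only public keys; it never sees a template or a private key."""

    def __init__(self, group):
        self.p, self.q, self.g = group
        self.public_keys = {}

    def register(self, user, public_key):
        self.public_keys[user] = public_key

    def new_challenge(self):
        return secrets.token_bytes(32)

    def verify(self, user, challenge, signature):
        if signature is None or user not in self.public_keys:
            return False
        e, s = signature
        y = self.public_keys[user]
        r = (pow(self.g, s, self.p) * pow(y, e, self.p)) % self.p  # g^s * y^e == g^k
        return _challenge_hash(self.p, self.q, r, challenge) == e


def demo():
    """Returns (genuine accepted, impostor accepted, replay accepted, what the server stored)."""
    group = make_group()
    device, server = Device(group), Server(group)
    enrolled = (12, 87, 43, 201)  # constructed stand-in for a biometric template
    server.register("alice", device.enroll(enrolled))
    challenge = server.new_challenge()
    genuine = server.verify("alice", challenge, device.sign_challenge(enrolled, challenge))
    impostor = server.verify("alice", challenge, device.sign_challenge((12, 87, 43, 200), challenge))
    stale = device.sign_challenge(enrolled, challenge)
    replay = server.verify("alice", server.new_challenge(), stale)
    return genuine, impostor, replay, dict(server.public_keys)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` accepts the enrolled sample, rejects the mismatching one (the key is never used, so nothing is signed) and rejects a signature replayed against a new challenge; the only thing in the server's store is an integer public key, which is the point the comment makes about where biometric data does and does not live.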
  • "biometrics doesn't leave your device ever"
    This does not mean you did not give them your passwords. They have access to your app and PC at any point, illegally or legally, through updates. It's like using those popular third-party clone hard drive tools that claim they only give you an exact replica of your file system without malware. I never used password apps from any company except, reluctantly, the built-in password manager in Edge.
    Many years before that I stored them in outlook notes.
    I don't even allow Google to save passwords to Google accounts on Android.
  • >> "Attacks on passwords are usually aimed at people who don't think through security before clicking links or giving passwords to "trustworthy" people trying to help them." That's true, but you're not going to get all humans everywhere to play ball. For the safety of everyone, nudging people to use passwordless machine-generated keys is better, directly addressing your point. Biometric security is one way to do this. >> "It's a legitimate privacy invasion." "Social engineering is the bigger issue, not that passwords themselves cannot be protected." Dude, you lost me. Also please read Daniel Rubino's comment here - it makes a really important point.
  • Okay. Let's see how much effort they put into it this time, because I seem to be the only one to remember their pre-Windows 10 launch promises of some kind of universal biometric system to replace passwords. Sound awfully familiar? 2015.
  • It still exists, it's just standardized U2F/FIDO/FIDO2 now. I'm not sure what Microsoft's initial version was on launch, since I don't think FIDO2 existed yet (U2F/FIDO was Google's own thing). Eventually, once FIDO2 was standardized, Microsoft either canned their thing or just folded what they'd done into their FIDO2 implementation. So if I go to any Microsoft website (on a supported browser; UWP apps that haven't updated built-in browsers likely won't work), I can log into my account using just my security key or my face. I had to turn it on, but it's great. AFAIK Microsoft's website is the only one that completely supports passwordless FIDO2 without even having to enter a username. Most other websites I've found still use the security key as a second factor, and I don't think they support Windows Hello. It will likely be a while until we see it, since a lot of browsers only got full support early this year or late last year (if my memory is correct), and companies are slow because why improve things if you can still get money out of people. Just wish I could use my YubiKey to log in to my Windows computer (natively, not any of the weird admin tools YubiKey provides).
  • They can try to get rid of passwords, but they are not going to succeed.
  • They will likely restructure the company and cancel development of this like they do often when they have all this free time and don't know what to do with it.