
Microsoft Makes All New Accounts Passwordless As of May 1, Pushes Biometric Passkeys

As of the beginning of May, those signing up for a new account with a Microsoft service may have noticed that they were not asked to set a password. Microsoft has formally gone passwordless across its services, and while it offers users a selection of “several” alternatives, its most direct push is for them to use a passkey.

These passkeys are stored on the user device and can be protected by facial recognition, fingerprints or a PIN. Microsoft is offering several alternatives, but these generally fall within its own sphere of software (such as Windows Hello and Microsoft Authenticator). Pre-existing accounts can continue using their passwords, but are being given an option within the services to delete it and switch to one of the new passwordless methods.

Passwordless push launched on World Password Day

Users are given a choice of passwordless options upon creating a new account, but will then be prompted to enroll a passkey. The passkeys are cryptographic credentials stored on the user’s device and are unlocked with biometric facial recognition, a fingerprint or a PIN. That last option might not sound much more secure than an email password at first glance, but a device PIN generally requires six to eight digits, weak patterns such as sequential numbers are forbidden, and devices generally allow only a few attempts at a time before imposing a “cooldown” period.
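The PIN protections described above (length bounds, rejection of weak sequences, and a cooldown after a handful of failures) are easy to reason about as code. The following is an added example, not Microsoft’s or Windows Hello’s implementation: the six-to-eight-digit range comes from the article, while the five-attempt threshold and 30-second cooldown are constructed assumptions.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Callable

MIN_LEN, MAX_LEN = 6, 8       # digit range the article describes
MAX_TRIES = 5                 # constructed lockout threshold (assumption)
COOLDOWN_SECONDS = 30.0       # constructed cooldown length (assumption)

def pin_policy_violations(pin: str) -> list:
    """Return the rules a candidate PIN breaks; an empty list means it is acceptable."""
    problems = []
    if not pin.isdigit():
        return ["non-digit characters"]
    if not MIN_LEN <= len(pin) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} digits")
    if len(set(pin)) == 1:
        problems.append("all digits identical")
    # A run of +1 or -1 steps (123456, 87654321) is the weak sequencing the article mentions
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        problems.append("sequential digits")
    return problems

@dataclass
class PinGate:
    """Checks PIN attempts and enforces a cooldown after MAX_TRIES failures."""
    correct_pin: str
    clock: Callable[[], float] = time.monotonic   # injectable so tests can move time
    failures: int = 0
    locked_until: float = 0.0

    def try_pin(self, attempt: str) -> str:
        """Return 'ok', 'wrong', 'locked' (this failure started a cooldown) or 'cooldown'."""
        now = self.clock()
        if now < self.locked_until:
            return "cooldown"      # attempt ignored, counter not advanced
        if hmac.compare_digest(attempt.encode(), self.correct_pin.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_TRIES:
            self.failures = 0
            self.locked_until = now + COOLDOWN_SECONDS
            return "locked"
        return "wrong"
```

A real implementation would compare against a hardware-protected secret rather than a plaintext PIN; the gate logic is what the example isolates.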

Microsoft claims that its new passwordless methods reduce password use by over 20% and result in users signing in faster. The company added passkeys as an option for personal accounts, along with a password manager for Windows Hello, early last year, but users were not necessarily warned that these methods might become mandatory for creating new accounts in the near future. At the moment, support for third-party authenticator apps is also patchy. New accounts are not required to use Microsoft Authenticator, but the company has yet to fully add support for other popular apps such as Authy and Google Authenticator. Those using unsupported methods may be unable to access their account or may encounter limitations, such as being unable to remove the password from a pre-existing account.

The company has not announced any timeline for full removal of password support for existing accounts, but has expressed a desire to “eventually remove passwords altogether” once enough users switch over to passkeys or alternate methods. However, the rate of uptake remains to be seen; passkeys have generally received good reviews for security, but poor reviews for usability.

Consumers not necessarily ready for passwordless future

There remains some debate about whether passwordless systems are more secure than passwords, but the approach has strong evidence on its side. The bigger question is usability, where it may not quite be ready for prime time.

One of the central arguments for passkeys has been that they would simplify people’s internet experience, no longer requiring them to juggle potentially hundreds of different logins that all ideally have unique passwords. However, the less technical users that passwordless systems are supposed to serve best are among those most likely to encounter difficulties with them.

One simple issue is adoption; you can’t use passkeys all over the web just yet, and the Microsoft case illustrates that sometimes you need a proprietary passkey for a particular service. And those sites that do support passkeys sometimes require that users only use particular web browsers. Interfacing between passkeys and password managers (which might make this process simpler) is also far from perfect and still full of limitations. All of this adds up to a lot more downloading of apps, a lot more configuring and experimenting, and a lot more points of technical confusion. Trying to sync across multiple device types just makes the whole thing more of a headache.

There is also the question of what happens if the device the passkey is stored on is lost, stolen, damaged or just stops functioning. In this case, Microsoft’s passwordless system essentially requires you to stay in their software garden by backing the key up to a personal Microsoft account. The other option is the extra expense of purchasing a physical device such as a YubiKey, though that might also end up lost or damaged.

There is a push for passwordless systems across most of the major tech players, but Microsoft is thus far the most aggressive about requiring it. Apple and Google both introduced passkeys as an option in 2022, but so far neither requires them for new accounts nor has announced any plans to do so.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, notes that endemic password-guessing may force more companies to move in a passwordless direction: “I think this is an encouraging decision by Microsoft, long overdue. My personal O365 account is under heavy password guessing attacks by hackers and bots around the world. It’s scary to see how many times hackers are trying to guess my password…and to be honest, I’m more than a little shocked that Microsoft was not proactively warning me about it. I got a warning about “unusual activity” on my O365 account when I was logging in from Calgary, Canada, where I was visiting for a business conference. Microsoft asked me to review that activity, and when I went to my admin console to review that legitimate login, I saw hundreds of other recent password guesses against my account from all over the world. It was shocking. I wondered why Microsoft was not warning me about it, even though I use strong passwords. It must be because what’s going on to my account is so normal and routine that it doesn’t meet the criteria of warning me. I updated my O365 password to an even stronger one even though I was not breached. Microsoft did automatically offer me a passkey version as well, and that’s good, but FIDO passkeys, as great as they are (compared to passwords) are still not well-managed at the enterprise level. FIDO needs to get enterprise and cross-platform management figured out better…which they are working on. But if it isn’t done soon and well, managing your FIDO passkeys could be as big a problem as managing your passwords. But still, I applaud what FIDO created and passkeys are more secure than passwords. I would also like to see Microsoft (and Google and every other vendor) more strongly push phishing-resistant forms of MFA and authentication. FIDO passkeys are phishing-resistant, which is exactly why I love them and FIDO. But Microsoft (and Google, and Duo, and most other vendors) still push very phishable forms of authentication that are barely any better than the passwords they were designed to replace. Microsoft allows admins to require phishing-resistant forms of MFA, but doesn’t require them to. And I get it, 90% of the world uses phishable forms of MFA and moving them to phishing-resistant forms of MFA and authentication isn’t easy. Customers are resistant. Still, a customer using or going to a phishable form of MFA or authentication is not ideal. It’s a lot of work for a false sense of security. I wish Microsoft (and Google, and Duo, and other vendors) more strongly advocated for and pushed phishing-resistant forms of authentication. We are years past when we should have already done so. The MFA industry, in general, has let customers down by allowing them to select and use phishable forms of MFA and authentication, especially when there are many phishing-resistant forms.”
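Grimes’ account of hundreds of guesses from around the world going unflagged, while a single legitimate login from a new location did trigger a warning, is the kind of pattern an account owner or admin can look for in sign-in telemetry. The following is an added example, not code from Microsoft or KnowBe4: it runs a simple distributed-guessing detector over constructed sample sign-in records, and the record format, addresses and thresholds (five failures from three or more sources within an hour) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry):
# "<ISO-8601 time> <account> <source IP> <result>"
SAMPLE_LOG = """\
2025-05-02T08:00:01Z alice 203.0.113.10 FAIL
2025-05-02T08:00:07Z alice 198.51.100.22 FAIL
2025-05-02T08:00:15Z alice 203.0.113.11 FAIL
2025-05-02T08:01:02Z alice 192.0.2.44 FAIL
2025-05-02T08:01:40Z alice 198.51.100.23 FAIL
2025-05-02T08:02:09Z alice 203.0.113.12 FAIL
2025-05-02T08:30:00Z alice 192.0.2.9 SUCCESS
2025-05-02T08:05:00Z bob 192.0.2.77 FAIL
2025-05-02T08:05:20Z bob 192.0.2.77 SUCCESS
"""

def parse_signins(text):
    """Parse the record format above into (time, account, ip, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, account, ip, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, account, ip, result))
    return sorted(events)

def guessing_campaigns(events, window=timedelta(hours=1), min_failures=5, min_ips=3):
    """Flag accounts with at least min_failures failed sign-ins from at least min_ips
    distinct sources inside one sliding window, and note whether a success followed."""
    by_account = defaultdict(list)
    for when, account, ip, result in events:
        by_account[account].append((when, ip, result))
    flagged = {}
    for account, evs in by_account.items():
        fails = [(w, ip) for w, ip, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            burst = [(w, ip) for w, ip in fails[i:] if w - start <= window]
            ips = {ip for _, ip in burst}
            if len(burst) >= min_failures and len(ips) >= min_ips:
                end = burst[-1][0]
                # A success right after a distributed burst is the login worth reviewing
                success_after = any(r == "SUCCESS" and w > end for w, _, r in evs)
                flagged[account] = {"failures": len(burst), "distinct_ips": len(ips),
                                    "success_after_burst": success_after}
                break
    return flagged
```

Bob’s single mistyped password from his usual address is not flagged; alice’s six failures from six addresses are, and the later success is marked for review even though, as in Grimes’ case, it may well be the legitimate owner.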

Darren James, a Senior Product Manager at Specops Software, notes that support for business applications is also still lagging: “Right now, this is just for consumers; what about business or other professional users? Again, it’s better to take a layered approach; switching to passkeys may not suit the way your business operates, so passwords will still be part of the authentication story for some time to come. As mentioned above, making sure that passwords are unbreached, not just when you set them, but constantly checked to make sure they don’t become breached, and adding an additional, low friction MFA layer wherever they are used will be the best approach.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy, additionally thinks that allowing password-like PINs as an option will turn out to create the same set of problems: “I applaud any effort to make this a passwordless online society. However, while biometric authentication from fingerprints or face scanners definitely makes logins more secure, I am concerned that users who choose to use a PIN will reuse the PIN across multiple sites (as other sites move to passwordless login), making PIN reuse as bad as password reuse.”