Microsoft is once again moving closer to a passwordless future.
In a bold step toward embracing passkeys – which uses cryptography to better protect data from hackers and phishing scams – new Microsoft accounts will now be passwordless by default. Instead, the company will issue a prompt to set up passkeys as part of an effort to make the process more secure.
The company announced the news on World Password Day, which is observed on the first Thursday in May – a day that’s been used to encourage people to review their passwords and security settings since Intel created the event in 2013.
The need to get a better grasp on password protection comes at a time when many big tech companies are pushing to eliminate passwords altogether. Apple rolled out passkeys as part of iOS 16 in 2022, followed by Google, which allows people to sign in to Google and other popular accounts such as Amazon, WhatsApp and PayPal via fingerprint, face scan, PIN or pattern using a device’s lock screen.
«Although passwords have been around for centuries, we hope their reign over our online world is ending,» Microsoft said in a blog post.
Weak passwords don’t just make users vulnerable to hackers, they’re also often reused across multiple platforms, from banking apps to email to social media.
Now when a new Microsoft user attempts to enter a password and set up a «one time code» on their account, the company will prompt them to sign in with the code instead of the password and then encourage them to enroll a passkey. When they visit again, they’ll be prompted to sign in with the passkey – not a password. Meanwhile, existing users can visit their account settings to delete their password.
«This simplified experience gets you signed in faster and in our experiments has reduced password use by over 20%,» the company added. «As more people enroll passkeys, the number of password authentications will continue to decline until we can eventually remove password support altogether.»
Last year, the company introduced passkey support for Microsoft accounts for its consumer apps and services like Xbox and Copilot. It has since seen nearly a million passkeys registered every day.
Not a perfect solution
Lorrie Cranor, a security professor at Carnegie Mellon University, acknowledged that passkeys generally have security advantages over passwords, especially because many consumers still use the same password for many accounts, but said passkeys aren’t perfect either.
«From a security perspective, it is great to see them being pushed out to consumers, but I do have some concerns about their usability, especially in cases where consumers have multiple devices or lose or upgrade a device.» she said. «Shared accounts and devices may also be problematic.»
However, she said the companies pushing for passkeys should address the usability issues, implement secure and usable fallback authentication procedures over time.
«[They’ll need to] support users who run into problems,» Cranor said.
