It's time to delete that hunter2 password from your Microsoft account, says IT giant

And go passwordless, use auth app, keys, Windows Hello, or codes to login


From this week, Microsoft won't require you, or your password manager, to come up with strings of letters, numbers, and special characters forming a silly sentence or a reconfiguration of an ex’s name and birthday to access the Windows giant's services.

That is to say, you can delete the password from your Microsoft account, and login using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your cellphone or email inbox. (Last year, Redmond said SMS codes were unsafe for authentication, we note.)

When you set up your passwordless Microsoft account, you'll be rewarded with this chirpy box...

Screenshot acknowledging your password has been removed from your Microsoft account

But isn't this going down to single-factor authentication, you might be thinking. Well, the argument is that, for example, you need to not only have your phone in your hand but you must also be able to unlock it to run the authenticator app, and then use your fingerprint or PIN to get into your account – and there's your multi-factor authentication.

The IT goliath has been building up to this for ages – in 2004, Bill Gates predicted the death of passwords – and as recently as March it made passwordless authentication in Azure Active Directory generally available. Now it's coming to Microsoft accounts and associated apps and services, plus or minus some caveats.

The rationale given for this is that humans forget passwords, assign obvious ones, and reuse their favorites, which leads to folks being locked out or preyed upon by miscreants who use weak, leaked, or reused passwords to break into people's accounts.

“Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second — that’s 18 billion every year,” Redmond veep Vasu Jakkal claimed in announcing the news on Wednesday.

Jakkal had more numbers. From a survey, 15 per cent of people polled used their pets’ names as a password, 40 per cent say they’ve used a formula to create their passwords, and 10 per cent admitted they reused passwords. In a Twitter poll, 20 per cent of respondents said they would rather accidentally and embarrassingly “reply all” to a message than go through the hassle of resetting a password.

Additionally, the tech giant said nearly 100 per cent of its employees are passwordless when it comes to their corporate accounts.

This password-free login approach isn't available right across Microsoft's vast empire, though it can be used with "apps and services like Microsoft 365, Microsoft Teams, Outlook, OneDrive, Family Safety, Microsoft Edge and more," we're told. Office 2010 or older, Remote Desktop, and Xbox 360 will require a password. And for signing into Windows, you need to be on version 10 or 11.

The reversible process for ditching a password involves downloading and linking the Microsoft Authenticator App to your personal Microsoft account, going to your account settings, navigating to Advanced Security Options and then Additional Security Options, and turning on Passwordless Account.

Now all you have to do is keep your other authentication methods safe and secure. ®

Similar topics


Other stories you might like

  • Developers offered browser-based fun in VSCode.dev and Java action in Visual Studio Code

    Looking at code here, there and (almost) everywhere

    Microsoft has whipped the covers off yet another take on code-in-the-browser with a lightweight version of Visual Studio Code, while unveiling the version 1.0 release of support for Red Hat Java in the freebie source wrangler.

    It comes after last month's preview of the code editor that runs entirely in the browser, and will doubtless have some users pondering the difference between this and Microsoft-owned GitHub's github.dev, which also pops a development environment into the browser. One of the biggest of those differences is a lack of compulsory integration with the VS source-shack; this is unavoidable with github.dev (the clue is, after all, in the URL.)

    VSCode.dev, on the other hand, will permit the opening up of a file from a local device (if the browser allows it and supports the File System Access API) in what looks for all the world like an instance of Visual Studio Code, except surrounded by the gubbins of a browser.

    Continue reading
  • No swearing or off-brand comments: AWS touts auto-moderation messaging API

    Automate everything – but while human moderation is hard, robot moderation tends not to work

    AWS has introduced channel flows to its Chime messaging and videoconferencing API, the idea being to enable automatic moderation of profanity or content that "does not fit" the corporate brand.

    Although Amazon Chime has a relatively small market share in the crowded videoconferencing market, the Chime SDK is convenient for developers building applications that include videoconferencing or messaging, competing with SDKs and services from the likes of Twilio or Microsoft's Azure Communication Services. In other words, this is aimed mainly at corporate developers building applications or websites that include real-time messaging, audio or videoconferencing.

    The new feature is for real-time text chat rather than video and is called messaging channel flows. It enables developers to create code that intercepts and processes messaging before they are delivered. The assumption is that this processing code will run on AWS Lambda, its serverless platform.

    Continue reading
  • UK government puts £5bn on the table in trawl for public sector networks services

    I dream of wires, say Whitehall’s big buyers

    The UK's central government procurement agency is chumming the waters around the market's swimmers, hoping to tempt suppliers into providing a range of computer network services and kit with a £5bn tender.

    The buying spree, which will officially begin when a framework agreement starts in fiscal 2023, involves a large spread of hardware, software and services around IT networks. Included are categories such as networking, internet and intranet software packages, network interfaces, network operating system software development services and so on.

    Crown Commercial Service, the cross-government buying organisation that sits within the Cabinet Office, has launched what is known as a "prior information notice" to start talking to suppliers before it forms the official competition to be on the framework: a group of contracted suppliers from which a huge number of public sector bodies can buy.

    Continue reading

Biting the hand that feeds IT © 1998–2021