From this week, Microsoft won't require you, or your password manager, to come up with strings of letters, numbers, and special characters forming a silly sentence or a reconfiguration of an ex’s name and birthday to access the Windows giant's services.
That is to say, you can delete the password from your Microsoft account, and login using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your cellphone or email inbox. (Last year, Redmond said SMS codes were unsafe for authentication, we note.)
When you set up your passwordless Microsoft account, you'll be rewarded with this chirpy box...
But isn't this a step down to single-factor authentication, you might be thinking? Well, the argument is that, for example, you must not only have your phone in your hand but also be able to unlock it to run the authenticator app, and then use your fingerprint or PIN to get into your account – and there's your multi-factor authentication.
The IT goliath has been building up to this for ages – in 2004, Bill Gates predicted the death of passwords – and as recently as March it made passwordless authentication in Azure Active Directory generally available. Now it's coming to Microsoft accounts and associated apps and services, plus or minus some caveats.
The rationale given for this is that humans forget passwords, assign obvious ones, and reuse their favorites, which leads to folks being locked out or preyed upon by miscreants who use weak, leaked, or reused passwords to break into people's accounts.
“Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second — that’s 18 billion every year,” Redmond veep Vasu Jakkal claimed in announcing the news on Wednesday.
Jakkal had more numbers. From a survey, 15 per cent of people polled used their pets’ names as a password, 40 per cent say they’ve used a formula to create their passwords, and 10 per cent admitted they reused passwords. In a Twitter poll, 20 per cent of respondents said they would rather accidentally and embarrassingly “reply all” to a message than go through the hassle of resetting a password.
Additionally, the tech giant said nearly 100 per cent of its employees are passwordless when it comes to their corporate accounts.
This password-free login approach isn't available right across Microsoft's vast empire, though it can be used with "apps and services like Microsoft 365, Microsoft Teams, Outlook, OneDrive, Family Safety, Microsoft Edge and more," we're told. Office 2010 or older, Remote Desktop, and Xbox 360 will require a password. And for signing into Windows, you need to be on version 10 or 11.
The process for ditching a password, which can be reversed, involves downloading and linking the Microsoft Authenticator app to your personal Microsoft account, going to your account settings, navigating to Advanced Security Options and then Additional Security Options, and turning on Passwordless Account.
Now all you have to do is keep your other authentication methods safe and secure. ®