Microsoft accounts can go passwordless, making “password123” a thing of the past

By | September 15, 2021
Microsoft accounts can go passwordless, making “password123” a thing of the past
Getty Images

Microsoft has been working to make passwordless sign-in for Windows and Microsoft accounts a reality for years now, and today those efforts come to fruition: The Verge reports that starting today, users can completely remove their passwords from their Microsoft accounts and opt to rely on Microsoft Authenticator or some other form of verification to sign in on new devices. Microsoft added passwordless login support for work and school accounts back in March, but this is the first time the feature has been offered for regular, old individual Microsoft accounts.

Passwordless accounts improve security by taking passwords out of the equation entirely, making it impossible to get any kind of access to your full account information without access to whatever you use to verify your identity for two-factor authentication. Even if you protect your Microsoft account with two-factor authentication, an attacker who knows your Microsoft account password could still try that password on other sites to see if you’ve reused it anywhere. And some forms of two-factor authentication, particularly SMS-based 2FA, have security problems of their own.

The warning message you'll see when you turn on the passwordless account feature.
The warning message you’ll see when you turn on the passwordless account feature.
Andrew Cunningham

Microsoft has offered passwordless authentication for Windows 10 and Microsoft accounts for a while now, and if you’re already taking advantage of those features, nothing about how you sign in to your devices has to change. You just need to visit the Microsoft Account site, go to the Security tab, select “Advanced security options,” and turn on the passwordless account feature to remove your password entirely.

If you want to go fully passwordless, the easiest and most secure way for most people is to use the Microsoft Authenticator app on your phone; if you already have it installed, all you need to do to confirm the removal of your account’s password is open the app and approve the change. Other authenticator apps like Authy or Google Authenticator won’t work with the QR code format that Microsoft uses to enable passwordless accounts. You could also use a physical security token like a Yubikey or a PC with Windows Hello support to log in.

Source