Microsoft says it’s making passwordless logins the default means for signing in to new accounts, as the company helps drive an industry-wide push to transition away from passwords and the costly security problems they have created for companies and their users.
A key part of the “passwordless by default” initiative Microsoft announced on Thursday is encouraging the use of passkeys—the new alternative to passwords that Microsoft, Google, Apple, and a large roster of other companies are developing under the coordination of the FIDO Alliance.
Going forward, Microsoft will make passkeys the default means for new users to sign in. Existing users who have yet to enroll a passkey will be presented with a prompt to do so the next time they log in.
The push to passkeys is fueled by the tremendous costs associated with passwords. Creating and managing a sufficiently long, randomly generated password for each account is a burden on many users, a difficulty that often leads to weak choices and reused passwords. Leaked passwords have also been a chronic problem.
What’s more, over the past decade, attacks such as password spraying have grown increasingly effective at breaching sensitive networks, Microsoft’s own included.
Here’s the fine print
Left out of Microsoft’s announcement is that even after users create a passkey, they can’t go passwordless until they install the Microsoft Authenticator app on their phone. Microsoft has made Authy, Google Authenticator, and similar apps incompatible, a choice that needlessly inconveniences users and undermines the whole “passwordless by default” marketing message.
Using Microsoft Authenticator isn’t a requirement for using a passkey, but account holders who don’t have it will be unable to ditch their login passwords. With a password still associated with the account, many of the security benefits of passkeys are undermined.