Microsoft is extending its passwordless sign-in option from enterprise customers that use Azure Active Directory (AAD) to consumer Microsoft accounts on Windows 10 and Windows 11 PCs.
“We’re extending that same passwordless technology that we had for commercial earlier this year to consumers. It’s simple to set up. If you have a Microsoft account, you can use the Authenticator [app] and within a few steps you can be passwordless,” says Vasu Jakkal, Microsoft corporate vice president of the Microsoft Security, Compliance, Identity and Management division.
“We are going completely passwordless for Microsoft accounts. So you don’t need a password at all.”
Users often pick bad passwords because they’re easy to remember and those passwords are prone to password spraying attacks, where hackers use a list of common passwords against online accounts in the knowledge that some people will have used them.
But does this mean the death of the password? The OAuth and FIDO2 standards are helping usher in easier ways to use smartphones as two-factor or multi-factor authentication (2FA, MFA) options.
But even for a software giant like Microsoft, which has over one billion PCs in use today, solving the password problem takes the entire industry to support, including operating system, browser makers and application developers. Windows PCs and Microsoft accounts for Microsoft apps, like Office. OneDrive, and Outlook, are a big part of the answer, but they’re not the whole picture.
Nonetheless, Jakkal insists Microsoft is making headway.
“Nearly 100% of our employees are passwordless. We use Windows Hello and biometrics. Microsoft already has 200 million passwordless customers across consumer and enterprise,” says Jakkal.
At the moment, the option for password free login is only for Microsoft accounts, but this extends to Microsoft apps on iOS, Android, and Windows.
While it’s not so common to use Microsoft accounts to sign-in to third-party apps, it is more likely that people with a Microsoft account are using online Office apps like Teams, PowerPoint, Excel, Word or SharePoint.
The Microsoft Authenticator app for iOS and Android will now give consumers an option to use passwordless sign-in for supported apps that rely on a Microsoft account. You don’t need a password to sign in to the Microsoft account and wherever you use that account for whichever apps you are using it, you are password free.
Microsoft apps that still require a password include:
- Xbox 360 or earlier
- Office 2010 or earlier
- Office for Mac 2011 or earlier
- Products and services which use IMAP and POP email services
- Windows 7, Windows 8.1, Windows 10 1809 or earlier.
- Some Windows features including Remote Desktop and Credential Manager
The push for passwordless sign-in has been a multi-year effort underway at Microsoft and has required work to develop specifications for FIDO, the organization driving two-factor authentication and passwordless standards, Microsoft Identity corporate vice president, Alex Simons, tells ZDNet.
“That was a modification of the Windows Hello protocol we originally created for Microsoft use. Google and Microsoft submitted that together through FIDO and over time we had a bunch of work and we have today what we know as WebAuthn and all of the supporting standards that make FIDO2 possible.”
Simons explains that the support for passwordless sign-in with consumer Microsoft accounts means that end-users can completely remove passwords as a sign-in option. That, effectively, can close off the threat of password spraying attacks for Microsoft accounts and encourages consumers to use alternative sign-in methods for accessing Microsoft accounts.
“For the first time we’re giving Microsoft account users not just the chance to use passwordless authentication, which they’ve had for years now, but actually the ability to go in and completely remove their passwords. So you can basically block sign-in with passwords to your Microsoft account and always insist on a passwordless factor that could be Windows Hello or a FIDO2 key from partners like YubiKey, or the Authenticator app,” says Simons.
“We’re also pushing Apple and Google to support the standard natively,” he adds.