Microsoft Accounts Now Support Passwordless Login via FIDO 2 Security Keys

YubiKey 5 family

Microsoft and Yubico announced today that all Microsoft account owners using the latest Windows 10 version (build 1089) and the Edge browser will be able to log in to their accounts using nothing but a FIDO2/WebAuthn-enabled security key like Yubikey 5.

FIDO 2 Passwordless Login

Microsoft and Yubico have been working on the FIDO 2 specification along with others in the FIDO Alliance and the W3C for the past few years. Their objective was to give users a way to log into websites without needing any passwords--just a hardware token, such as a USB security key.

A FIDO 2 security key is not to be confused with a FIDO Universal 2nd Factor (U2F) security key, which works as a second authentication factor with the password being the first authentication factor. A FIDO 2 security key essentially replaces both but works much like a U2F key by using public key cryptography. The user only has to press a button on the security key to log into a website if they use a browser (such as Edge) that supports the WebAuthn web API, which connects the FIDO 2 hardware to a website's server.

Increased Simplicity and Security

One of the main ideas behind FIDO 2 and WebAuthn is to make it easier to log into dozens or hundreds of websites without having to use or remember passwords, which are inherently risky, for all of them.

Compared to password managers, FIDO 2 security keys are easier to use, but also more secure, because the physical security key is always in your possession. The downside is that they are not free like some password managers are, and you’ll always need a backup security key in case you lose or break the main one. If you do lose your primary security key and you don’t have a backup key, you may not be able to get back into your accounts--at least if the services that use FIDO2 keys don’t compromise that security by offering recovery options with weaker security.

How to Register a FIDO 2 Seucirty Key With a Microsoft Account

Yubico shared instructions for how to register a FIDO 2-compliant security key with your Microsoft account: 

  1. Launch Microsoft Edge on the latest Windows 10 update (version 1809). Visit the Microsoft account page and sign in as you normally would. Then, click Security > More security options, and select Set up a security key.
  2. Identify what type of security key you have (USB or NFC) and select Next.
  3. You will be redirected to the setup experience, where you will insert or tap your security key. This generates a unique public-private key pair between your key and your Microsoft account, and only the key stores the private key. The public key is stored with the Microsoft service to allow for verification of your authentication.  
  4. You will then be prompted to set a unique PIN to protect your key. This PIN is stored locally on the security key--not with Microsoft accounts.  
  5. Take the follow-up action by touching your security key.
  6. Name your security key so that you can distinguish it from other keys.
  7. Sign out and open Microsoft Edge, select "use security key instead" and sign in by inserting or tapping your key and entering your PIN.
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.