Microsoft Will Let You Remove Passwords From Your Account

A lock and chain sitting on a laptop keyboard
(Image credit: Shutterstock)

For the past few years, Microsoft has been predicting a future where you don't need a password, thanks to the use of verification codes, biometric identifiers or authentication apps. Today, the company is putting its money where its mouth is and allowing you to take the password off your Microsoft account.

Those who opt out of passwords will be able to use Microsoft's Authenticator app for Android or iOS, Windows Hello facial recognition or fingerprint sensing, security keys or verification codes sent to phones or emails to sign into Micorsoft's apps and services.

In a blog post, corporate vice president of Microsoft security, Vasu Jakkal, wrote that these services include Outlook, OneDrive and Microsoft Family Safety, and that this option will come out over "the coming weeks"

To remove the password, you'll need to have Microsoft Authenticator on your iOS or Android device and connect it to your Microsoft account. Then, you'll have to go to account.microsoft.com, log in and go to "Advanced Security Options." In the "Additional Security" menu, there will be an option called "Passwordless Account" that you can turn on.

This will result in a series of on-screen prompts, which will ultimately leave you sans password. You can add one back to your account — this isn't a mandate just yet.

Microsoft's reasoning here is that passwords aren't user friendly and that they're security risks on their own.

"Updates are often required on a regular basis, yet to create passwords that are both secure enough and memorable enough is a challenge," Jakkal wrote. "Passwords are incredibly inconvenient to create, remember, and manage across all of the accounts in our lives." Microsoft's studies suggest that one in 10 people reuse passwords across different services, while 40% use a formula that changes predictably. The company also says that it has become easier for hackers to guess passwords, and points out that once a password hits the dark web, it can be used to easily compromise accounts.

This could, of course, potentially cause some confusion. If you use a key, for instance, you need to ensure you always have it. If you use a message sent to a smartphone, you have to make sure you have a backup method if you ever change SIMs, like while travelling. So if you're not prepared, you could still potentially get locked out.

Microsoft's approach runs counter to the other leading idea for increasing security: a mix of password managers with two-factor authentication. Instead of something you know, it's focusing on something you have (a security key) or even something you are (facial recognition).

Microsoft's services and accounts are a start, but we'll see going forward if it is able to lead a charge that causes others to remove passwords from their services.

Andrew E. Freedman

Andrew E. Freedman is a senior editor at Tom's Hardware focusing on laptops, desktops and gaming. He also keeps up with the latest news. A lover of all things gaming and tech, his previous work has shown up in Tom's Guide, Laptop Mag, Kotaku, PCMag and Complex, among others. Follow him on Threads @FreedmanAE and Mastodon @FreedmanAE.mastodon.social.

  • ThatMouse
    I already have 3 authenticator apps on my phone! Why is Microsoft creating a new one?
    Reply
  • hotaru.hino
    I don't know if I like this, because it's removing a layer of protection.

    ThatMouse said:
    I already have 3 authenticator apps on my phone! Why is Microsoft creating a new one?
    They've had one for a while. In any case, I suggest Authy if you want to consolidate, since it's compatible with most of the OTP 2FAs I've encountered.
    Reply
  • Kamen Rider Blade
    This won't end well IMO.

    Trying to remove the Passwords from your Account System is going to cause ALOT of unforseen issues and security vulnerabilities.
    Reply
  • plateLunch
    I wish they could find a way to get my cell phone out of the security loop. With all the SIM swaps going on, seems like a bigger weak link because you can't use good practices to protect against it.
    Reply
  • Alvar "Miles" Udell
    My password is DS134@#$%sdfgoij@#$rASDFGt4398ASDFAWSEDG!@#$5

    But my Windows Hello is 1234


    So secure...
    Reply
  • hotaru.hino
    Alvar Miles Udell said:
    My password is DS134@#$%sdfgoij@#$rASDFGt4398ASDFAWSEDG!@#$5

    But my Windows Hello is 1234

    So secure...
    Well the difference here is it only works on that device, but your password works no matter what you're logging in from.
    Reply