For the past few years, Microsoft has been predicting a future where you don't need a password, thanks to the use of verification codes, biometric identifiers or authentication apps. Today, the company is putting its money where its mouth is and allowing you to take the password off your Microsoft account.
Those who opt out of passwords will be able to use Microsoft's Authenticator app for Android or iOS, Windows Hello facial recognition or fingerprint sensing, security keys, or verification codes sent to a phone or email address to sign in to Microsoft's apps and services.
In a blog post, Vasu Jakkal, corporate vice president of Microsoft security, wrote that these services include Outlook, OneDrive and Microsoft Family Safety, and that the option will roll out over "the coming weeks."
To remove the password, you'll need to have Microsoft Authenticator on your iOS or Android device and connect it to your Microsoft account. Then, you'll have to go to account.microsoft.com, log in and go to "Advanced Security Options." In the "Additional Security" menu, there will be an option called "Passwordless Account" that you can turn on.
This will result in a series of on-screen prompts, which will ultimately leave you sans password. You can add one back to your account — this isn't a mandate just yet.
Microsoft's reasoning is that passwords aren't user-friendly and that they are a security risk in themselves.
"Updates are often required on a regular basis, yet to create passwords that are both secure enough and memorable enough is a challenge," Jakkal wrote. "Passwords are incredibly inconvenient to create, remember, and manage across all of the accounts in our lives." Microsoft's studies suggest that one in 10 people reuse passwords across different services, while 40% use a formula that changes predictably. The company also says that it has become easier for hackers to guess passwords, and points out that once a password hits the dark web, it can be used to easily compromise accounts.
Going passwordless shifts the lockout risk rather than removing it. If you use a security key, you need to have it with you every time you sign in. If you rely on a code sent to a smartphone, you need a backup method in place before you change SIMs, for example while travelling. Codes sent by SMS or email are also the weakest of the options listed above, since they can be phished or intercepted, so the sensible setup is the Authenticator app or a security key as the primary method with a second factor registered as a backup. Without that preparation, you can still end up locked out.
Microsoft's approach departs from the other leading recommendation, a password manager combined with two-factor authentication, which keeps the password and adds a second factor on top. Passwordless drops the "something you know" factor entirely and relies on something you have (a security key, or a phone running Authenticator) or something you are (Windows Hello face or fingerprint recognition, which is checked on the device rather than sent to Microsoft).
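The reason a security key can stand in for a password is that sign-in becomes a challenge-response against a private key the service never holds. The Go program below is an added example, not code from Microsoft or from this article: it models a FIDO2-style login in simplified form, with the service issuing a single-use random challenge, the key signing it together with the origin the browser reports, and the service verifying the signature under the public key it stored at registration. The type names, the origins "https://login.example" and "https://l0gin.example", and the hashed message layout are all assumptions made for illustration; real WebAuthn assertions carry more fields (RP ID hash, signature counter, flags) in a different encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for a security key: the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Assertion is the login response: the origin the browser reported, the
// service's challenge, and a signature over both.
type Assertion struct {
	Origin    string
	Challenge []byte
	Sig       []byte
}

// signedData is a simplified stand-in for WebAuthn's authenticatorData plus
// clientDataHash: SHA-256 over origin, a separator byte and the challenge.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge. Because the origin is inside the signed data, a
// signature collected on a look-alike site is useless against the real one.
func (a *Authenticator) Sign(origin string, challenge []byte) (Assertion, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Origin: origin, Challenge: challenge, Sig: sig}, nil
}

// RelyingParty is the service: no password, no secret, only the registered
// public key and the challenges it has handed out.
type RelyingParty struct {
	Origin  string
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

// Challenge issues a fresh random nonce that is good for one verification.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[string(c)] = true
	return c, nil
}

// Verify burns the challenge first (pass or fail), then checks origin, then signature.
func (rp *RelyingParty) Verify(a Assertion) error {
	if !rp.pending[string(a.Challenge)] {
		return errors.New("unknown or reused challenge")
	}
	delete(rp.pending, string(a.Challenge))
	if a.Origin != rp.Origin {
		return errors.New("origin mismatch: assertion was signed for another site")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedData(a.Origin, a.Challenge), a.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// attempt is one login round: challenge issued, signed for whatever origin the
// browser reports, then verified by the service.
func attempt(auth *Authenticator, rp *RelyingParty, origin string) (Assertion, error) {
	c, err := rp.Challenge()
	if err != nil {
		return Assertion{}, err
	}
	a, err := auth.Sign(origin, c)
	if err != nil {
		return Assertion{}, err
	}
	return a, rp.Verify(a)
}

// Scenario runs an honest login, a replay of that assertion, and an attempt
// from a look-alike origin relaying a genuine challenge; it reports each verdict.
func Scenario() (honestOK, replayRejected, phishRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	auth := &Authenticator{priv: priv}
	// Registration: the service keeps only the public key. The origin is hypothetical.
	rp := &RelyingParty{Origin: "https://login.example", pub: &priv.PublicKey, pending: map[string]bool{}}
	a, verr := attempt(auth, rp, rp.Origin)
	honestOK = verr == nil
	replayRejected = rp.Verify(a) != nil // same assertion presented a second time
	_, perr := attempt(auth, rp, "https://l0gin.example") // phishing page, hypothetical domain
	phishRejected = perr != nil
	return
}

func main() {
	h, r, p, err := Scenario()
	fmt.Println("honest login:", h, "replay rejected:", r, "phish rejected:", p, "err:", err)
}
```

Two things in the verifier are worth noting. The challenge is deleted before any other check, so a failed attempt cannot be retried against the same nonce, and the origin is compared before the signature is checked, which is the property that makes this flow phishing-resistant: a proxy sitting on a look-alike domain can relay the real challenge to the user's key, but the resulting signature is bound to the wrong origin and is rejected.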
Microsoft's services and accounts are a start, but we'll see going forward if it is able to lead a charge that causes others to remove passwords from their services.
They've had one for a while. In any case, I suggest Authy if you want to consolidate, since it's compatible with most of the OTP 2FAs I've encountered.
Trying to remove the passwords from your account system is going to cause a lot of unforeseen issues and security vulnerabilities.
But my Windows Hello is 1234