Microsoft makes passkeys the default authentication method for all new accounts
They can’t steal your password if you don’t have one.

Microsoft now uses passkeys by default for all new accounts, helping users stay secure on the principle that a password that doesn't exist can't be stolen. Microsoft will ask you for an email address when creating an account for the first time. It will then send a verification code to confirm your identity, and once done, it will become your default credential for your new account.
After you’ve created your Microsoft account and signed in, the company will ask you to add a passkey. Once you have done so, you can use Windows Hello or your device’s biometric security features to access your account.
Passkeys have been around for almost a decade, with Windows 10 getting support for passwordless sign-in in July 2015. However, it took some time for the standard to gain traction, with Google, Apple, and Microsoft rolling it out to their respective operating systems in 2022.
Furthermore, personal Microsoft accounts only received this feature in 2024. Still, this is a welcome development, as it will make accessing your Microsoft account easier and more secure. After all, this is one less password you need to remember among the hundreds, if not thousands, of passwords you keep for your numerous accounts.
Microsoft wants to kill passwords
The company has updated the user experience for its login pages by detecting the best authentication method from the start instead of offering all the possible options.
“For example, if you have a password and “one-time code” set up on your account, we’ll prompt you to sign in with your one-time code instead of your password. After you’re signed in, you’ll be prompted to enroll a passkey. Then the next time you sign in, you’ll be prompted to sign in with your passkey,” said Microsoft Identity & Network Access President Joy Chik and Microsoft Security Corporate VP Vasu Jakkal. “This simplified experience gets you signed in faster and, in our experiments, has reduced password use by over 20%. As more people enroll passkeys, the number of password authentications will continue to decline until we can eventually remove password support altogether.”
Passwordless accounts will make it harder for bad actors to illicitly access accounts, as they can no longer steal credentials through phishing, keylogging, SIM swapping, and more. And even if you lose your passkey device, you’re still protected, as anyone who wants to access your data must use your biometrics to open it. Someone determined and with unlimited resources might still be able to circumvent passkey protection, but for the average person, this should be more than enough to increase their data security.
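
Why a phished or replayed passkey sign-in is rejected, as an added example (not code from the article or from Microsoft): a simplified WebAuthn-style assertion check in Node.js. The relying-party name `login.example.com`, the lookalike origin and all function names are assumptions made up for illustration.

```javascript
// Simplified WebAuthn-style assertion check; added example, not Microsoft's code.
const nodeCrypto = require('crypto');
const RP_ID = 'login.example.com';        // hypothetical relying party
const ORIGIN = 'https://login.example.com';
const sha256 = (b) => nodeCrypto.createHash('sha256').update(b).digest();

// Registration: the device keeps the private key, the server stores the public key.
const createPasskey = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Browser + authenticator: the browser, not the page, records the origin it sees.
// (A real authenticator would not even offer the credential on another RP ID;
// this models the worst case where a signature is produced anyway.)
function signAssertion(privateKey, challenge, originSeenByBrowser) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: originSeenByBrowser,
  }));
  // authenticatorData: rpIdHash (32 bytes) | flags (UP|UV = 0x05) | signCount (4 bytes)
  const rpIdHash = sha256(new URL(originSeenByBrowser).hostname);
  const authData = Buffer.concat([rpIdHash, Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
}

// Relying party: all bindings are checked before the signature is trusted.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'stale-challenge';
  if (client.origin !== ORIGIN) return 'wrong-origin';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong-rp-id';
  if ((a.authData[32] & 0x04) === 0) return 'user-not-verified';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const { publicKey, privateKey } = createPasskey();
  const challenge = nodeCrypto.randomBytes(32);
  const genuine = signAssertion(privateKey, challenge, ORIGIN);
  const phished = signAssertion(privateKey, challenge, 'https://login.example-com.test');
  return {
    genuine: verifyAssertion(publicKey, challenge, genuine),
    phished: verifyAssertion(publicKey, challenge, phished),   // relayed from a lookalike site
    replayed: verifyAssertion(publicKey, nodeCrypto.randomBytes(32), genuine), // old capture
  };
}
console.log(demo());
```

The server never holds a secret that could be typed into a fake page: it stores only the public key, and each signature is bound to one challenge and one origin.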

Jowi Morales is a tech enthusiast with years of experience working in the industry. He’s been writing with several tech publications since 2021, where he’s been interested in tech hardware and consumer electronics.
2Be_or_Not2Be
TheSecondPower said: Passkeys look to me like a form of vendor lock-in.
Technically, it's vendor-neutral, but it does require support by the local OS (which almost all do now).
It's basically creating a secure key pair between your "login" identity and a local device that you own. It helps knock out phishing-scams, keylogging, and the like because you need the physical device as part of the authentication. It's actually faster and more secure than straight passwords.
Grobe
Will this make creation of a new Hotmail account harder for those that don't use Windows as their OS?
hotaru251
2Be_or_Not2Be said: It's actually faster and more secure than straight passwords.
It's the 1 feature I use in desktop Win10.
Much faster to use my PIN for log in than my much longer password.
punkncat
Will this mean they are also going to do away with the ability to use a local user/password method?
I prefer working within my local network using username/pass for ease of access between PC shares as well as RDC. About the time you change things to "let Windows decide" on your shares then connection issues abound.
TheSecondPower
2Be_or_Not2Be said: Technically, it's vendor-neutral, but it does require support by the local OS (which almost all do now). It's basically creating a secure key pair between your "login" identity and a local device that you own. It helps knock out phishing-scams, keylogging, and the like because you need the physical device as part of the authentication. It's actually faster and more secure than straight passwords.
So if I use the Windows passkey system to log into 15 different websites, and I want to log into those same websites on Linux, Android, iOS, and MacOS, can I do that?
Misgar
punkncat said: I prefer working within my local network using username/pass for ease of access between PC shares as well as RDC.
Same here. When I'm installing Windows in remote locations with no broadband or 4G/5G internet access, this might make things difficult. I'm discounting satellite internet because the end users may not be able to afford this option. Some folk don't need extra bells and whistles or Copilot. Maybe Linux would be a better choice?
dwd999
If you want to see why this is a good idea, log into your Microsoft account, select Account, Security, and See Your Sign-In Activity. When I look at mine I see unsuccessful attempted sign-ins from all over the world, as many as a dozen a day. I'm smart enough that I don't have any financial information listed under Payment Methods so they can't buy anything. But for someone who would enter payment information it's a real hazard.
USAFRet
dwd999 said: If you want to see why this is a good idea, log into your Microsoft account, select Account, Security, and See Your Sign-In Activity. When I look at mine I see unsuccessful attempted sign-ins from all over the world, as many as a dozen a day. I'm smart enough that I don't have any financial information listed under Payment Methods so they can't buy anything. But for someone who would enter payment information it's a real hazard.
Indeed.
This is recent activity on my MS acct:
https://i.imgur.com/VSSPMUj.png
Alvar "Miles" Udell
Is quite convenient, I've used a PIN for ages with Windows Hello and Microsoft Authenticator for when account access is required. While it is far more secure than a password, it's not exactly friendly to people who don't keep a phone near them, refuse to use an app authenticator, or don't have service.
Ideally people would use a FIDO key (I don't), but pin and app are good enough.