Microsoft makes passkeys the default authentication method for all new accounts

Microsoft passkey login
(Image credit: Microsoft)

Microsoft now makes passkeys the default sign-in method for all new accounts, so a new account never has a password that could be stolen in the first place. When you create an account, Microsoft asks for an email address and sends a one-time verification code to confirm you control it; that emailed code serves as the account's initial sign-in credential until you add a passkey.

After you have created the account and signed in, Microsoft prompts you to add a passkey. From then on you can sign in with Windows Hello or your device's own biometric unlock instead of typing anything.

Passwordless sign-in predates the passkey branding by almost a decade: Windows 10 shipped Windows Hello in July 2015. The FIDO2/WebAuthn standard that passkeys are built on took longer to gain traction, and only in 2022 did Apple, Google, and Microsoft jointly commit to supporting passkeys across their platforms.

Personal Microsoft accounts only gained passkey support in 2024. Still, this is a welcome development, as it makes accessing a Microsoft account both easier and more secure: it is one less password to remember among the many you keep for your other accounts.

Microsoft wants to kill passwords

Microsoft has also reworked its sign-in pages so they detect the strongest authentication method already set up on an account and prompt for that first, rather than listing every possible option.

“For example, if you have a password and “one-time code” set up on your account, we’ll prompt you to sign in with your one-time code instead of your password. After you’re signed in, you’ll be prompted to enroll a passkey. Then the next time you sign in, you’ll be prompted to sign in with your passkey,” said Microsoft Identity & Network Access President Joy Chik and Microsoft Security Corporate VP Vasu Jakkal. “This simplified experience gets you signed in faster and, in our experiments, has reduced password use by over 20%. As more people enroll passkeys, the number of password authentications will continue to decline until we can eventually remove password support altogether.”

Passwordless accounts are harder to break into: with no password to capture, phishing pages, keyloggers and leaked-password lists have nothing to work with, and because no SMS code is involved, SIM swapping does not help either. A passkey is a public-key credential. The private key stays on the device, and each sign-in signs a fresh challenge from the site together with the site's own origin, so a signature produced for a look-alike domain is useless at the real one. Losing the device does not hand over the account, because the device will not use the key until it has been unlocked with your biometrics or PIN. The weak point that remains is account recovery: whoever can pass the fallback checks for a lost device can still get in, so those recovery options deserve the same care as the passkey itself.


Jowi Morales
Contributing Writer

Jowi Morales is a tech enthusiast with years of experience working in the industry. He has been writing for several tech publications since 2021, covering tech hardware and consumer electronics.

  • TheSecondPower
    Passkeys look to me like a form of vendor lock-in.
    Reply
  • 2Be_or_Not2Be
    TheSecondPower said:
    Passkeys look to me like a form of vendor lock-in.
    Technically, it's vendor-neutral, but it does require support by the local OS (which almost all do now).

    It's basically creating a secure key pair between your "login" identity and a local device that you own. It helps knock out phishing-scams, keylogging, and the like because you need the physical device as part of the authentication. It's actually faster and more secure than straight passwords.
    Reply
  • Grobe
    Will this cause creation of a new hotmail account harder, for those that don't use Windows as OS ?
    Reply
  • hotaru251
    2Be_or_Not2Be said:
    It's actually faster and more secure than straight passwords.
    It's the one feature I use in desktop Win10.

    Much faster to use my PIN to log in than my much longer password.
    Reply
  • punkncat
    Will this mean they are also going to do away with the ability to use a local user/password method?

    I prefer working within my local network using username/pass for ease of access between PC shares as well as RDC. About the time you change things to "let Windows decide" on your shares then connection issues abound.
    Reply
  • TheSecondPower
    2Be_or_Not2Be said:
    Technically, it's vendor-neutral, but it does require support by the local OS (which almost all do now).

    It's basically creating a secure key pair between your "login" identity and a local device that you own. It helps knock out phishing-scams, keylogging, and the like because you need the physical device as part of the authentication. It's actually faster and more secure than straight passwords.
    So if I use the Windows passkey system to log into 15 different websites, and I want to log into those same websites on Linux, Android, iOS, and MacOS, can I do that?
    Reply
  • Misgar
    punkncat said:
    I prefer working within my local network using username/pass for ease of access between PC shares as well as RDC.
    Same here. When I'm installing Windows in remote locations with no broadband or 4G/5G internet access, this might make things difficult. I'm discounting satellite internet because the end users may not be able to afford this option. Some folk don't need extra bells and whistles or Copilot. Maybe Linux would be a better choice?
    Reply
  • dwd999
    If you want to see why this is a good idea, log into your Microsoft account, select Account, Security, and See Your Sign-In Activity. When I look at mine I see unsuccessful attempted sign-ins from all over the world, as many as a dozen a day. I'm smart enough that I don't have any financial information listed under Payment Methods so they can't buy anything. But for someone who would enter payment information it's a real hazard.
    Reply
  • USAFRet
    dwd999 said:
    If you want to see why this is a good idea, log into your Microsoft account, select Account, Security, and See Your Sign-In Activity. When I look at mine I see unsuccessful attempted sign-ins from all over the world, as many as a dozen a day. I'm smart enough that I don't have any financial information listed under Payment Methods so they can't buy anything. But for someone who would enter payment information it's a real hazard.
    Indeed.
    This is recent activity on my MS acct:
    https://i.imgur.com/VSSPMUj.png
    Reply
  • Alvar "Miles" Udell
    It's quite convenient. I've used a PIN for ages with Windows Hello and Microsoft Authenticator for when account access is required. While it is far more secure than a password, it's not exactly friendly to people who don't keep a phone near them, refuse to use an app authenticator, or don't have service.

    Ideally people would use a FIDO key (I don't), but pin and app are good enough.
    Reply