The passwordless future is here for your Microsoft account

  • Staff
I don’t know a single person who enjoys managing passwords. Given how much of my life is spent online and in various apps, keeping track of it all, ensuring they’re unique and regularly updated – it can quickly become overwhelming for me – and I’m a techie!

Which is why I’m so excited about today’s announcement that now you can remove the password from your Microsoft account and sign in using passwordless methods like Windows Hello, the Microsoft Authenticator mobile app or a verification code sent to your phone or email. This feature will help to protect your Microsoft account from identity attacks like phishing while providing even easier access to the best apps and services like Microsoft 365, Microsoft Teams, Outlook, OneDrive, Family Safety, Microsoft Edge and more. It’s so easy to go passwordless, I encourage everyone to check out Vasu’s blog post for more details on how to get started today.

We also know that everyone is on their own passwordless journey, and the world isn’t entirely passwordless yet. Which is why we’ve built tools that meet you where you are today and help keep your current passwords secure for other sites. In Microsoft Edge, for example, we have a comprehensive password management system with Password Monitor, password generator and the password health dashboard (1).


Now you can easily set Microsoft Edge to monitor the passwords you use across the web and alert you if one has been compromised, prompting you to update your password. Password generator helps you automatically create strong passwords when you create new accounts online – no more reusing the same password across sites! And the dashboard gives you one place to view your passwords across sites, letting you know if they’re strong enough and whether they’ve been used on other sites. You can also access your Microsoft Edge passwords on the go from the Microsoft Authenticator app when you sign in with your Microsoft account. And all of this is done with your privacy in mind – the underlying technology helps ensure that neither Microsoft nor any other party can learn your passwords while they’re being monitored in Microsoft Edge. If you’re not already using Microsoft Edge, you can learn more here.

Whether you need help managing your passwords more securely and easily or you’re going passwordless across all of your Microsoft apps and services, we have the tools to help keep you and your family safer across your digital world. We look forward to sharing more with you as we continue on the passwordless journey.

1 Password Monitor, password generator and the password health dashboard are available on the latest version of Microsoft Edge. Must be signed into a Microsoft account.

Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives—from email to bank accounts, shopping carts to video games.

We are expected to create complex and unique passwords, remember them, and change them frequently, but nobody likes doing that either. In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally “reply all”—which can be monumentally embarrassing—than reset a password.
But what alternative do we have?

For the past couple of years, we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision. In March 2021, we announced that passwordless sign-in was generally available for commercial users, bringing the feature to enterprise organizations around the world.

Beginning today, you can now completely remove the password from your Microsoft account. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more. This feature will be rolled out over the coming weeks.



The problem with passwords

My friend, Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft, likes to say, “Hackers don’t break in, they log in.” That has stuck with me ever since I first heard him say it because it’s so true.

Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second—that’s 18 billion every year.

Why are passwords so vulnerable? There are two big reasons.

Human nature

Except for auto-generated passwords that are nearly impossible to remember, we largely create our own passwords. But, given the vulnerability of passwords, requirements for them have gotten increasingly complex in recent years, including multiple symbols, numbers, case sensitivity, and disallowing previous passwords. Updates are often required on a regular basis, yet to create passwords that are both secure enough and memorable enough is a challenge. Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives.


Forgetting a password can be painful too. I was shocked to learn that nearly a third of people say they completely stop using an account or service rather than dealing with a lost password. That’s not only a problem for the person stuck in the password cycle, but also for businesses losing customers.

To solve these problems and create passwords we can remember, we try and make things easier for ourselves. We often rely on known and personal words and phrases. One of our recent surveys found that 15 percent of people use their pets’ names for password inspiration. Other common answers included family names and important dates like birthdays. We also found 1 in 10 people admitted reusing passwords across sites, and 40 percent say they’ve used a formula for their passwords, like Fall2021, which eventually becomes Winter2021 or Spring2022.

Hacker nature

Unfortunately, while such passwords may be easier to remember, they are also easier for a hacker to guess. A quick look at someone’s social media can give any hacker a head start on logging into their personal accounts. Once that password and email combination has been compromised, it’s often sold on the dark web for use in any number of attacks.

Hackers also have a lot of tools and techniques. They can use automated password spraying to try many possibilities quickly. They can use phishing to trick you into putting your credentials into a fake website. These tactics are relatively unsophisticated and have been in play for decades, but they continue to work because passwords continue to be created by humans.

Go passwordless today with a few quick clicks

First, ensure you have the Microsoft Authenticator app installed and linked to your personal Microsoft account.

Next, visit your Microsoft account, sign in, and choose Advanced Security Options. Under Additional Security Options, you’ll see Passwordless Account. Select Turn on.


Finally, follow the on-screen prompts, and then approve the notification from your Authenticator app. Once you’ve approved, you’re free from your password!


If you decide you prefer using a password, you can always add it back to your account. But I hope you’ll give passwordless a try—I don’t think you’ll want to go back.

Learn more about going passwordless

We’ve heard great feedback from our enterprise customers who have been on the passwordless journey with us. In fact, Microsoft itself is a great test case—nearly 100 percent of our employees use passwordless options to log in to their corporate accounts.

You can read more about our passwordless journey in a blog from Joy Chik, Corporate Vice President of Identity, or hear more about the benefits for people using Edge or Microsoft 365 apps from Liat Ben-Zur. To learn more about how Microsoft solutions, such as Microsoft Azure Active Directory and Microsoft Authenticator, are allowing users in organizations to forget their passwords while staying protected, join our digital event Your Passwordless Future Starts Now on October 13, 2021.

Learn more about enabling passwordless sign-in with the Microsoft Authenticator app here.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.



The-Hive

I always use automatic log on with Netplwiz; works for me, but the new passwordless looks very good.

TairikuOkami

So MS says that passwords are OK as long as they are safe, thus Edge creates 15-character-long passwords. :lmao:
2FA is already dangerous; imagine losing access to your authenticators = losing access to your account, forever.


By the way, passwordless accounts have been here for decades; you can register using FB, Google or MS, like on this forum.
But I still trust an offline verification for vital accounts, and that includes saving backup codes, so make sure you have those.

Quandary

It is a non-starter for me as I use IMAP for Thunderbird on my PC, and this requires a password. Not sure about Outlook on my iPhone, but I suspect the same issue. Bitwarden with separate 2FA is fine for those accounts that accept 2FA. My bank, like many others, is still lagging behind and uses a secret question.

ThrashZone

Hi,
Passwordless, yeah, swap that for a cell phone number, much easier to track you all the time lol

Then, wait for it, a pass code which was created after talking you out of using that pesky password you haven't forgotten but MS thinks you will someday.
But wait, don't forget any of them, because now you also have several questions/answers to remember too lol

Just jumping jellybeans features.

cytherian

I don't like going without passwords for several reasons:
  1. If you create a cipher pattern for your passwords, it's easier to remember, such as [Site-letter-code]-[4-digits]_initials!. The 4 digits are something unique and easy to remember but also not simple (e.g. 1234). For example, Eleven-4531_GL!. This is a strong enough password for most purposes. For financial or major shopping sites, increase the complexity.
  2. You can have 2-step authentication, using an app on your phone. Why not just have the authenticator? Simple. What if someone steals your phone and manages to break through the phone authentication? Your security is totally breached.
  3. Not everything has to be 2-step. And what if you need to use a different computer where your passwords aren't stored? I don't like the idea of logging in with Google in Chrome and "inheriting" the coded passwords to be used in that session. There's no guarantee that they'll be cleared out when you close, and then a program might have the chance to reverse engineer those codes to discover passwords.

TairikuOkami

> You can have 2-step authentication, using an app on your phone. Why not just have the authenticator? Simple. What if someone steals your phone and manages to break through the phone authentication? Your security is totally breached.
Well said. 2FA on the same device is technically 1FA only. And whether it is SMS, email or app, it is all on the phone.
Imagine having all your passwords stored in your MS account. One mistake and you lose it all. Worse than ransomware.

I use a standalone password manager, where I store most passwords, but not core ones; they are stored offline in a double-encrypted file. Recovery emails should not be interconnected. If someone gets access to one of your accounts, he will gain access to all. My recovery email is linked to my government ID. You could also use something like a FIDO key and hide it under a doormat or a flower pot.

wpcoe

> It is a non-starter for me as I use IMAP for Thunderbird on my PC, and this requires a password. Not sure about Outlook on my iPhone, but I suspect the same issue. Bitwarden with separate 2FA is fine for those accounts that accept 2FA. My bank, like many others, is still lagging behind and uses a secret question.
Yeah, how would I use Thunderbird (or any third party e-mail client) to access either IMAP or POP3 e-mail if I remove the password from my Hotmail/Outlook/Microsoft accounts? Do I need to keep my cell phone nearby and keep answering Authenticator requests?

tinmar49

> I don't like going without passwords for several reasons:
>   1. If you create a cipher pattern for your passwords, it's easier to remember, such as [Site-letter-code]-[4-digits]_initials!. The 4 digits are something unique and easy to remember but also not simple (e.g. 1234). For example, Eleven-4531_GL!. This is a strong enough password for most purposes. For financial or major shopping sites, increase the complexity.
>   2. You can have 2-step authentication, using an app on your phone. Why not just have the authenticator? Simple. What if someone steals your phone and manages to break through the phone authentication? Your security is totally breached.
>   3. Not everything has to be 2-step. And what if you need to use a different computer where your passwords aren't stored? I don't like the idea of logging in with Google in Chrome and "inheriting" the coded passwords to be used in that session. There's no guarantee that they'll be cleared out when you close, and then a program might have the chance to reverse engineer those codes to discover passwords.
I use the same system as cytherian with at least 18 characters. The password for this forum is 19 characters using acronyms, upper case, numbers and special characters. Some of my passwords have 26 elements, except for PayPal, which only allows 20. I have no trouble remembering them as they follow a format which is intuitive to me.
For instance, if you were once in the armed forces, your number will be engraved indelibly in your brain and could be the central part of a long password. Funny thing is that I can remember my father's number that he had in the Second World War, and yet I cannot remember the house telephone number.

wpcoe

My gripe with passwords is you never know what level of complexity the site used when you created the password. I use permutations of a basic (intuitive to me) pattern of characters, depending on whether uppercase and/or special characters are required, and whether there is a minimum/maximum number of characters. However, when I visit a site after a long absence and it prompts me for a password, I no longer remember the rules on use of uppercase/special characters and password length. I've started including uppercase and special characters with a minimum of 8 characters when creating new passwords, but there are plenty of older passwords from the past where I can't remember the parameters.

unifex

My primary Windows desktop is at home and I am using a local account. I see no need for a password or any other authentication method :cool: