The passwordless future is here for your Microsoft account


I don’t know a single person who enjoys managing passwords. Given how much of my life is spent online and in various apps, keeping track of it all, ensuring they’re unique and regularly updated – it can quickly become overwhelming for me – and I’m a techie!

Which is why I’m so excited about today’s announcement that now you can remove the password from your Microsoft account and sign in using passwordless methods like Windows Hello, the Microsoft Authenticator mobile app or a verification code sent to your phone or email. This feature will help to protect your Microsoft account from identity attacks like phishing while providing even easier access to the best apps and services like Microsoft 365, Microsoft Teams, Outlook, OneDrive, Family Safety, Microsoft Edge and more. It’s so easy to go passwordless, I encourage everyone to check out Vasu’s blog post for more details on how to get started today.

We also know that everyone is on their own passwordless journey, and the world isn’t entirely password-less yet. Which is why we’ve built tools that meet you where you are today and help keep your current passwords secure for other sites. In Microsoft Edge, for example, we have a comprehensive password management system with Password Monitor, password generator and the password health dashboard (1).


Now you can easily set Microsoft Edge to monitor the passwords you use across the web and alert you if one has been compromised, prompting you to update your password. Password generator helps you automatically create strong passwords when you create new accounts online – no more reusing the same password across sites! And the dashboard gives you one place to view your passwords across sites, letting you know if they’re strong enough and whether they’ve been used on other sites. You can also access your Microsoft Edge passwords on the go from the Microsoft Authenticator app when you sign in with your Microsoft account. And all of this is done with your privacy in mind – the underlying technology helps ensure that neither Microsoft nor any other party can learn your passwords while they’re being monitored in Microsoft Edge. If you’re not already using Microsoft Edge, you can learn more here.

Whether you need help managing your passwords more securely and easily or you’re going passwordless across all of your Microsoft apps and services, we have the tools to help keep you and your family safer across your digital world. We look forward to sharing more with you as we continue on the passwordless journey.

1 Password Monitor, password generator and the password health dashboard are available on the latest version of Microsoft Edge. Must be signed into a Microsoft account.

Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives—from email to bank accounts, shopping carts to video games.

We are expected to create complex and unique passwords, remember them, and change them frequently, but nobody likes doing that either. In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally “reply all”—which can be monumentally embarrassing—than reset a password.
But what alternative do we have?

For the past couple of years, we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision. In March 2021, we announced that passwordless sign in was generally available for commercial users, bringing the feature to enterprise organizations around the world.

Beginning today, you can now completely remove the password from your Microsoft account. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more. This feature will be rolled out over the coming weeks.



The problem with passwords

My friend, Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft likes to say, “Hackers don’t break in, they log in.” That has stuck with me ever since I first heard him say it because it’s so true.

Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second—that’s 18 billion every year.

Why are passwords so vulnerable? There are two big reasons.

Human nature

Except for auto-generated passwords that are nearly impossible to remember, we largely create our own passwords. But, given the vulnerability of passwords, requirements for them have gotten increasingly complex in recent years, including multiple symbols, numbers, case sensitivity, and disallowing previous passwords. Updates are often required on a regular basis, yet to create passwords that are both secure enough and memorable enough is a challenge. Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives.


Forgetting a password can be painful too. I was shocked to learn that nearly a third of people say they completely stop using an account or service rather than dealing with a lost password. That’s not only a problem for the person stuck in the password cycle, but also for businesses losing customers.

To solve these problems and create passwords we can remember, we try and make things easier for ourselves. We often rely on known and personal words and phrases. One of our recent surveys found that 15 percent of people use their pets’ names for password inspiration. Other common answers included family names and important dates like birthdays. We also found 1 in 10 people admitted reusing passwords across sites, and 40 percent say they’ve used a formula for their passwords, like Fall2021, which eventually becomes Winter2021 or Spring2022.

Hacker nature

Unfortunately, while such passwords may be easier to remember, they are also easier for a hacker to guess. A quick look at someone’s social media can give any hacker a head start on logging into their personal accounts. Once that password and email combination has been compromised, it’s often sold on the dark web for use in any number of attacks.

Hackers also have a lot of tools and techniques. They can use automated password spraying to try many possibilities quickly. They can use phishing to trick you into putting your credentials into a fake website. These tactics are relatively unsophisticated and have been in play for decades, but they continue to work because passwords continue to be created by humans.

Go passwordless today with a few quick clicks

First, ensure you have the Microsoft Authenticator app installed and linked to your personal Microsoft account.

Next, visit your Microsoft account, sign in, and choose Advanced Security Options. Under Additional Security Options, you’ll see Passwordless Account. Select Turn on.


Finally, follow the on-screen prompts, and then approve the notification from your Authenticator app. Once you’ve approved, you’re free from your password!


If you decide you prefer using a password, you can always add it back to your account. But I hope you’ll give passwordless a try—I don’t think you’ll want to go back.

Learn more about going passwordless

We’ve heard great feedback from our enterprise customers who have been on the passwordless journey with us. In fact, Microsoft itself is a great test case—nearly 100 percent of our employees use passwordless options to log in to their corporate accounts.

You can read more about our passwordless journey in a blog from Joy Chik, Corporate Vice President of Identity, or hear more about the benefits for people using Edge or Microsoft 365 apps from Liat Ben-Zur. To learn more about how Microsoft solutions, such as Microsoft Azure Active Directory and Microsoft Authenticator, are allowing users in organizations to forget their passwords while staying protected, join our digital event Your Passwordless Future Starts Now on October 13, 2021.

Learn more about enabling passwordless sign-in with the Microsoft Authenticator app here.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


I always use automatic log on with Netplwiz, works for me but the new passwordless looks very good.
 

So MS says that passwords are OK as long as they are safe, thus Edge creates 15 characters long passwords. :lmao:
2FA is already dangerous, imagine losing access to your authentications = losing access to your account, forever.

By the way passwordless accounts are here for decades, you can register using FB, Google or MS, like on this forum.
But I still trust an offline verification for vital accounts, that includes saving backup codes, make sure you have those.
 

It is a non starter for me as I use IMAP for Thunderbird on my PC, and this requires a password. Not sure about Outlook on my iPhone, but I suspect the same issue. Bitwarden with separate 2FA is fine for those accounts that accept 2FA. My bank, like many others, is still lagging behind and uses a secret question.
 

Hi,
Passwordless yeah swap that for a cell phone number much easier to track you all the time lol

Then wait for it, pass code which was created after talking you out of using that pesky password you haven't forgotten but ms thinks you will someday
But wait don't forget any of them because now you also have several questions/answers to remember too lol

Just jumping jellybeans features.
 

I don't like going without passwords for several reasons:
  1. If you create a cipher pattern to your passwords, it's easier to remember, such as [Site-letter-code]-[4-digits]_initials! . The 4 digits are something unique and easy to remember but also not simple (e.g. 1234). For example Eleven-4531_GL! . This is a strong enough password for most purposes. For financial or major shopping sites, increase the complexity.
  2. You can have a 2-step authentication, using an app on your phone. Why not just have the authenticator? Simple. What if someone steals your phone and manages to break through the phone authentication? Your security is totally breached.
  3. Not everything has to be 2-step. And what if you need to use a different computer where your passwords aren't stored? I don't like the idea of logging in with Google in Chrome and "inheriting" the coded passwords to be used in that session. No guarantee that they'll be cleared out when you close and then a program might have the chance to reverse engineer those codes to discover passwords.
 

You can have a 2-step authentication, using an app on your phone. Why not just have the authenticator? Simple. What if someone steals your phone and manages to break through the phone authentication? Your security is totally breached.
Well said. 2FA on the same device is technically 1FA only. And whether it is SMS, email or app, it is all on the phone.
Imagine having all your passwords stored in MS account. One mistake and you lose it all. Worse than ransomware.

I use a standalone password manager, where I store most passwords, but not core ones, they are stored offline in a double encrypted file. Email recovery emails should not be interconnected. If someone gets access to one of your accounts, he will gain access to all. My recovery email is linked to my government ID. You could also use something like a FIDO key and hide it under a doormat or a flower pot.
 

It is a non starter for me as I use IMAP for Thunderbird on my PC, and this requires a password. Not sure about Outlook on my iPhone, but I suspect the same issue. Bitwarden with separate 2FA is fine for those accounts that accept 2FA. My bank, like many others, is still lagging behind and uses a secret question.
Yeah, how would I use Thunderbird (or any third party e-mail client) to access either IMAP or POP3 e-mail if I remove the password from my Hotmail/Outlook/Microsoft accounts? Do I need to keep my cell phone nearby and keep answering Authenticator requests?
 

I don't like going without passwords for several reasons:
  1. If you create a cipher pattern to your passwords, it's easier to remember, such as [Site-letter-code]-[4-digits]_initials! . The 4 digits are something unique and easy to remember but also not simple (e.g. 1234). For example Eleven-4531_GL! . This is a strong enough password for most purposes. For financial or major shopping sites, increase the complexity.
  2. You can have a 2-step authentication, using an app on your phone. Why not just have the authenticator? Simple. What if someone steals your phone and manages to break through the phone authentication? Your security is totally breached.
  3. Not everything has to be 2-step. And what if you need to use a different computer where your passwords aren't stored? I don't like the idea of logging in with Google in Chrome and "inheriting" the coded passwords to be used in that session. No guarantee that they'll be cleared out when you close and then a program might have the chance to reverse engineer those codes to discover passwords.
I use the same system as cytherian with at least 18 characters. The password for this forum is 19 characters using acronyms, upper case, numbers and characters. Some of my passwords have 26 elements, except for PayPal which only allows 20. I have no trouble remembering them as they follow a format which is intuitive to me.
For instance, if you were once in the armed forces, your number will be engraved indelibly in your brain and could be the central part of a long password. Funny thing is that I can remember my father's number that he had in the second world war, and yet I cannot remember the house telephone number.
 

My gripe with passwords is you never know what level of complexity the site used when you created the password. I use permutations of a basic (intuitive to me) pattern of characters, depending on if uppercase and/or special characters are required, and if there is a minimum/maximum number of characters. However, when I visit a site after a long absence and it prompts me for a password, I no longer remember the rules on use of uppercase/special characters and password length. I've started including uppercase and special characters with a minimum of 8 characters when creating new passwords, but there are plenty of older passwords from the past where I can't remember the parameters.
 

My primary Windows desktop is at home and I am using a local account. I see no need for a password or any other authentication method :cool:
 
