Microsoft has announced that users can now delete all passwords from their accounts and instead log in using an authenticator app or other solution.
In March, the technology behemoth made passwordless accounts available to business users of its products.
That system is now available to all Microsoft and Windows users.
According to the company, “nearly all of our employees” are already using the new, more secure system for their corporate accounts.
If passwordless login is enabled, users who next sign in to a Microsoft account will be prompted to use their fingerprint or another secure unlock method on their mobile phone.
According to Microsoft, this is far more secure than using passwords, which can be guessed or stolen.
“Only you can provide fingerprint authentication or the appropriate response on your mobile at the appropriate time,” it stated.
Windows users, on the other hand, will be able to use quick-login features such as a PIN code.
Some rare exceptions, such as Office 2010, Xbox 360 consoles, and Windows 8.1 or earlier machines, will still require passwords.
And if access to the authenticator app is lost – for example, if the phone on which it is installed is lost or stolen, or if a user forgets to upgrade – the backup options include:
- Windows Hello facial recognition, which requires a compatible laptop or special camera
- a physical security key, which must be used on the device logging in
- Short Message Service (SMS) or email codes
However, SMS and email are two of the most common channels used by cybercriminals to target specific individuals.
Furthermore, Microsoft states that security-conscious users who have two-factor authentication enabled will need access to two different recovery methods.
Prof Alan Woodward of the University of Surrey, who is part of a research team looking into passwordless authentication, described it as “quite a bold step from Microsoft.”
“This isn’t just logging into PCs; it’s also logging into online services,” he explained, including critical ones like cloud storage.
Microsoft laid out its reasons for the new system in a series of blog posts.
“Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives,” wrote security vice president Vasu Jakkal. “We are expected to create complex and unique passwords, remember them, and change them on a regular basis – but no one enjoys doing so.”
Instead, people tended to create insecure passwords that technically cleared the bar for using symbols, numbers, or case sensitivity – but used a repeated formula or the same password on multiple websites to remember them.
As a result, hackers were able to guess them or reveal them in a data breach and reuse them.
“Hackers don’t break in, they log in,” the blog post read.
Users are greeted by a box that reads, “A passwordless account reduces the risk of phishing and password attacks.”
When the feature is activated, a confirmation message appears informing users that “you have increased the security of your account and improved your sign-in experience by removing your password.”
Prof Woodward stated that Microsoft’s claims about poor password usage were mostly correct.
“The message about what good password hygiene looks like has been hammered home – but it’s easier said than done,” he said.
Passwords were a decades-old concept, and “perhaps the time has come to look for something different.”
However, there were no currently agreed-upon standards.
“There are a number of different ways this could be done – and it would be really good if everyone moved on, really, and tried to find a way to do this,” Prof Woodward said.