Though a completely passwordless future is still a ways off, you’ll soon be able to take a big step in that direction by nuking the password on your Microsoft account. The company announced today that the password-free features it already offers to corporate customers will now be available to everyone.
Over the next few weeks, Microsoft will roll out support for a passwordless life in the Microsoft Authenticator app and the biometric-based Hello login service for Windows. You’ll be able to set things up so you use a biometric like a fingerprint or face scan, a hardware authentication token, or a verification code sent to your phone or email as an alternative to a password. Like your old login, the new system will let you—and more than a billion other Microsoft account holders—access services like Office 365 and OneDrive.
“The number of cyberattacks has increased as a result of identity and password theft—as defenders, we really have our work cut out for us in this asymmetric game,” says Vasu Jakkal, Microsoft’s corporate vice president of security, compliance, identity, and management. “Without passwords you get advanced security, and it’s so much easier. It’s just a slam dunk.”
Passwordless schemes use biometrics (something you are) or things like hardware security keys (something you have) to confirm you are who you claim to be; in other words, to authenticate you. In contrast, passwords are “something you know,” which becomes a problem when that information is found or guessed by others. In passwordless schemes, though, even security codes sent to your phone are really “something you have” instead of “something you know,” because they require you to have access to your smartphone during a specific, brief period of time.
This conceptual shift makes passwordless systems more secure in many ways, but people are so accustomed to passwords after using them for decades that it’s sometimes difficult to convince them to try something else. If you’ve invested time setting up a password manager, you may feel like a lot of the aggravation is gone from the whole situation anyway. And passwordless login is so easy that it can feel less secure, simply because there’s less hassle involved in looking into your webcam for a face scan or sticking a YubiKey into a USB port.
Even within Microsoft it took years to design and implement an alternative structure that eliminated passwords entirely instead of simply adding more layers of defense on top of them.
“I remember it was 2017, and we started talking about, what if—instead of improving multifactor authentication—we changed course to just eliminate passwords,” says Microsoft chief information security officer Bret Arsenault. “I was sitting there thinking, is this just wordsmithing that someone from marketing came up with? And then I thought, well, if we really did want to eliminate passwords, what would we do differently? It was like a lightbulb switched on.”
Microsoft says it has more than 200 million passwordless users from its enterprise rollout. And the company isn’t the only tech giant offering alternatives to logging in with a password. It has particular influence, though, given Windows and Office 365’s ubiquity among both corporate customers and individuals.