Microsoft Looks Beyond Password Protection For Accounts

Future is ‘passwordless’ says Microsoft, as it gives users option to delete account passwords and login via authenticator app

Microsoft has taken a major step in an effort to bolster account security, with the news that it is moving away from password protection.

Microsoft pointed out that in March this year it began to allow the passwordless sign in for commercial users.

But now the software giant has announced that over the following weeks, it will allow all users to completely remove the password from their Microsoft account and sign in via another verification solution.

Microsoft’s enthusiasm for passwords has been waning for a while now. Back in 2011 for example, Redmond banned Hotmail users from using easy-to-guess passwords.

Passwordless future

Microsoft announced that it was removing the need for people to use passwords to log into their accounts in a blog post by Vasu Jakkal, corporate VP, security, compliance and identity at Redmond.

Jakkal said that instead of passwords, users can use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to a phone or email to sign in to apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more.

“Nobody likes passwords,” wrote Jakkal. “They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives – from email to bank accounts, shopping carts to video games.”

“We are expected to create complex and unique passwords, remember them, and change them frequently, but nobody likes doing that either,” wrote Jakkal. “In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally “reply all” – which can be monumentally embarrassing – than reset a password.”

“Beginning today, you can now completely remove the password from your Microsoft account,” Jakkal wrote.

He pointed to a telling comment made by a colleague was that “hackers don’t break in, they log in.”

Just a few clicks

Jakkal explained how it would take just a few quick clicks to go passwordless.

“First, ensure you have the Microsoft Authenticator app installed and linked to your personal Microsoft account,” Jakkal wrote.

“Next, visit your Microsoft account, sign in, and choose Advanced Security Options. Under Additional Security Options, you’ll see Passwordless Account. Select Turn on,” Jakkal added. “Finally, follow the on-screen prompts, and then approve the notification from your Authenticator app. Once you’ve approved, you’re free from your password!”

If the user decides they prefer using a password, they can always add it back to their account.

However Jakkal pointed out that “nearly 100% of our employees” were already using the new, more secure system for their corporate accounts.

This drive to go passwordless does include a few exceptions, and passwords will still be needed for accounts for Office 2010, Xbox 360 consoles, and Windows 8.1 etc.

Multi-factor authentication

But at least one security expert believes the move will make it more difficult for hackers to practice their trade.

“This move from Microsoft is a sign of things to come for online security,” said Mantas Sasnauskas, lead cybersecurity researcher at CyberNews. “The future of personal account logins will undoubtedly be passwordless, as more systems will rely on robust authentication procedures rather than requiring users to remember passwords that are often not strong enough, or too complex to remember.”

“We have known for some time that multi factor authentication is one of the strongest ways to protect an account, as access to multiple devices and biometric data is required for access,” said Sasnauskas. “With this system in place, it becomes much harder for threat actors to compromise an account.

“More companies will be moving towards this, as Apple added features in iOS 15 to prepare for a similar moves towards more secure logins and to drop the use of passwords,” Sasnauskas concluded.