New Microsoft accounts will be “passwordless by default”

Microsoft is making new Microsoft accounts passwordless by default, the company announced on Thursday, which marked this year’s World Password Day.

“As part of [a recently simplified sign-in user experience], we’re changing the default behavior for new accounts,” Vasu Jakkal, Corporate VP, Microsoft Security, and Joy Chik, President, Identity & Network Access, declared.

“New users will have several passwordless options for signing into their account and they’ll never need to enroll a password. Existing users can visit their account settings to delete their password.”

Passkeys offer faster and more secure authentication

In 2004, Bill Gates famously predicted the death of the password. In the intervening years, Microsoft introduced many changes to make that forecast come true.

21 years later, the company is ready to celebrate the very first “World Passkey Day”, and is not stopping at making Microsoft accounts passwordless by default: it’s also making it simpler – and therefore preferable – to sign in with safer options.

“Instead of showing you all the possible ways for you to sign in, we automatically detect the best available method on your account and set that as the default,” Jakkal and Chik explained.

“For example, if you have a password and ‘one time code’ set up on your account, we’ll prompt you to sign in with your one time code instead of your password. After you’re signed in, you’ll be prompted to enroll a passkey. Then the next time you sign in, you’ll be prompted to sign in with your passkey.”

Passwordless sign-in (Source: Microsoft)

Passkeys are digital credentials, i.e., a pair of private and public cryptographic keys, usually stored on the user’s mobile device or computer. They will (it is hoped!) supplant passwords as the preferred authentication method for all kinds of online accounts.

Aside from increased security – phishing becomes much harder to pull off – passkeys make the authentication process easier and faster because users don’t have to remember or enter passwords and second authentication factors: they simply sign in to their accounts with their face, fingerprint, or PIN.

“Passkey sign-ins are eight times faster than a password and multifactor authentication,” Microsoft claims. And as more and more users switch to signing into their accounts without passwords, attackers will concentrate more on breaching those accounts that are still protected by passwords or other phishable sign-in methods.

Still sticking to passwords?

Microsoft is hoping to see a continued decline in the number of password authentications and that, in time, it will be able to remove password support altogether.

In the meantime, with passwords still in use, users are advised to use:

  • Unique, long and strong passwords for each account
  • Password managers to create and store passwords (due to infostealing malware, storing passwords in browsers is not a great option)
  • Multi-factor authentication for additional protection. Any MFA method is better than none at all, but getting your authentication codes from an authenticator app is better than getting them via SMS, and using FIDO U2F security (hardware) keys is better than relying on an authenticator app
