No Passwords Needed for Microsoft Accounts
Microsoft on Wednesday announced that the company is ditching the password when it comes to logging into consumer-facing Microsoft accounts.
Instead, users can leverage their Authenticator app, Windows Hello, a security key or request a texted or e-mailed verification code to access their accounts. This will work to access a user's overall account and popular Microsoft apps and services, including Microsoft OneDrive, Outlook and more. The company said that users can remove their passwords starting Wednesday, with app and service integration rolling out "over the coming weeks."
In a blog post announcing the change, Vasu Jakkal, corporate vice president of Security, Compliance and Identity at Microsoft, said the move was spurred by a universal disdain for password management.
We are expected to create complex and unique passwords, remember them, and change them frequently, but nobody likes doing that either. In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally "reply all"—which can be monumentally embarrassing—than reset a password.
While there are multiple options for logging in, decoupling the password from an account will require the Windows Authenticator app. Once the change is officially rolled out, users will be prompted to approve a notification in their Authenticator app before their password is removed. Or, if a user doesn't have an Authenticator app set up, they will be guided through the setup process before removing the password.
Microsoft confirms that the password won't just be hidden, but completely removed. In an e-mailed response, a Microsoft spokesperson assured there will be no way to retrieve the unused password:
Removing a password means that it is no longer stored in our identity directory and is not usable as an authentication method. Alternative authentication methods (both device-bound such as Windows Hello or cross-device such as the Authenticator App) can continue to be used to sign in passwordlessly.
It's important to note that once password authentication is removed from a Windows account, users will still have the option to revert to a password for login.
While the company has given users replacement options, it is not clear how Microsoft accomplishes this, such as whether it relies on the public key-private key structure found in Azure Active Directory to remove passwords. Wednesday's move also will mostly not affect enterprise users, as the ability to even create a Microsoft account on a company domain was phased out in 2016.
The change is aimed at alleviating the growing threat from attacks due to weak passwords. Microsoft said that there is an average of 579 password attacks a second, for a yearly total of 18 billion. Removing the human element in account security should drastically reduce the threat of compromised accounts.
And Wednesday's move removes the human element with a four-step approach:
- Deploy password replacement offerings.
- Reduce user-visible password surface area.
- Transition to passwordless deployment.
- Eliminate passwords from identity directory.