In a significant shift for online security, Microsoft has announced a groundbreaking update that will impact over 1 billion end users. The tech giant is making strides towards a passwordless future, emphasizing that traditional passwords are increasingly vulnerable to attacks. Microsoft warns that passwords “could be easily forgotten or guessed by an attacker,” making it imperative to “completely remove the password from your account.”
In a statement from December, Microsoft declared, “The password era is ending.” The company highlighted the alarming rise in password-related attacks, noting that “bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.” Currently, Microsoft is blocking an astonishing “7,000 attacks on passwords per second,” a figure that has nearly doubled from the previous year. This has led to a mission to “convince a billion users to love passkeys.”
As part of this transition, Microsoft is rolling out a new sign-in and sign-up user experience for web and mobile applications. By the end of April, most Microsoft account users will encounter these updated processes. This development allows Microsoft to rethink the default sign-in experiences, placing greater emphasis on usability and security. The new user experience is specifically designed for a passwordless and passkey-first approach.
When users sign up for a new account, they will only need to enter their email address; there is no requirement to create a Microsoft password. Instead, users verify their email with a one-time code, which serves as the default credential for the new account, so they start out passwordless. Once signed in, users are then prompted to create their passkey.
Microsoft is also enhancing the sign-in logic for accounts, ensuring that a passkey is the default sign-in option whenever possible. This is because passkeys are not only more secure but also three times faster than traditional passwords. However, Microsoft is keen to point out that simply adding passkeys is not sufficient if passwords are still in play. If users possess both a passkey and a password that grant access to the same account, the account remains vulnerable to phishing attacks.
To mitigate risks, Microsoft’s goal is to eliminate passwords entirely, transitioning towards accounts that only support phishing-resistant credentials. “Millions of users have deleted their passwords,” the company stated, underscoring the importance of this shift amid the rise of AI-driven attacks and frequent compromises of two-factor authentication.
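The two claims above, that a passkey cannot be phished while a password left on the same account can, come down to origin binding and to the weakest accepted method. The following is an added illustration, not Microsoft's code: the relying party, origins, key handling and the `PHISHABLE` set are all constructed, and an HMAC stands in for the authenticator's public-key signature.

```python
"""Constructed model (not Microsoft's code) of the two points above: a passkey
assertion is bound to the origin the browser really showed, so one signed on
a lookalike site cannot be relayed to the real service, while an account that
also keeps a password is only as phishing-resistant as that password."""
import hashlib
import hmac
import secrets

RP_ORIGIN = "https://login.example"       # constructed relying-party origin
LOOKALIKE = "https://login-examp1e.test"  # constructed phishing origin
PHISHABLE = {"password", "sms_otp", "email_otp", "totp"}  # replayable by a phishing proxy


def account_is_phishing_resistant(methods):
    """True only when every sign-in method still enabled is unphishable."""
    return bool(methods) and not (set(methods) & PHISHABLE)


def sign_assertion(key, origin_seen, challenge):
    """Authenticator side: sign (origin, challenge). HMAC stands in for the real
    public-key signature; what matters is that the browser, not the page,
    fills in the origin it is actually connected to."""
    client_data = f"{origin_seen}|{challenge}".encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()


def verify_assertion(key, expected_challenge, client_data, sig):
    """Relying-party side: signature, origin and challenge must all match."""
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    origin, challenge = client_data.decode().split("|", 1)
    return origin == RP_ORIGIN and challenge == expected_challenge


def passkey_login(key, origin_seen):
    """One round: RP issues a fresh challenge, the user signs it on whatever
    site the browser is on, RP verifies. Returns True when the RP accepts."""
    challenge = secrets.token_hex(16)
    client_data, sig = sign_assertion(key, origin_seen, challenge)
    return verify_assertion(key, challenge, client_data, sig)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("passkey on real site:", passkey_login(key, RP_ORIGIN))
    print("passkey relayed from lookalike:", passkey_login(key, LOOKALIKE))
    print("passkey-only account:", account_is_phishing_resistant(["passkey"]))
    print("passkey + password account:", account_is_phishing_resistant(["passkey", "password"]))
```

The relayed assertion fails even though the signature is valid, because the origin inside the signed data is the lookalike's; a password typed into the same lookalike page would have replayed unchanged, which is why the policy check treats the mixed account as still phishable.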
Microsoft's clear and straightforward messaging has been commendable. The adoption of passkeys is gathering momentum, with recent reports indicating that “phishing-resistant authentication, led by FIDO passkeys, is projected to become the most widely deployed authentication method within two years.” However, more work lies ahead. There is a pressing need for similar clarity from other major platform providers to ensure a widespread transition away from passwords.
Unlike Microsoft, Google has indicated that passwords will remain as a backup credential for account access. However, this approach leaves potential vulnerabilities, as highlighted by Microsoft’s warnings. This year should mark a turning point, featuring consistent guidance on the use of passkeys and the complete eradication of passwords and basic two-factor authentication methods.