Those of you who use a Microsoft account to sign into Windows, Office, Outlook or other Microsoft apps and services can now fully jettison your password as another step toward a passwordless future. In a blog post published Wednesday, Microsoft announced that the passwordless sign-in option that rolled out to business users in March is now available for individual users with Microsoft accounts.
Passwords have long been a necessary evil in the world of security. Use a weak or familiar password for each account and you open yourself up to hacks and data theft. Try to create strong and unique passwords and you’ll be hard-pressed to remember them without the aid of a password manager or other tool.
Relying on passwords as a form of security leads to several problems.
Almost a third of people in Microsoft’s research said they stopped using an account or service rather than deal with a lost or forgotten password, according to Vasu Jakkal, Microsoft corporate VP for security, compliance and identity, and author of the blog post.
As a result, too many people use common words or phrases for their passwords, such as names of pets, family names, and important dates such as a birthday. Some 1 in 10 people said they reuse passwords across multiple sites, while 40% admitted to using a formula such as Fall2021, which then becomes Winter2021 and Spring2022 each time they need to change their password.
“Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts,” Jakkal said. “There are a whopping 579 password attacks every second—that’s 18 billion every year.”
The tech industry has been trying to come up with more secure and convenient options to authenticate your account logins. But the road to a passwordless future has been slow and inconsistent. Microsoft’s latest move is a step in the right direction. The company has long offered two-factor authentication as a way to sign into your account. But until now, you still needed a password associated with your account.
To take advantage of the new passwordless option for your Microsoft account, you first must set up an alternative form of authentication if you haven’t already done so. You can choose from an authenticator app such as Microsoft Authenticator, a Windows Hello option such as fingerprint or facial recognition, a security key or a verification code sent to your phone. Your best bet is to use an authenticator app as that provides both security and convenience as long as your phone or another supported device, such as an Apple Watch, is nearby.
Next, sign in to the webpage for your Microsoft account. On your account page, click the Security heading at the top and select Advanced Security Options. In the Additional Security section, turn on the Passwordless account option. Click Next. You’ll receive a notification in the Microsoft Authenticator app asking you to approve the password removal. Tap Approve.
If you ever need or want your password to be active again, simply return to the same page and turn off the option for Passwordless account.
“The cyber security vendor community must drive towards creating easy-to-use cyber security experiences that deliver an acceptable level of security to the technologies that the consumers demand,” said Tyler Shields, CMO at cyber asset management firm JupiterOne. “A good example of this is the move to single sign on and passwordless authentication. Users have failed to maintain proper passwords for decades. That will never change, so innovation must build an easy-to-use alternative that provides appropriate security with a much better user experience.”
Editor’s note: This story has been updated with additional comment.