Microsoft has announced that all users can now go ‘passwordless’ — logging in to their accounts using other methods like fingerprints or authenticator apps instead.
The move by the Redmond, Washington-based firm follows an initial rollout of the feature to Microsoft’s business customers back in March of this year.
According to the firm, nearly all of its employees already use the passwordless login features.
The problem with passwords, they argued, is that they can be guessed or stolen — and, when elaborate enough to be secure, they are generally hard to remember.
In contrast, they said, only the correct users can provide their fingerprint or respond using the authenticator app on their phone.
It is unclear, however, how safe one’s account would be in the event that the phone containing the authenticator app was hacked, either remotely or after a theft.
MailOnline has approached Microsoft for comment on this issue.
The passwordless feature will not work with some older devices and platforms, however — including Xbox 360 consoles, Office 2010 and Windows 8.1 or earlier.
HOW TO GO PASSWORDLESS
Microsoft had the following instructions for users wishing to go passwordless themselves:
- First, ensure you have the Microsoft Authenticator app installed and linked to your personal Microsoft account.
- Next, visit your Microsoft account, sign in, and choose Advanced Security Options.
- Under Additional Security Options, you’ll see Passwordless Account. Select Turn on.
- Follow the on-screen prompts, and then approve the notification from your Authenticator app.
- Once you’ve approved, you’re free from your password!
- If you decide you prefer using a password, you can always add it back to your account.
‘Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks,’ Microsoft’s corporate vice president for Security, Compliance and Identity, Vasu Jakkal, wrote in a blog post.
‘Yet for years they’ve been the most important layer of security for everything in our digital lives — from email to bank accounts, shopping carts to video games.
‘We are expected to create complex and unique passwords, remember them, and change them frequently, but nobody likes doing that either.
‘For the past couple of years, we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision.
‘Beginning today, you can now completely remove the password from your Microsoft account,’ Mr Jakkal continued.
‘Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favourite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more.
‘This feature will be rolled out over the coming weeks,’ he concluded.
According to Microsoft, users who go passwordless and then lose access to their authenticator app can resort to one of a number of backup login options.
These include facial recognition (where available), a physical security key or using SMS or email codes.
The latter, however, are two of the most common pathways by which cyber-criminals target individuals. Furthermore, users employing two-factor authentication will need to have access to two separate recovery methods to take control of their account.
The move is ‘a bold step from Microsoft’, University of Surrey security expert Alan Woodward — who is investigating passwordless authentication — told BBC News.
‘This isn’t just logging into PCs, it’s logging into online services as well,’ he noted, referencing important online facilities like cloud storage.
However, the researcher noted, Microsoft’s claims about the issues with poor password use are largely true.
‘The message has been pummelled home about what good password hygiene looks like – but it’s easier said than done,’ he said.
‘Maybe the time is now right to start looking for something different,’ he added — noting that one issue is the lack of any agreed standard for passwordless authentication.
‘There are a number of different ways this could be done — and it would be good if everybody moved on, really, and tried to find a way of doing this.’
‘This move from Microsoft is a sign of things to come for online security,’ said CyberNews’ lead cybersecurity researcher, Mantas Sasnauskas.
‘The future of personal account logins will undoubtedly be passwordless, as more systems will rely on robust authentication procedures rather than requiring users to use passwords that are often not strong enough, or too complex to remember.
‘We have known for some time that multi factor authentication is one of the strongest ways to protect an account, as access to multiple devices and biometric data is required for access.
‘With this system in place, it becomes much harder for threat actors to compromise an account,’ he added.
‘More companies will be moving towards this, as Apple added features in iOS 15 to prepare for similar moves towards more secure logins and to drop the use of passwords.’
CHOOSING A SECURE PASSWORD
According to internet security provider Norton, ‘the shorter and less complex your password is, the quicker it can be for the program to come up with the correct combination of characters.
‘The longer and more complex your password is, the less likely the attacker will use the brute force method, because of the lengthy amount of time it will take for the program to figure it out.
‘Instead, they’ll use a method called a dictionary attack, where the program will cycle through a predefined list of common words that are used in passwords.’
Here are some steps to follow when creating a new password:
- Use a combination of numbers, symbols, uppercase and lowercase letters
- Ensure that the password is at least eight characters long
- Use abbreviated phrases for passwords
- Change your passwords regularly
- Log out of websites and devices after you have finished using them
And here are some things to avoid:
- Choose a commonly used password like ‘123456’, ‘password’, ‘qwerty’ or ‘111111’
- Use a solitary word. Hackers can use dictionary-based systems to crack passwords
- Use a derivative of your name, family member’s name, pet’s name, phone number, address or birthday
- Write your password down, share it or let anyone else use your login details
- Answer ‘yes’ when asked to save your password to a computer browser
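The Norton advice above boils down to two threats: a brute-force search over the keyspace, which grows with length and character variety, and a dictionary attack, which defeats any password built from a common word or personal detail no matter how long it is. The following checker is an added example written for this article; it is not Norton’s or Microsoft’s code. It scores a candidate password against the do/don’t rules listed above and estimates worst-case brute-force time for a keyspace of charset size to the power of length. The common-password list, dictionary and guess rate (ten billion guesses per second, in the range of offline cracking against a fast hash) are small constructed placeholders; a real deployment would substitute a breached-password corpus, a full word list and a rate matched to the hash in use.

```python
import math
import re

# Constructed sample lists for the example; a real deployment would use a
# breached-password corpus and a full dictionary (both assumed here).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein", "abc123"}
DICTIONARY_WORDS = {"sunshine", "dragon", "monkey", "football", "welcome", "summer"}

# Assumed attacker guess rate for the brute-force estimate (offline cracking of
# a fast, unsalted hash). Illustrative only; not a figure from the article.
GUESSES_PER_SECOND = 1e10

# Character classes and the size each contributes to the keyspace alphabet.
CHARSET_SIZES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII symbols
]


def charset_size(password: str) -> int:
    """Size of the alphabet the password draws from, based on the classes present."""
    return sum(size for pattern, size in CHARSET_SIZES if pattern.search(password))


def brute_force_seconds(password: str, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust charset_size ** len(password) at the given rate."""
    size = charset_size(password)
    if size == 0:
        return 0.0
    return size ** len(password) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration as seconds, days or years for a report line."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    days = seconds / 86400
    if days < 365:
        return f"{days:.1f} days"
    return f"{days / 365:.3g} years"


def check_password(password: str, personal_terms: tuple[str, ...] = ()) -> list[str]:
    """Return the advice rules the password violates; an empty list means it passes."""
    problems: list[str] = []
    lowered = password.lower()

    # Length rule: at least eight characters.
    if len(password) < 8:
        problems.append("shorter than eight characters")

    # Mix rule: numbers, symbols, uppercase and lowercase all present.
    classes = sum(1 for pattern, _ in CHARSET_SIZES if pattern.search(password))
    if classes < len(CHARSET_SIZES):
        problems.append("does not mix numbers, symbols, uppercase and lowercase letters")

    # Common-password rule: exact match against the known-bad list.
    if lowered in COMMON_PASSWORDS:
        problems.append("commonly used password")

    # Dictionary rule: strip digits and symbols and see if a single word remains,
    # which is how dictionary attacks with simple mangling rules would find it.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in DICTIONARY_WORDS:
        problems.append("based on a single dictionary word")

    # Personal-detail rule: names, pet names, birthdays and the like supplied by the caller.
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal detail '{term}'")

    return problems


def report(password: str, personal_terms: tuple[str, ...] = ()) -> str:
    """One-line summary combining rule violations and the brute-force estimate."""
    problems = check_password(password, personal_terms)
    verdict = "ok" if not problems else "; ".join(problems)
    return f"{password!r}: {verdict} (brute force: {human_duration(brute_force_seconds(password))})"


if __name__ == "__main__":
    # Constructed inputs; the personal terms stand in for a pet's name and a birth year.
    print(report("password"))
    print(report("Sunshine1!"))
    print(report("Rex1990!x", personal_terms=("Rex", "1990")))
    print(report("Tr0ub4dor&3"))
```

The brute-force figure is deliberately the worst case for the attacker, so a password that fails the dictionary or personal-detail rule is reported as weak even when its keyspace estimate runs to centuries: that gap between the two numbers is exactly the point the Norton quote makes about why attackers reach for dictionaries first.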