Although passwords have been the go-to mechanism for securing computing resources for generations, they have become increasingly impractical and vulnerable. Microsoft recognizes that passwords are problematic, and in recent years has taken steps to reduce some of the burden associated with using passwords. Here are a couple of passwordless authentication solutions that will enable you to start walking back password use with Microsoft accounts.
Conventional wisdom has long held that passwords need to be long, complex and frequently changed to be secure. However, Microsoft’s current password guidelines are based on the idea that arduous password requirements ultimately lead to using weak passwords, and that users who do use strong passwords will almost certainly end up writing the passwords down somewhere. These guidelines also recognize that passwords have been in use for decades and will continue to be used for some time to come. At the same time, though, Microsoft is actively working to eliminate password use with passwordless authentication solutions.
Microsoft first began its crusade against passwords with the introduction of Windows Hello, a feature built into Windows 10 and Windows 11 that enables users to authenticate using something other than a password. For example, Windows Hello supports biometric authentication in the form of facial or fingerprint recognition. It also allows users to log in using a simple numerical PIN instead of using a password. (In case you are wondering, Microsoft considers a PIN to be secure because the PIN is local to the device and is never transmitted across the network. In fact, if you back up Windows 10 and restore the backup to a different computer, the PIN will be invalidated.)
You can access Windows Hello by opening Settings and then clicking on Accounts. Next, click on the Sign In tab and then choose the sign-in option that you want to configure. You can see the various sign-in options in Figure 1.
Figure 1: These are the options that exist for logging into Windows without a password.
More recently, Microsoft has begun offering password-free alternatives for Microsoft accounts. Removing the password from a Microsoft account is a relatively simple process. To do so, you will need to download and install the Microsoft Authenticator app. This app, available on iOS or Android, allows you to log into various types of accounts using two-factor authentication rather than a password.
Once you have installed the app, go to https://account.microsoft.com/security and then sign in using your Microsoft account. Once the login is complete, scroll to the bottom of the page and click Advanced Security Options, which you can see in Figure 2.
Figure 2: Click the Advanced Security option.
At this point, Microsoft will send a confirmation code to your mobile device. Once you have entered the code into the website to prove your identity, you will be taken to the Security page, shown in Figure 3.
Figure 3: The Security page allows you to manage various security settings for your Microsoft account.
If you look at the bottom-right corner of the figure above, you will notice a Passwordless Account option. Click the Turn On link. This will cause the site to display a warning message telling you that you need to install the Microsoft Authenticator app and that you might lose access to older apps, services or devices that do not support passwordless authentication. If you want to move forward, click Next and then follow the prompts to approve the notification that was sent to the Microsoft Authenticator app. When you are done, you will see a message stating that your password has been removed. You can restore password-based authentication at a later time if you choose.
As passwords come under increasing scrutiny as a security measure, organizations should evaluate alternative authentication methods. Windows Hello and Microsoft Account are just two options for moving toward a passwordless future.