"Ten years ago, Microsoft had a bold idea. Instead of signing in using clumsy and insecure passwords, what if you could simply smile?" Never mind that certain limitations of Microsoft's cloud services (I'm looking at you, file sharing and collaboration) might make you weep rather than beam, because gurning logins are apparently Microsoft's aim for all its services. With that in mind, the company has announced that from here on in, new Microsoft accounts will be passwordless by default (via Bleeping Computer). In fact, you won't even have to create a password at all.
If that superficially sounds like a security nightmare, Microsoft obviously isn't just leaving all new accounts completely exposed. Instead, "new users will have several passwordless options for signing into their account."
What options, exactly? "Instead of showing you all the possible ways for you to sign in, we automatically detect the best available method on your account and set that as the default," Microsoft says.
Options include Windows Hello Facial recognition, fingerprint scanning and PINs or personal identification numbers, which are together known as passkeys as opposed to passwords. PINs, of course, are really just a subset of the broader notion of passwords, so there's an element of semantics to all this.
Despite that, Microsoft is touting the move as bringing its account logins a step closer to the ultimate ideal of completely ditching passwords. "As more people enroll passkeys, the number of password authentications will continue to decline until we can eventually remove password support altogether," the announcement says.
Anyway, the driving force behind all this is the inherent insecurity of passwords. Once a password has been compromised, and if that's the sole point of security, anyone, anywhere, can access an account by the simple means of typing in a password.
As Microsoft says, "bad actors know that the password age is ending, and that the number of easily compromised accounts is shrinking. In response, these bad actors are devoting considerable resources to automating brute force and phishing attacks against any account still protected by a password.
Last year, we observed a staggering 7,000 password attacks per second (more than double the rate from 2023). As passkeys become the new standard, expect increased pressure from cyberattackers on any accounts still protected by passwords or other phishable sign-in methods."
While facial recognition, fingerprints and other biometric methods are not totally foolproof, they are fundamentally more secure. What's more, passkey-based methods aren't just safer, they're easier and faster to use.
"Users signing in with passkeys are three times more successful at getting into their account than password users (about 98% versus 32%). When you use a passkey, you get into your account much quicker, too! Passkey sign-ins are eight times faster than a password and multifactor authentication," Microsoft claims, and we've no real reason to doubt it.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
