Microsoft Tech Community
Introducing password removal for Microsoft Accounts
Published Sep 15 2021 06:00 AM
Microsoft

Common attacks such as phishing, password spray, and credential stuffing rely on one unchanging truth: when it comes to passwords, human behavior is predictable. Armed with this predictability, bad actors still succeed most of the time when attempting these types of attacks, even though the tools they’re using are 30 years old.

Starting today, we’re excited to announce that anyone using a consumer Microsoft account can go completely passwordless! You can now delete your password from your Microsoft account—or set up a new account with no password—and sign in using other more secure and convenient authentication methods such as the Microsoft Authenticator app, Windows Hello, or physical security keys.

All it takes is three easy steps: Visit Advanced Security Options for your Microsoft account, select Passwordless Account, then follow the on-screen prompts. That’s it! Once you’ve removed your password, you can sign in to your account by approving a notification from the Microsoft Authenticator app.

[Screenshot: successful password removal]

In the "The passwordless future is here" post, Vasu Jakkal explains in detail why signing in without a password is faster, easier, and more secure. Best of all, once your password is gone, you can finally forget it for good!

Passwords leave enterprises vulnerable

Since attackers only need a single password to breach an account and start infiltrating an organization, it’s alarming that one in 100 people “protect” a critical account with easily guessed passwords. The most common passwords from 2011, such as 123456, abc123, and iloveyou, are still on the list of top 20 (worst) passwords!

In the past decade, the industry has championed two-step verification, which can reduce the risk of compromise by 99.9%. Verifying identity with a password plus an additional factor has helped, but hackers are already starting to bypass the second step. As long as passwords are still part of the equation, they’re vulnerable.

Bringing passwordless technology to you

A couple of years ago, we shared a four-step approach to ending the era of passwords for organizations:

[Image: Bringing passwordless technology to you (the four-step approach)]

Our identity product team has been singularly focused on this goal, collaborating with product teams across Microsoft and with the standards community toward eliminating passwords from the directory. And we’ve made tremendous progress.

Join us on October 13th for the Your Passwordless Future Starts Now digital event, where Vasu, members of my team, and experts across Microsoft will share insights and best practices for building a passwordless future. It's 90 minutes you won't want to miss!

What’s next

We’re continually innovating to bring passwordless options to more customers. In addition to building new and exciting ways to sign in without a password, we’ll soon start the development work necessary to eliminate passwords for Azure AD accounts. Administrators will be able to choose whether passwords are required, allowed, or simply don’t exist for a set of users. Users will be able to choose not to set a password when creating an account or to remove their password from an existing account.

As we continue to build a passwordless future, your feedback will be invaluable. Please share your questions and comments at answers.microsoft.com.

24 Comments
Brass Contributor

Is there any way to block Microsoft Accounts from being created on your company domain yet? 
So that you can prevent your employees from accidentally making a "Personal" Microsoft Account on their Company Email address, and making their life confusing a lot of the time when they sign in? 

This can help find existing MSA Accounts on your Company domain, but not prevent new ones - Find Microsoft Accounts on Company Domains

Microsoft

@PsychoData When you link a company domain name as a managed one to an Azure AD tenant, then users should not be able to create a personal MSA using that domain name. 

Brass Contributor

@Vladimír Mach Interesting - that must be fairly new! 

It definitely used to be possible - because I got these screenshots by signing up for like 6 Microsoft Accounts on Company Domains in a lab environment with a work email address before. 


Any idea when that happened or a post explaining the changes or anywhere that you can manage this setting? 

Also - did this blocking do anything for existing Microsoft Accounts on Company domain names? 

Microsoft

@PsychoData Creating new Microsoft Accounts using Azure AD managed domains was disabled back in 2016. (Yay!) The following is a 2018 repost of the original 2016 article.  See the section that states, "Starting today, we're blocking the ability to create a new personal Microsoft account using a work/school email address, when the email domain is configured in Azure AD."
Cleaning up the #AzureAD and Microsoft account overlap - Microsoft Tech Community

Brass Contributor

Interesting, there must be a delay of some sort before it will recognize it as a verified domain. 

I frequently remove and add several of my test domains to demo and test tenants, so maybe it wasn't recognized as a "current work domain" and it let me register my test accounts. 

Thanks! 

Yes, they have introduced a new blocker that prevents new home accounts with domains that are known in Azure.

I appreciate the passwordless strategy. Also like that Windows Hello is now also accepted for local UAC. 

One thing you should help to improve soon. Please allow hello secure key for passwordless login in workgroups / home accounts. 

It works now complementary for OOBE in Windows 10 and 11 but not as a login method as of Windows Hello secure key. 

This is only possible for enterprise customers. If people could use their FIDO2 device at home instead of a password, this would bring things to a better level of acceptance. Yubikey has very good offers. 

@Joy_Chik 

The security key for hello currently works for home users only for web authentication, not for Windows login. 

This should be changed soon. 

Iron Contributor

Starting today, we’re excited to announce that anyone using a consumer Microsoft account can go completely passwordless! You can now delete your password from your Microsoft account—or set up a new account with no password

Passwordless MSA creation has been available for a long time on iOS and Android. What's exactly new here @Joy_Chik? Windows maybe? 

Copper Contributor

sad

Copper Contributor

My Live account is no longer prompting for a password, rather going straight to the Authenticator, WITHOUT making any changes. 

Is this the intended behaviour?

In what way is this 2FA, when it's ONLY the Authenticator?

Copper Contributor

How would this work for (for example) RDP that's reliant on a password?

Copper Contributor

@Recce2070 Only using your Authenticator App is indeed two factor authN.

1. Something you have = your Phone

2. Something you know / or are = PIN to unlock your phone to access the Authenticator App or using biometrics like fingerprint or facial recognition (FaceID)

Therefore two factor does not always need to involve a password.

Copper Contributor

Hi,

I just tried this new feature. I noticed that if you remove your password you must enter a secondary email and a mobile phone number. These two methods, even combined, cannot be considered a secure method of authentication. There's no guarantee that the secondary mail is protected with a secure password and MFA. Same thing with the SMS (SIM swapping or SS7 attack).

With no password configured in my account I try to log in. Microsoft will send a code to my secondary mail and a second code (if you use 2FA) via SMS, then you are asked to set a password for your account.

Right now it is not possible to log in only using strong authentication mechanisms (Security Keys, Authenticator or Windows Hello); you must have some sort of "insecure" fallback method (SMS, alternative email or password).
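One way to reason about the two comments above, the one explaining why an Authenticator approval on an unlocked phone is already two factors and the one observing that the email and SMS fallbacks remain enabled, is to treat every enabled sign-in path as an alternative an attacker may choose and rate the account by its weakest path. The following Python is an added example written for this page, not code from the post, from Microsoft or from the commenters; the factor names, the phishing-resistance flags (assumed true only for device-bound credentials such as a FIDO2 key, false for an approval prompt or a one-time code) and the two sample configurations are this example's own assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Factor:
    name: str
    kind: Kind
    # Assumed attribute: True only for credentials bound to the device and the
    # origin (e.g. a FIDO2 key), which a relayed login page cannot reuse.
    phishing_resistant: bool = False


@dataclass(frozen=True)
class SignInPath:
    """One complete way to pass sign-in; any enabled path alone grants access."""
    name: str
    factors: tuple

    def distinct_kinds(self):
        # Two credentials of the same kind (password + security question)
        # still count as a single factor.
        return {f.kind for f in self.factors}

    def factor_count(self):
        return len(self.distinct_kinds())

    def is_phishing_resistant(self):
        # One origin-bound factor blocks a real-time relay even if the other
        # credentials on the same path are captured.
        return any(f.phishing_resistant for f in self.factors)

    def strength(self):
        # Ordered so that min() over the paths returns the weakest one.
        return (self.factor_count(), self.is_phishing_resistant())


def weakest_path(paths):
    return min(paths, key=lambda p: p.strength())


def account_posture(paths):
    """The account is only as strong as its weakest enabled path."""
    w = weakest_path(paths)
    return {
        "weakest": w.name,
        "factors": w.factor_count(),
        "phishing_resistant": w.is_phishing_resistant(),
    }


def paths_to_disable(paths, min_factors=2, require_phishing_resistant=False):
    """Names of enabled paths that fall below the target posture."""
    return [
        p.name for p in paths
        if p.factor_count() < min_factors
        or (require_phishing_resistant and not p.is_phishing_resistant())
    ]


# Constructed factors; the attributes are this example's assumptions.
PASSWORD = Factor("password", Kind.KNOWLEDGE)
SECURITY_QUESTION = Factor("security question", Kind.KNOWLEDGE)
PHONE = Factor("phone holding the Authenticator app", Kind.POSSESSION)
PHONE_UNLOCK = Factor("PIN or biometric unlock of that phone", Kind.KNOWLEDGE)
SMS_CODE = Factor("SMS one-time code", Kind.POSSESSION)
EMAIL_CODE = Factor("code sent to the secondary email", Kind.POSSESSION)
FIDO2_KEY = Factor("FIDO2 security key", Kind.POSSESSION, phishing_resistant=True)
KEY_PIN = Factor("security key PIN", Kind.KNOWLEDGE)

# The passwordless account as the comments describe it: an Authenticator
# approval path plus the email and SMS fallbacks (constructed configuration).
PASSWORDLESS_WITH_FALLBACKS = (
    SignInPath("Authenticator approval", (PHONE, PHONE_UNLOCK)),
    SignInPath("email code fallback", (EMAIL_CODE,)),
    SignInPath("SMS code fallback", (SMS_CODE,)),
)

# The same account with only strong methods enabled (constructed configuration).
STRONG_ONLY = (
    SignInPath("Authenticator approval", (PHONE, PHONE_UNLOCK)),
    SignInPath("FIDO2 key + PIN", (FIDO2_KEY, KEY_PIN)),
)

if __name__ == "__main__":
    for label, cfg in (("with fallbacks", PASSWORDLESS_WITH_FALLBACKS),
                       ("strong only", STRONG_ONLY)):
        print(label, account_posture(cfg), "disable:", paths_to_disable(cfg))
```

Running it shows that the account with fallbacks rates as a single, non-phishing-resistant factor no matter how strong the Authenticator path is, and `paths_to_disable()` names the email and SMS fallbacks as the paths to remove to reach the posture the commenter is asking for.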

 

 

 

 

Copper Contributor

Hi Joy,

I like your work.

I saw this "We’ll soon start the development work necessary to eliminate passwords for Azure AD accounts." Is this coming soon? Maybe October 13 at "Your Passwordless Future Starts Now Digital event".

Will this be available for all versions of Azure AD?

Copper Contributor

@Vladimír Mach No new MSAs, however, there's no good story for the existing MSAs which got created in the past. This leads to customer confusion and loss of data.

I recently had a scenario where the customer got locked out of their device due to BitLocker, and didn't realize they needed to check their MSA for the recovery key because they understandably thought they would have only a single "Microsoft" account with a given UPN and checking Azure AD for the recovery key was the only place to look. They ended up reformatting the device, losing data, only to learn after the fact that the recovery key was available in their MSA. This was preventable, if only we had a good option to get customers to rename their MSAs with a UPN in our domain.

I understand that Microsoft no longer has the "eviction" option which it provided ~8 years ago for this scenario, due to legal reasons. However, I can imagine other engineering approaches which would be similar but not run afoul of the legal issues. Why not allow an organization to trigger a one-time notice at next sign in which informs owners of MSAs with a UPN in their domain that there are significant risks due to confusion and they should strongly consider renaming their account, along with an easy process to do that? In that solution, the owner of the MSA has a choice, but they are presented with a strong recommendation which is clearly from a trusted source embedded in the sign in process.

Brian Arkills
University of Washington

Brass Contributor

@barkills 
had a good option to get customers to rename their MSAs with a UPN in our domain

Yeah, this kind of process is what I was seeing - only with mine it was often customers mistakenly buying multiple extra copies of MS Office because they didn't realize they were already paid for under the "Work" account instead of "Personal".

It isn't something offered from MS's side, but I did this to find the current people with Microsoft Accounts so that I could make tickets for HelpDesk to *cough* assist them in moving to a non-company email address

Find Microsoft Accounts on Company Domains

Copper Contributor

When will Microsoft Authenticator be available in the Microsoft Store?

Copper Contributor

I made my Live account passwordless (no problems there) but now I'm unable to use RDP to remote onto a test machine setup against that same account.

Copper Contributor

It's great to be passwordless however how long before I can use my Microsoft Authenticator to log me into any machines I may have connected to my Microsoft Account given I don't have a 'password' now.

Iron Contributor

work account not available?

Copper Contributor

My test box and home machine are both only set up with MSA login, so no option of Domain/M365 login. RDP only works as I've set up a new local account with a password, but I'd rather still RDP using my MSA, as that is where my data/profile is stored.

Copper Contributor

@Joy_Chik Hello Joy, could you please fill us in on the plans regarding the password removal for Azure AD accounts?

@Joy_Chik will we be able to use FIDO2 like Yubikey to log on to or unlock Windows 11 23H2? 

Copper Contributor

@Karl_Wester-Ebbinghaus Windows 11 already supports logon to Entra ID joined devices using FIDO2 keys like Yubikey. That has been available for some time and I've deployed Yubikeys and others (Thetis being one recently that looks like quite a good option for the price) for this in the past. Of course Windows Hello does also, and it is only the Microsoft Authenticator passwordless method that does not support device logon (as it requires triggering a push).

The main outstanding 'hurdles' for me in regards to passwordless for enterprise are 1. no inbuilt method to remove passwords for users as discussed above and 2. no supported way to remove password logon as an option for device logon. 

@philrice login to Windows OS is supported for Azure AD/Hybrid Joined devices.

If so, I would wish for this to happen for Windows Home/Pro and MSA. 

Version history
Last update: Nov 09 2023 11:10 AM