Common attacks such as phishing, password spray, and credential stuffing rely on one unchanging truth: when it comes to passwords, human behavior is predictable. Armed with this predictability, bad actors still succeed most of time when attempting these types of attacks, even though the tools they’re using are 30 years old.
Starting today, we’re excited to announce that anyone using a consumer Microsoft account can go completely passwordless! You can now delete your password from your Microsoft account—or set up a new account with no password—and sign-in using other more secure and convenient authentication methods such as the Microsoft Authenticator app, Windows Hello, or physical security keys.
All it takes is three easy steps: Visit Advanced Security Options for your Microsoft account, select Passwordless Account, then follow the on-screen prompts. That’s it! Once you’ve removed your password, you can sign in to your account by approving a notification from the Microsoft Authenticator app.
In The passwordless future is here post, Vasu Jakkal explains in detail why signing in without a password is faster, easier, and more secure. Best of all, once your password is gone, you can finally forget it for good!
Passwords leave enterprises vulnerable
Since attackers only need a single password to breach an account and start infiltrating an organization, it’s alarming that one in 100 people “protect” a critical account with easily guessed passwords. The most common passwords from 2011, such as 123456, abc123, and iloveyou, are still on the list of top 20 (worst) passwords!
In the past decade, the industry has championed two-step verification, which can reduce the risk of compromise by 99.9%. Verifying identity with a password plus an additional factor has helped, but hackers are already starting to bypass the second step. As long as passwords are still part of the equation, they’re vulnerable.
Bringing passwordless technology to you
A couple of years ago, we shared a four-step approach to ending the era of passwords for organizations:
Our identity product team has been singularly focused on this goal, collaborating with product teams across Microsoft and with the standards community toward eliminating passwords from the directory. And we’ve made tremendous progress.
Join us on October 13th for Your Passwordless Future Starts Now digital event, where Vasu, members of my team, and experts across Microsoft will share insights and best practices for building a passwordless future. It's 90 minutes you won't want to miss!
We’re continually innovating to bring passwordless options to more customers. In addition to building new and exciting ways to sign in without a password, we’ll soon start the development work necessary to eliminate passwords for Azure AD accounts. Administrators will be able to choose whether passwords are required, allowed, or simply don’t exist for a set of users. Users will be able to choose not to set a password when creating an account or to remove their password from an existing account.
As we continue to build a passwordless future, your feedback will be invaluable. Please share your questions and comments at answers.microsoft.com.