After years of promising to kill the password, Microsoft is finally delivering.
You'll now be able to completely abolish the password for your personal Microsoft account (school and work accounts won't work) as long as you are running a recent version of Windows 10 or 11 and have at least two other verification factors.
These include the Microsoft Authenticator smartphone app, which is required. The others can be a Windows Hello biometric credential (i.e. your face or a fingerprint), a hardware security key, or a one-time passcode sent to you via text message or email.
Passwordless login for your Microsoft account should work with most of the Microsoft universe, including Edge, Office365, OneDrive, Outlook.com, Skype, Teams and Xbox Live.
However, it won't work on older devices and operating systems, including Windows 7, Windows 8.1 or even Windows 10 up to version 1809; Office 2010, or Office 2011 for Mac; Xbox 360; Windows Phone 8; and the Remote Desktop protocol. For some of these, you'll be able to set up Microsoft device-specific app passwords.
Why Microsoft is making this change
"Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts," wrote Vasu Jakkal, Microsoft's corporate vice-president of security, in a company blog post yesterday (Sept. 15). "There are a whopping 579 password attacks every second — that's 18 billion every year."
More than 17 years after Bill Gates famously predicted the death of the password, Microsoft has given up trying to get people to create and use strong, unique passwords, Jakkal explained.
"Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives," he said. "Nearly a third of people say they completely stop using an account or service rather than dealing with a lost password."
(Tom's Guide disagrees: Strong, unique passwords aren't hard to handle as long as you're using one of the best password managers, some of which are free. We'll take up this issue with Microsoft privately.)
How to set up Microsoft passwordless logins
Microsoft rolled out passwordless logins to its enterprise customers back in March, and now it's available to consumers as well. Here's how to set it up.
1. Install the Microsoft Authenticator app on your phone and link it to your Microsoft account (it's required for passwordless login).
2. Log into or create a Microsoft account at https://account.microsoft.com/.
3. Click Security in the top navigation bar on your Microsoft account dashboard page.
4. Click Advanced Security Options on the following page.
5. Click Turn On in the Passwordless Account box halfway down the following page, under the heading Additional Security.
6. Click Next in the dialogue box that pops up.
7. Follow the prompts.
8. Approve the confirmation request sent to the Microsoft Authenticator app on your phone.
Should you get rid of your Microsoft password?
You can already avoid typing your Microsoft password without ditching it altogether. Most Windows 10 PCs let you log in with a device-specific PIN instead of the Microsoft password. If you have the Microsoft Authenticator app, then when you log into your Microsoft account online, you're asked to match verification codes instead of using your password.
We're also not sure what happens if you kill your Microsoft password and then lose access to your Authenticator app if your phone dies or you lose it.
Microsoft's support page for passwordless logins states that "you can still access your Microsoft Account using an alternate recovery method like text message or a backup email address," but the first requires a working phone and the second, easy access to a PC.
Plus, says the support page, "if you have Two Step Verification turned on, you will need to have access to two recovery methods," which might be hard to come by in certain situations.
So we're not about to give up our Microsoft account password. Jakkal is correct that any password is vulnerable to phishing attacks (unless you use a hardware security key for two-factor authentication), but we're not yet totally comfortable going without one.