Microsoft has taken a major step towards its goal of eliminating passwords this week. You can now sign in to your Microsoft account by using Windows Hello or a hardware security key instead of a username and password.
“We’ve just turned on the ability to securely sign in with your Microsoft account using a standards-based FIDO2 compatible device, no username or password required,” Microsoft vice president Alex Simons explains. “This combination of ease of use, security and broad industry support is going to be transformational.”
He could be right.
You can now configure your Microsoft account on a YubiKey 5 Series hardware security key or similar and use that key to sign in to Microsoft account-based services like Bing, Skype, Office, OneDrive, Outlook.com, or Xbox Live using the Microsoft Edge browser. (You can also use any Windows Hello-based authentication method your PC supports.)
Configuring this is easy enough, and I was able to do so over the weekend because YubiKey had been kind enough to send me a YubiKey 5 Series hardware security key; Microsoft enabled this functionality on the Microsoft account website last week.
To set this up, open Microsoft Edge and navigate to the Microsoft account website. Then, navigate to Security > “more security options.” On the Additional security options page that appears, you’ll see a new section called Windows Hello and security keys. You can configure your MSA for a security key or Windows Hello there.
Once your account is configured to use a key, you can use it for subsequent sign-ins on the web. You’ll see an option to “Sign in with Windows Hello or a security key” at the sign-in prompt. So you can use this instead of manually typing your username and password.
After you select that option, just insert your security key, type the key’s PIN, and authenticate with your finger. You’re in!
Microsoft tells me that it is the first company to support password-less authentication using the FIDO2 WebAuthn and CTAP2 specifications, which are supported by the YubiKey 5 Series hardware security keys. And its Microsoft Edge web browser currently supports the widest array of authenticators compared to other major browsers, Microsoft says.
And sure enough, when I try to sign in to Microsoft account-based services with Google Chrome, there’s no option to use Windows Hello or my preconfigured security key.
I’ll have more about the YubiKey 5 Series hardware security keys soon.
Polycrastinator
<p>Great. If you're having discussions with Microsoft on this, can you ask when they'll be supporting it for business 365 accounts, too? I guess I need to order myself some series 5 keys now my series 4 is obsolete.</p>
wright_is
Premium Member<blockquote><em><a href="#370156">In reply to Polycrastinator:</a></em></blockquote><p>Good timing for me, I have an original Yubikey Neo, which misses a lot of features and is 2 generations behind. With the new 5 series there is also a new Neo, so I was thinking of upgrading anyway.</p><p>Microsoft 365 / Office 365 support would be great.</p>
AnOldAmigaUser
Premium Member<p>Is this an additional sign-in method, or does it become the only option?</p><p>I ask because I like this idea, but live in a world where keys are prone to being misplaced.</p>
wright_is
Premium Member<blockquote><em><a href="#370159">In reply to AnOldAmigaUser:</a></em></blockquote><p>It is Hello based, so you need a password on the account first. It is an additional method.</p><p>I use a Yubikey Neo with LastPass, USB on Windows and NFC on my phone for unlocking the password vault – although there it is more sensibly set up as 2FA, you need the password and the token to log on.</p>
dcdevito
<p> Does this work for logging into Windows? </p><p>Also, does anyone know of an external webcam that has Windows Hello capability?</p><p>Thanks</p>
jww
Premium Member<blockquote><em><a href="#370198">In reply to dcdevito:</a></em></blockquote><blockquote><em>I use an external LilBit Facial Recognition camera for logging into Windows using Hello which works fine but only for Windows login not for apps such as Enpass..</em></blockquote>
dcdevito
<blockquote><em><a href="#370225">In reply to JWW:</a></em></blockquote><p>Thanks</p>
Caradog
<blockquote><em><a href="#370198">In reply to dcdevito:</a></em></blockquote><p>I'm using a Razer Stargazer for Windows Hello (logging into Windows); it also works with 1Password (and 1Password in Edge) and now hopefully this once it rolls out to the UK.</p>
davidl
<blockquote><a href="#370158"><em>In reply to dcdevito:</em></a><em>I use Logitech Brio. </em>https://www.logitech.com/en-us/product/brio</blockquote>
shmuelie
Premium Member<p>You can also use https://www.microsoft.com/en-us/p/rsa-securid-for-windows-hello/9n17xl3g8bmn to authenticate you without a password, no additional hardware required!</p>
dkirk
<p>Just a heads up, it appears you have to be on 1809 for this to work, tried on my Surface laptop with 1803 and it said my operating system or browser do not support Windows Hello</p>
MikeGalos
<blockquote><em><a href="#370229">In reply to dkirk:</a></em></blockquote><p>Yes. The announcement said: </p><p><em>All you’ll need is a device running Windows 10 Version 1809 or later and the Microsoft Edge browser. (This functionality is not available yet on phones.)</em></p>
fishnet37222
Premium Member<p>Do you have to use Edge for this, or will it also work on Firefox?</p>
wright_is
Premium Member<blockquote><em><a href="#370230">In reply to fishnet37222:</a></em></blockquote><p>I'm guessing Edge only, at least at the start. Google are the same, using FIDO only works in Chrome, if you use a different browser there is no way to use a Yubikey as your 2FA.</p>
Polycrastinator
<blockquote><em><a href="#370510">In reply to wright_is:</a></em></blockquote><p>Which is a bit frustrating: I'm a Firefox user, and Firefox has supported FIDO2 and U2F for a while, but Google and Microsoft only have it available in their own browsers. This stuff needs to be everywhere if adoption is to be high.</p>
Maktaba
<p>Does this mean, when creating a new account, I don’t need to enter a password? If an account still needs a password, then this has achieved nothing.</p>
Mike Widrick
<blockquote><em><a href="#370231">In reply to Maktaba:</a></em></blockquote><p>No, it means you don't need a memorable password – so it can be more secure. The most secure systems require the badge to log in – not like this system, but you could build on this. But if you don't have a badge office at home, what's your backup going to be? They still have passwords as backups and for different systems. No security is perfect.</p>
Angusmatheson
<p>Passwords are terrible, and I am so glad they are going away. How many years has it been since War Games taught us everything stupid we do with passwords – and we still do them? I haven’t tried a key to log in, but facial recognition and fingerprints are great. But the most magical way I have seen is Apple Watch. I don’t have a Mac I can do it with, but you just opened it up and off you went. It was like it wasn’t logged out. It is not nearly as secure, your coworker could log it if you were near I guess. And I bet facial recognition will get better and better. But there is a scary part about facial recognition getting better. Soon every camera in the world will be able to tell who I am and then where I am.</p>
wright_is
Premium Member<blockquote><em><a href="#370232">In reply to Angusmatheson:</a></em></blockquote><p>The problem is, facial recognition and fingerprints are usernames, not password replacements. They currently only provide convenience, without improving security. As soon as somebody "steals" your fingerprint or faceprint you are stuffed, you can't change your fingerprints on all your devices, for example…</p><p>@Polycrastinator – yes, for the normal person, it isn't currently much of an issue, but we are coming to rely on biometrics without thinking it through. To get your fingerprint, you just need a smartphone camera, a laser printer and melt a gummi bear… Face recognition is a little harder, but still not difficult.</p>
james_wilson
<blockquote><em><a href="#370551">In reply to wright_is:</a></em></blockquote><p>The thing is – it's not the fingerprint or facial matrix that is the key – both these biometrics are just used to unlock the 'real' token stored on the device in TPM. This means, that if you have a fingerprint matrix for someone, you can't just log in to an account from anywhere – just yet.</p>
wright_is
Premium Member<blockquote><em><a href="#370556">In reply to James_Wilson:</a></em></blockquote><p>But if you steal the phone, chances are you have their fingerprints as well… It is a local attack, but it is a real attack vector.</p>
Mike Widrick
<blockquote><em><a href="#370558">In reply to wright_is:</a></em></blockquote><p>This is the equivalent of a car key, not nuclear codes. People and dogs are still the ultimate in real security.</p><p><br></p><p>While I'm not sold on its value for me personally, Apple's machine learning facial recognition is a real leap forward and a brilliant solution. A device that recognizes you.</p>
james_wilson
<blockquote><em><a href="#370558">In reply to wright_is:</a></em></blockquote><p>Really? So if I steal someone’s phone, I also have their fingerprints? Wow, you’d better call Tim as you’ve just broken iPhone security! </p>
wright_is
Premium Member<blockquote><em><a href="#371036">In reply to James_Wilson:</a></em></blockquote><p>Well, usually you have held the phone in your hand, so your prints will be all over the device… And the finger you use to unlock will probably be the print on the sensor/button.</p>
Polycrastinator
<blockquote><em><a href="#371075">In reply to wright_is:</a></em></blockquote><p>This is where questioning your personal requirement for security comes in. I'm sure my fingerprint can be taken from my phone and used to unlock it. Do I think the petty criminal who might steal my phone is going to go through that hassle? No. If they can't unlock it easily, they'll try to wipe it and resell it.</p><p>But if someone is targeting you? You work in a sensitive position in a corporation or have other reason to think you might be targeted? Absolutely that is a concern and you should configure your devices accordingly.</p>
bart
Premium Member<p>Seems to be rolling out still. Awaiting to see the options on my Dutch account</p>
hrlngrv
Premium Member<p>Looks like a usb dongle. Weren't there unique identifier dongles for parallel ports 20 years ago?</p><p><br></p><p>What happens when people lose or fatally damage the dongles? No account access until a replacement arrives?</p>
Polycrastinator
<blockquote><em><a href="#370291">In reply to hrlngrv:</a></em></blockquote><p>Buy 2. My configuration is to have one with NFC, and a backup, cheap key I can't use with my phone in the fireproof safe in my basement as backup.</p>
Mike Widrick
<blockquote><em><a href="#370291">In reply to hrlngrv:</a></em></blockquote><p>The yubikey is also NFC, though.</p><p><br></p><p>As for backup, see the screen above, there is still user id+password. </p>
Jeffsters
<blockquote><em><a href="#370291">In reply to hrlngrv:</a></em></blockquote><p>People get the tiny Yubi keys that are flush and leave them in. Not kidding! I see it all the time! Security by PR.</p>
igor engelen
<p>Is this why they messed up their Azure MFA service yesterday, for an entire day?</p>
Andrew Jackson
Premium Member<blockquote><em><a href="#370296">In reply to Igor Engelen:</a></em></blockquote><p>I second that question!</p><p>http://www.enowsoftware.com/solutions-engine/azure-ad-outage</p>
Andrew Jackson
Premium Member<p>RE: "<span style="color: rgb(0, 0, 0);">I’ll have more about the YubiKey 5 Series hardware security keys soon.</span>"</p><p><br></p><p>Eagerly awaiting your comments. I'm right on the cusp of starting to use a YubiKey.</p><p><br></p><p>But I'm still not quite convinced if the additional hassle is <em>really</em> worth it, versus using a good Authenticator app and a reasonably secure phone. I currently use both Microsoft Authenticator and LastPass Authenticator and I like the convenience of being able to Allow/Accept logon notifications from my Apple Watch.</p><p>I accept that, ultimately, a YubiKey may be more secure, but it is also less convenient. And convenience/security is a tricky balance. </p><p><br></p><p>A reasonably secure phone and a Yubikey both fulfill the criteria of 'something physical I have'. Is the benefit of the YubiKey that it is guaranteed 'unhackable'?</p>
Polycrastinator
<blockquote><em><a href="#370322">In reply to DrewTX:</a></em></blockquote><p>FWIW, I've found it less hassle than typing a 6 digit code that I need to look up. Relies on you having it somewhere quick to retrieve of course, but the authentication is fast and mindless, which is what I want from this stuff. But I've not yet tried the FIDO2 implementation.</p>
Andrew Jackson
Premium Member<blockquote><em><a href="#370325">In reply to Polycrastinator:</a></em></blockquote><p>The Microsoft Authenticator and LastPass Authenticator do not require me to enter a 6 digit code, they just prompt me to 'Accept' or 'Deny' the request – either via the iOS app or WatchOS app. So, for example, when I log into my Outlook.com account, I receive a notification on the Watch, and can (usually*) Approve/Deny via the Watch.</p><p>(*The Microsoft Authenticator seems a bit inconsistent here; I always get the notification on the Watch app, but it doesn't always offer the Approve/Deny buttons)</p><p>I don't know how that is all working under the covers 🙂 But essentially the request is being pushed to my phone & watch, and I do not need to enter a 6 digit code to approve.</p><p>So that all makes it very convenient, but I'm not clear if it is also significantly less secure than a Yubikey.</p>
Andrew Jackson
Premium Member<blockquote><em><a href="#370322">In reply to DrewTX:</a></em></blockquote><p>I guess that my general question is:</p><p><br></p><p><strong>Is a good Authenticator app</strong> (which does NOT rely on SMS, and which can handle push authentication requests with a simple Approve/Deny) <strong> 'good enough' for most people?</strong></p><p><br></p><p>I assume that such services are pushing an encrypted and time-sensitive authentication request to the app on the device, which is then sending an encrypted response back (from a known device/hardware)</p><p><br></p><p>(somewhat rhetorically) What happens if I lose my Yubikey?</p><p>Do I really need to have 2 or 3 Yubikeys (already registered as alternate devices, $$$)?</p><p>And, on accounts with which I use Yubikey, should I remove all other forms of account recovery?</p><p><br></p><p><span style="background-color: rgb(255, 255, 255);">I think I 'get' that Yubikey is more secure since it is 'pwn proof'.</span></p><p>But it seems like going down a rabbit hole for diminishing returns on the last 0.001% of paranoia.</p><p>Significantly less convenient – and maybe only marginally more secure – than Approving authentication requests via Microsoft/LastPass on my Apple Watch.</p><p><br></p><p>… anyway, I just bought a Yubikey, so sign me up for a one-way ticket to Paranoia Town! :-)</p>
Polycrastinator
<blockquote><em><a href="#370408">In reply to DrewTX:</a></em></blockquote><p>So I'm certainly of the opinion that an authenticator app is good enough for most people. Personally, as I've had to add more and more authentication apps to my phone I felt like I'd rather just have one central device, and so the key appeals to me for that reason alone. It is more secure. How much more secure, in practical terms? 🤷‍♂️</p><p>The standard security keys are pretty cheap, and support FIDO2 and U2F. You can't do any of the funky things like use the Yubico Authenticator App to store the 6 digit timed codes on the key with the cheap ones, or have one time passwords like LastPass currently uses, but as a backup key it's fine and it's only $20. I feel like a single Yubikey 5 and a backup security key is the right solution for anyone who wants to use this over an authenticator.</p><p>The next big question is, how long will it take for others to follow suit and provide FIDO2?</p>
wright_is
Premium Member<blockquote><em><a href="#370408">In reply to DrewTX:</a></em></blockquote><blockquote>(somewhat rhetorically) What happens if I lose my Yubikey? Do I really need to have 2 or 3 Yubikeys (already registered as alternate devices, $$$)?</blockquote><blockquote>And, on accounts with which I use Yubikey, should I remove all other forms of account recovery?</blockquote><p>No, but it doesn't hurt and no.</p><p>I only bought one Yubikey and it is still going strong and I haven't managed to lose it, although I have left it at home a couple of times and cursed myself at work, but it wasn't a big issue.</p><p>With LastPass, for example, I generated an OTP (one time password), which I store in my safe. If the key is lost, you can use the OTP to recover the account.</p><p>It is significantly more secure than using an app on the smartphone to log onto another app or website on the same smartphone…</p>
wright_is
Premium Member<blockquote><em><a href="#370322">In reply to DrewTX:</a></em></blockquote><p>I have used the Yubikey Neo for the last few years (5, I think). I use it with LastPass. If my phone gets stolen, they still can't gain access to my vault without the Yubikey (just hold it to the NFC sensor on the back of the phone). I need to enter the password and use the key, real 2FA. The same on the PC, password and the key in the USB slot to unlock.</p><p>Having an authenticator app on the same device you are trying to unlock something (E.g. LastPass) on is just 1.5FA.</p><p>The NFC in the key was also compatible with the entry and alarm system at my previous employer (MiFare protocol), so I could use the key to get in and out of the building as well, no need for an extra card.</p>
tdemerse
<p>For those wondering, the minimum OS and Edge versions are spelled out by Microsoft as follows:</p><p><br></p><p class="ql-indent-1"><em style="color: rgb(0, 0, 0); background-color: transparent;">All you’ll need is a device running Windows 10 Version 1809 or later and the Microsoft Edge browser. (This functionality is not available yet on phones.)</em></p><p class="ql-indent-1">https://support.microsoft.com/en-ca/help/4463210/windows-10-sign-in-microsoft-account-windows-hello-security-key</p>
myawen
<p>Shoot. My Yubikey Neo isn't even a year old since I've purchased it, and it's already obsolete. *headdesk*</p>
wright_is
Premium Member<blockquote><em><a href="#370435">In reply to myawen:</a></em></blockquote><p>I've been waiting 3 years for Yubico to update the Neo; it has been a generation behind for at least 2, if not 3 years. It is great that they have now updated it to be comparable to the other Yubikeys.</p>
Mike Widrick
<p>I'm really glad to see this, I just received my yubikey from ars and I was a bit underwhelmed with using it for 2FA, esp since for reliability, I should have more than one. But I like this option, it's like my security at work.</p>
sentxd
<p>Do you need 1809 for this? It tells me my "browser or operating system doesn't support this" but I'm on 1803 and using Edge. Any clue?</p>
sentxd
<blockquote><em><a href="#371396">In reply to sentxd:</a></em></blockquote><p>Ah you do need 1809…</p>