Microsoft has taken a major step towards its goal of eliminating passwords this week. You can now sign-in to your Microsoft account by using Windows Hello or a hardware security key instead of your username or password.
“We’ve just turned on the ability to securely sign in with your Microsoft account using a standards-based FIDO2 compatible device, no username or password required,” Microsoft vice president Alex Simons explains. “This combination of ease of use, security and broad industry support is going to be transformational.”
He could be right.
You can now configure your Microsoft account on a YubiKey 5 Series hardware security key or similar and use that key to sign-in to Microsoft account-based services like Bing, Skype, Office, OneDrive, Outlook.com, or Xbox Live using the Microsoft Edge browser. (You can also use any Windows Hello-based authentication method your PC supports.)
Configuring this is easy enough, and I was able to do so over the weekend because YubiKey had been kind enough to send me a YubiKey 5 Series hardware security key; Microsoft enabled this functionality on the Microsoft account website last week.
To do so, open Microsoft Edge and navigate to the Microsoft account website. Then, navigate to Security > “more security options.” On the Additional security options page that appears, you’ll see a new section called Windows Hello and security keys. You can configure your MSA for a security key or Windows Hello there.
Once your account is configured to use a key, you can use it for subsequent sign-ins on the web. You’ll see an option to “Sign in with Windows Hello or a security key” at the sign-in prompt. So you can use this instead of manually typing your username and password.
After you select that option, just insert your security key, type the key’s PIN, and authenticate with your finger. You’re in!
Microsoft tells me that it is the first company to support password-less authentication using the FIDO2 WebAuthn and CTAP2 specifications, which are supported by the YubiKey 5 Series hardware security kes. And its Microsoft Edge web browser currently supports the widest array of authenticators compared to other major browsers, Microsoft says.
And sure enough, when I try to sign-in to Microsoft account-based services with Google Chrome, there’s no option to use Windows Hello or my preconfigured security key.
I’ll have more about the YubiKey 5 Series hardware security keys soon.