You Can Now Sign-In to Your Microsoft Account Without a Password

Posted on November 20, 2018 by Paul Thurrott in Cloud, Microsoft, Microsoft Consumer Services, Windows 10 with 56 Comments

Microsoft has taken a major step towards its goal of eliminating passwords this week. You can now sign in to your Microsoft account by using Windows Hello or a hardware security key instead of your username and password.

“We’ve just turned on the ability to securely sign in with your Microsoft account using a standards-based FIDO2 compatible device, no username or password required,” Microsoft vice president Alex Simons explains. “This combination of ease of use, security and broad industry support is going to be transformational.”

He could be right.

You can now configure your Microsoft account on a YubiKey 5 Series hardware security key or similar and use that key to sign in to Microsoft account-based services like Bing, Skype, Office, OneDrive, Outlook.com, or Xbox Live using the Microsoft Edge browser. (You can also use any Windows Hello-based authentication method your PC supports.)

Configuring this is easy enough, and I was able to do so over the weekend because YubiKey had been kind enough to send me a YubiKey 5 Series hardware security key; Microsoft enabled this functionality on the Microsoft account website last week.

To do so, open Microsoft Edge and navigate to the Microsoft account website. Then, navigate to Security > “more security options.” On the Additional security options page that appears, you’ll see a new section called Windows Hello and security keys. You can configure your MSA for a security key or Windows Hello there.

Once your account is configured to use a key, you can use it for subsequent sign-ins on the web. You’ll see an option to “Sign in with Windows Hello or a security key” at the sign-in prompt. So you can use this instead of manually typing your username and password.

After you select that option, just insert your security key, type the key’s PIN, and authenticate with your finger. You’re in!

Microsoft tells me that it is the first company to support password-less authentication using the FIDO2 WebAuthn and CTAP2 specifications, which are supported by the YubiKey 5 Series hardware security keys. And its Microsoft Edge web browser currently supports the widest array of authenticators compared to other major browsers, Microsoft says.

And sure enough, when I try to sign in to Microsoft account-based services with Google Chrome, there’s no option to use Windows Hello or my preconfigured security key.

I’ll have more about the YubiKey 5 Series hardware security keys soon.


68 responses to “You Can Now Sign-In to Your Microsoft Account Without a Password”

  1. Polycrastinator

    Great. If you're having discussions with Microsoft on this, can you ask when they'll be supporting it for business 365 accounts, too? I guess I need to order myself some series 5 keys now my series 4 is obsolete.

  2. bart

    Seems to be rolling out still. Awaiting to see the options on my Dutch account

  3. hrlngrv

    Looks like a usb dongle. Weren't there unique identifier dongles for parallel ports 20 years ago?


    What happens when people lose or fatally damage the dongles? No account access until a replacement arrives?

  4. igor engelen

    Is this why they messed up their Azure MFA service yesterday, for an entire day?

  5. Andrew Jackson

    RE: "I’ll have more about the YubiKey 5 Series hardware security keys soon."


    Eagerly awaiting your comments. I'm right on the cusp of starting to use a YubiKey.


    But I'm still not quite convinced if the additional hassle is really worth it, versus using a good Authenticator app and a reasonably secure phone. I currently use both Microsoft Authenticator and LastPass Authenticator and I like the convenience of being able to Allow/Accept logon notifications from my Apple Watch.

    I accept that, ultimately, a YubiKey may be more secure, but it is also less convenient. And convenience/security is a tricky balance.


    A reasonably secure phone and a Yubikey both fulfill the criteria of 'something physical I have'. Is the benefit of the YubiKey that it is guaranteed 'unhackable'?

    • Polycrastinator

      In reply to DrewTX:

      FWIW, I've found it less hassle than typing a 6 digit code that I need to look up. Relies on you having it somewhere quick to retrieve of course, but the authentication is fast and mindless, which is what I want from this stuff. But I've not yet tried the FIDO2 implementation.

      • Andrew Jackson

        In reply to Polycrastinator:

        The Microsoft Authenticator and LastPass Authenticator do not require me to enter a 6-digit code; they just prompt me to 'Accept' or 'Deny' the request - either via the iOS app or WatchOS app. So, for example, when I log into my Outlook.com account, I receive a notification on the Watch, and can (usually*) Approve/Deny via the Watch.

        (*The Microsoft Authenticator seems a bit inconsistent here; I always get the notification on the Watch app, but it doesn't always offer the Approve/Deny buttons)

        I don't know how that is all working under the covers :-) But essentially the request is being pushed to my phone & watch, and I do not need to enter a 6 digit code to approve.

        So that all makes it very convenient, but I'm not clear if it is also significantly less secure than a Yubikey.

    • Andrew Jackson

      In reply to DrewTX:

      I guess that my general question is:


      Is a good Authenticator app (which does NOT rely on SMS, and which can handle push authentication requests with a simple Approve/Deny) 'good enough' for most people?


      I assume that such services are pushing an encrypted and time-sensitive authentication request to the app on the device, which is then sending an encrypted response back (from a known device/hardware).


      (somewhat rhetorically) What happens if I lose my Yubikey?

      Do I really need to have 2 or 3 Yubikeys (already registered as alternate devices, $$$)?

      And, on accounts with which I use Yubikey, should I remove all other forms of account recovery?


      I think I 'get' that Yubikey is more secure since it is 'pwn proof'.

      But it seems like going down a rabbit hole for diminishing returns on the last 0.001% of paranoia.

      Significantly less convenient - and maybe only marginally more secure - than Approving authentication requests via Microsoft/LastPass on my Apple Watch.


      ... anyway, I just bought a Yubikey, so sign me up for a one-way ticket to Paranoia Town! :-)



      • Polycrastinator

        In reply to DrewTX:

        So I'm certainly of the opinion that an authenticator app is good enough for most people. Personally, as I've had to add more and more authentication apps to my phone I felt like I'd rather just have one central device, and so the key appeals to me for that reason alone. It is more secure. How much more secure, in practical terms? 🤷‍♂️

        The standard security keys are pretty cheap, and support FIDO2 and U2F. You can't do any of the funky things like use the Yubico Authenticator App to store the 6 digit timed codes on the key with the cheap ones, or have one time passwords like LastPass currently uses, but as a backup key it's fine and it's only $20. I feel like a single Yubikey 5 and a backup security key is the right solution for anyone who wants to use this over an authenticator.

        The next big question is, how long will it take for others to follow suit and provide FIDO2?

      • wright_is

        In reply to DrewTX:
        (somewhat rhetorically) What happens if I lose my Yubikey? Do I really need to have 2 or 3 Yubikeys (already registered as alternate devices, $$$)?
        And, on accounts with which I use Yubikey, should I remove all other forms of account recovery?

        No, but it doesn't hurt and no.

        I only bought one Yubikey and it is still going strong and I haven't managed to lose it, although I have left it at home a couple of times and cursed myself at work, but it wasn't a big issue.

        With LastPass, for example, I generated an OTP (one time password), which I store in my safe. If the key is lost, you can use the OTP to recover the account.

        It is significantly more secure than using an app on the smartphone to log onto another app or website on the same smartphone...

    • wright_is

      In reply to DrewTX:

      I have used the Yubikey Neo for the last few years (5, I think). I use it with LastPass. If my phone gets stolen, they still can't gain access to my vault without the Yubikey (just hold it to the NFC sensor on the back of the phone). I need to enter the password and use the key, real 2FA. The same on the PC, password and the key in the USB slot to unlock.

      Having an authenticator app on the same device you are trying to unlock something (E.g. LastPass) on is just 1.5FA.

      The NFC in the key was also compatible with the entry and alarm system at my previous employer (MiFare protocol), so I could use the key to get in and out of the building as well, no need for an extra card.

  6. tdemerse

    For those wondering, the minimum OS and Edge versions are spelled out by Microsoft as follows:


    All you’ll need is a device running Windows 10 Version 1809 or later and the Microsoft Edge browser. (This functionality is not available yet on phones.)

    https://support.microsoft.com/en-ca/help/4463210/windows-10-sign-in-microsoft-account-windows-hello-security-key

  7. myawen

    Shoot. My Yubikey Neo isn't even a year old since I've purchased it, and it's already obsolete. *headdesk*

  8. Mike Widrick

    I'm really glad to see this, I just received my yubikey from ars and I was a bit underwhelmed with using it for 2FA, esp since for reliability, I should have more than one. But I like this option, it's like my security at work.

  9. sentxd

    Do you need 1809 for this? It tells me my "browser or operating system doesn't support this" but I'm on 1803 and using Edge. Any clue?

  10. dkirk

    Just a heads up, it appears you have to be on 1809 for this to work, tried on my Surface laptop with 1803 and it said my operating system or browser do not support Windows Hello

  11. AnOldAmigaUser

    Is this an additional sign-in method, or does it become the only option?

    I ask because I like this idea, but live in a world where keys are prone to being misplaced.

    • wright_is

      In reply to AnOldAmigaUser:

      It is Hello based, so you need a password on the account first. It is an additional method.

      I use a Yubikey Neo with LastPass, USB on Windows and NFC on my phone for unlocking the password vault - although there it is more sensibly set up as 2FA, you need the password and the token to log on.

  12. dcdevito

    Does this work for logging into Windows?

    Also, does anyone know of an external webcam that has Windows Hello capability?

    Thanks

  13. davidl

    In reply to dcdevito:

    I use Logitech Brio. https://www.logitech.com/en-us/product/brio


  14. shmuelie

    You can also use https://www.microsoft.com/en-us/p/rsa-securid-for-windows-hello/9n17xl3g8bmn to authenticate you without a password, no additional hardware required!

  15. fishnet37222

    Do you have to use Edge for this, or will it also work on Firefox?

  16. Maktaba

    Does this mean, when creating a new account, I don’t need to enter a password? If an account still needs a password, then this has achieved nothing.

    • Mike Widrick

      In reply to Maktaba:

      No, it means you don't need a memorable password - so it can be more secure. The most secure systems require the badge to log in - not like this system, but you could build on this. But if you don't have a badge office at home, what's your backup going to be? They still have passwords as backups and for different systems. No security is perfect.

  17. Angusmatheson

    Passwords are terrible, and I am so glad they are going away. How many years has it been since War Games taught us everything stupid we do with passwords - and we still do them? I haven’t tried a key to log in, but facial recognition and fingerprints are great. But the most magical way I have seen is Apple Watch. I don’t have a Mac I can do it with, but you just opened it up and off you went. It was like it wasn’t logged out. It is not nearly as secure, your coworker could log it if you were near I guess. And I bet facial recognition will get better and better. But there is a scary part about facial recognition getting better. Soon every camera in the world will be able to tell who I am and then where I am.

    • wright_is

      In reply to Angusmatheson:

      The problem is, facial recognition and fingerprints are usernames, not password replacements. They currently only provide convenience, without improving security. As soon as somebody "steals" your fingerprint or faceprint you are stuffed; you can't change your fingerprints on all your devices, for example...

      @Polycrastinator - yes, for the normal person, it isn't currently much of an issue, but we are coming to rely on biometrics without thinking it through. To get your fingerprint, you just need a smartphone camera, a laser printer and melt a gummibear... Face recognition is a little harder, but still not difficult.

      • james_wilson

        In reply to wright_is:

        The thing is - it's not the fingerprint or facial matrix that is the key - both these biometrics are just used to unlock the 'real' token stored on the device in TPM. This means, that if you have a fingerprint matrix for someone, you can't just log in to an account from anywhere - just yet.

        • wright_is

          In reply to James_Wilson:

          But if you steal the phone, chances are you have their fingerprints as well... It is a local attack, but it is a real attack vector.

          • james_wilson

            In reply to wright_is:

            Really? So if I steal someone’s phone, I also have their fingerprints? Wow, you’d better call Tim as you’ve just broken iPhone security!

            • wright_is

              In reply to James_Wilson:

              Well, usually you have held the phone in your hand, so your prints will be all over the device... And the finger you use to unlock will probably be the print on the sensor/button.

              • Polycrastinator

                In reply to wright_is:

                This is where questioning your personal requirement for security comes in. I'm sure my fingerprint can be taken from my phone and used to unlock it. Do I think the petty criminal who might steal my phone is going to go through that hassle? No. If they can't unlock it easily, they'll try to wipe it and resell it.

                But if someone is targeting you? You work in a sensitive position in a corporation or have other reason to think you might be targeted? Absolutely that is a concern and you should configure your devices accordingly.

          • Mike Widrick

            In reply to wright_is:

            This is the equivalent of a car key, not nuclear codes. People and dogs are still the ultimate in real security.


            While I'm not sold on its value for me personally, Apple's machine learning facial recognition is a real leap forward and a brilliant solution. A device that recognizes you.
