Passwordless (Premium)

Apple, Google, and Microsoft recently announced that they would all support a common passwordless sign-in standard. That’s cute, but of the three, only Microsoft has truly embraced passwordless sign-ins. Apple and Google have a lot more work to do. A lot more.

User authentication is, as Microsoft would say, a hard computer science problem. Platform makers like Apple, Google, and Microsoft need to supply sophisticated and secure means for signing into accounts that are backed by two-factor authentication (2FA) or similar verification techniques. And then users need to adopt those features on all of their devices. We’re only truly secure—or as secure as we can be—when both happen.

For both to happen, of course, the platform makers need to make the authentication process as seamless as possible. But only Microsoft is hitting on all cylinders in offering secure authentication capabilities with its online accounts and making them as frictionless as possible.

Let’s use an example to prove the point.

It is an enduring frustration to me that when I try to sign in to a smartphone, be it an iPhone or an Android handset, or my iPad, I will sometimes be asked to enter my PIN “for additional security.” A PIN is not additional security; it’s less secure than the biometric sign-in that the device is for some reason bypassing arbitrarily, be it after a reboot or randomly at other times. And I will never understand that.

But Microsoft gets this right. When you configure a Windows 10/11 PC to sign in with whatever Windows Hello means—PIN, facial recognition, or fingerprint recognition, in my case—it will never again ask you to use a different method (unless something isn’t working right). This is exactly the way that authentication should work.

Another example.

When I use Google Chrome, it routinely—and I mean, like at least once every week or so—asks me to sign in to my Google account manually using a goddamn password like it’s 1997 again. I have no idea why this is needed so often, or why this thing can’t understand that I’ve securely signed in to Windows and there’s no need for this check. But it is so aggressive about making me manually type in my complex password that this alone is almost grounds for not using it anymore. (And please don’t get me started on the other reasons, which are obvious.)

By contrast, Microsoft Edge—and, in my experience, all other major web browsers, Chromium-based or not—does not force this unnecessary requirement on its users. You sign in once, you’re in. You’re accessing the application—which, admittedly, is important, given that it can store passwords, credit card numbers, and other personal data—via a device that is itself secure. You’re doing the right thing and it treats you like an adult.

Another example.

When I sign in to my Google account anywhere—in Chrome, on a Chromebook, on an Android handset, or in some mobile app—I have to enter my Google account email address and then manually type in my complex password. Then, I have to verify this sign-in via some 2FA mechanism on mobile. (This varies between Android and iPhone, and Google offers several options.) It’s tedious and unnecessary for Google to require that I enter my password, but it does.

When I sign in to my Apple account anywhere—on a Mac, an Apple device, on the web, whatever—I have to enter my Apple ID email address and then manually type in my complex password. Then, I have to verify this sign-in by manually typing in a verification code that is delivered to my Apple devices (iPhone or iPad), which is stupid: that 2FA mechanism on the device should let me verify this sign-in there. And what happens if I don’t have an Apple device with me? (I’m honestly not sure.)

When I sign in to my primary Microsoft account anywhere—on a new PC, via the web, on a mobile device, or in some mobile app—all I need to do is type in my Microsoft account email address. Next, I have to verify the sign-in via the Microsoft Authenticator app on mobile, with no passwords and no fuss, no muss. Bliss.

This, folks, is the way that authentication should work. And if you’re in the Microsoft ecosystem, it is the way the world works. Or at least can work, assuming you configure things correctly. But with Google and Apple, you have to put up with a lot of nonsense. A lot of nonsense.

There’s more.

On a secondary Microsoft account that I’m using for the Windows 11 Field Guide, I’ve taken yet another step that only Microsoft offers: I completely removed my password from the account. There is no password. And that means that there is one less vector for attack. It’s one less stupid thing to save, update, and replicate in various password managers, which is software that shouldn’t even exist. One less thing to ever have to type in anywhere. (This work is an extension of a feature Microsoft first offered back in 2018.)

So yeah. It’s nice to see Apple, Google, and Microsoft getting together to support this obvious push for a passwordless future. And let’s all stand up and applaud this effort. Bravo. Bravo.

But seriously. Microsoft is already there.


Thurrott