Microsoft Account Goes Passwordless

Anyone with a Microsoft account can now remove their password from the account entirely to enable better security.

“For the past couple of years we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision,” Microsoft corporate vice president Vasu Jakkal writes in the announcement post. “Beginning today, you can now completely remove the password from your Microsoft account.”

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott's Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

As for the “why” of this change, Microsoft points to the fact that passwords are insecure and are the focus of over 18 billion attacks every year, or 579 attacks every second.

Before you can go passwordless, you’ll need the Microsoft Authenticator app on your smartphone. Then, you can use Windows Hello, a security key, or a verification code that’s sent to an email address, your phone, or a compatible app or service like Outlook, OneDrive, Microsoft Family Safety, and more to sign-in, depending on the location.

To get started, you will need to sign-in to your Microsoft account on the web and enable the option “Passwordless account.” Then, just follow the on-screen prompts and approve the change from your Microsoft Authenticator app. (You can always re-add a password to the account later if you prefer.)

This capability is now available on consumer-oriented Microsoft accounts. Microsoft previously made passwordless sign-in a feature of its commercial Microsoft 365 accounts as well. You can learn more about going passwordless from the Microsoft website.

Tagged with

Share post

Please check our Community Guidelines before commenting

Conversation 26 comments

  • dsamuilov

    Premium Member
    15 September, 2021 - 9:35 am

    <p><span style="color: rgb(0, 0, 0);">This is great news!</span></p><p><span style="color: rgb(0, 0, 0);">I think passwordless is also a great way to get the kids and wife to start using a more secure way to access everything we share.</span></p><p><span style="color: rgb(0, 0, 0);">Before we start… </span>Does this work with Xbox and other services? I use my account in all kinds of services from MS. I am using MFA and leaning towards going passwordless, but I would like confirmation that all MS services support these settings before I do. </p>

    • Paul Thurrott

      Premium Member
      15 September, 2021 - 11:56 am

      <p>Yeah, I assume so (Xbox One and newer). All of my sign-ins are enter password and then approve with Authenticator, no password required. </p>

      • dsamuilov

        Premium Member
        15 September, 2021 - 5:01 pm

        <p>Do you mean enter account and then use the Authenticator app? Otherwise it would be passwordless requiring a password… kind of a backwards implementation! :D</p>

  • JJaret

    Premium Member
    15 September, 2021 - 9:41 am

    <p>Here is a question. I use RDP while at clients to connect to my home office desktop, how would I be able to login to my desktop over RDP if I enable paswordless Microsoft account?</p><p><br></p><p><br></p><p><br></p>

    • bassoprofundo

      Premium Member
      15 September, 2021 - 9:47 am

      <p>Check Paul’s link to the Microsoft info on it. There are a bunch of caveats that I have to think will keep a lot of us from going fully password-less for some time… :(</p><p><br></p><h2><em>Does a passwordless account work with all apps and services?</em></h2><p><em>No. Some older versions of Windows, apps, and services still need a password. Please continue to use a password if you use any of the following:</em></p><ol><li><em>Xbox 360</em></li><li><em>Office 2010 or earlier</em></li><li><em>Office for Mac 2011 or earlier</em></li><li><em>Products and services which use IMAP and POP&nbsp;email services</em></li><li><em>Windows 8.1, Windows 7 or earlier</em></li><li><em>Some Windows features </em><strong><em>including Remote Desktop and Credential Manager</em></strong></li><li><em>Some command line and task scheduler services.</em></li></ol><p><br></p>

      • JJaret

        Premium Member
        15 September, 2021 - 10:27 am

        <p>Thanks</p>

      • timwakeling

        15 September, 2021 - 10:48 am

        <p>I was also about to dive in until I saw the list of exceptions. There are some very large and well used apps and services in that list, which makes me think going passwordless at this stage is likely to backfire for many. I’ve no doubt it’s the future, but more services may need upgrading or time passing before that is a good idea.</p>

      • pachi

        15 September, 2021 - 11:14 am

        <p>As far as I know Outlook desktop doesnt even support two factor yet does it? I recall having to create an app password for it even in the newest version.</p>

        • bluvg

          15 September, 2021 - 11:23 am

          <p>On the Exchange Online side, Outlook uses browser-based auth, so you can use MFA, FIDO2 tokens, etc.</p>

        • IanYates82

          Premium Member
          15 September, 2021 - 5:18 pm

          <p>Your recollection is right, depending on when you set it up. I had to do the same back when I forced 2fa originally, but Outlook 2016+, from memory, has supported 2fa via MS authenicator, and now supports any MS-supported approach. </p>

    • bluvg

      15 September, 2021 - 11:30 am

      <p>RDP is still a huge pain for MFA and surprising gap for Microsoft, who hold the cards in closing the gap. Smart card is probably your best bet there. Some MFA options out there deal with it by adding a credential provider, then removing the password credential provider (optional, but necessary for enforcement). There are some downsides to this, but it’s better than GINA replacement days of yore.</p>

    • Alastair Cooper

      15 September, 2021 - 11:31 am

      <p>I think for that purpose you would use your Windows Hello PIN which is essentially a password specific to that device. As far as I can tell it’s a glorified version of the pre-cloud era Windows password. </p>

    • waethorn

      15 September, 2021 - 12:01 pm

      <p>You should be using a VPN already for that. If you have open RDP to WAN, expect to be hacked if you haven’t already.</p>

      • bluvg

        15 September, 2021 - 12:07 pm

        <p>True, or RD Gateway.</p>

      • fishnet37222

        Premium Member
        15 September, 2021 - 3:24 pm

        <p>I have my Remote Desktop enabled on my PC and I’ve forwarded the ports using my router. I have not noticed any hacking attempts on those ports.</p>

  • bluvg

    15 September, 2021 - 12:06 pm

    <p>This closes an important gap: passwordless auth is great, but less effective if a password remains behind the scenes. I would be curious how this is actually handled, whether the password is truly <em>removed</em> or simply scrambled like when you turn on the require smart card checkbox. </p>

    • rcalafato

      Premium Member
      17 September, 2021 - 3:50 pm

      <p>The password is removed completely.</p>

  • red.radar

    Premium Member
    15 September, 2021 - 12:17 pm

    <p>So Why do you have to use the Authenticator App?</p><p><br></p><p>If you have a Yubi-Key…or access to email address… I don’t see the need to Have to have the authenticator app. </p>

  • cmdrkeene

    15 September, 2021 - 12:20 pm

    <p>Inability to be a Remote Desktop host is the biggest impact to me when using a passwordless account, which I’ve been using for a long while (I didn’t know this wasn’t rolled out widely yet).</p><p><br></p><p>I’m about to jump through all the right hoops so I can use RDP. Basically remove my PIN/unlink from MSA, set a local password, re-link, etc. </p>

  • jdawgnoonan

    15 September, 2021 - 1:42 pm

    <p>It is hard for me to understand how just using the Microsoft Authenticator app (or SMS or emailed codes) is more secure than the computer generated (and very ugly) passwords that I currently use with 2FA through the Authenticator app. </p>

    • MikeCerm

      19 September, 2021 - 1:30 am

      <p>It’s not more secure, and I too would like to know why Microsoft is claiming that it is. Logically, 2FA is more secure, because it means that hackers must brute force guess your password AND hack your 2nd factor order to access to your account. Email and SMS are not very good 2nd factors because they go through 3rd parties and are not really secure, and time-based one-time passwords (TOTP) are not very secure on their own because it’s just 6 numerical digits, but if your 2nd factor is Microsoft Authenticator, and going passwordless just means making your 2nd factor your one-and-only factor, then you certainly have not gained anything.</p><p><br></p><p>I’m guessing that they claim that passwordless is more secure because, instead of merely using time-based one-time passwords (TOTP) like it does when you enable 2FA, they’re doing something behind the scenes that is much stronger than password+TOTP to authenticate the login, like a certificate that is stored in Microsoft Authenticator. With Microsoft accounts, normal two-step verification works with other authenticators, but passwordless requires Microsoft Authenticator, so that’s probably what’s going on. Still, it would be even more secure to require a username and password before sending you over to the app to approve the login. That’s how Google does it. </p>

  • singingwolf

    15 September, 2021 - 4:38 pm

    <p>I have also found if you have share drives in your setup, if you have never logged into the host machine with a password, then you cannot connect to the share drives. It took a few hours of frustration to work that one out.</p>

  • gandalforce

    Premium Member
    15 September, 2021 - 4:56 pm

    <p>Microsoft should of re-worded this message, lol</p>

  • hrlngrv

    Premium Member
    16 September, 2021 - 2:09 am

    <p>Someone has to ask: if one’s phone is dead (battery drained) and one can’t charge it, does that mean one’s locked out of one’s MSFT account until one could charge one’s phone?</p>

    • gelfer

      Premium Member
      16 September, 2021 - 2:37 am

      <p>Depends on your setup: if you have other ways to authenticate (such as ‘send a code via mail to a preconfirgured mailbox’ or ‘call me at a preconfigured telephone nr’ or ‘send code via text to a preconfigured telephone nr’), then you could maybe use one of these other methods.</p><p>If you have setup ONLY authenticator app, there’s maybe little else. I’ve seen the prompt you could use when authenticator is not at your disposal while trying to logon, but haven’t clicked it to check it out. But it would seem it’s a situation that MS has thought of at least…</p>

  • justme

    Premium Member
    16 September, 2021 - 3:02 am

    <p>While I have no doubt passwordless is the future, I am skeptical of this implementation given the list of exceptions. I do wonder if this will cause as much grief as it helps.</p>

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Thurrott © 2024 Thurrott LLC