Microsoft Account Goes Passwordless

Posted on September 15, 2021 by Paul Thurrott in Cloud, Microsoft 365, Microsoft Consumer Services with 26 Comments

Anyone with a Microsoft account can now remove their password from the account entirely to enable better security.

“For the past couple of years we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision,” Microsoft corporate vice president Vasu Jakkal writes in the announcement post. “Beginning today, you can now completely remove the password from your Microsoft account.”

As for the “why” of this change, Microsoft points to the fact that passwords are insecure and are the focus of over 18 billion attacks every year, or 579 attacks every second.

Before you can go passwordless, you’ll need the Microsoft Authenticator app on your smartphone. Then, depending on where you are signing in, you can use Windows Hello, a security key, or a verification code sent to an email address or your phone to sign in to a compatible app or service such as Outlook, OneDrive, Microsoft Family Safety, and more.

To get started, you will need to sign in to your Microsoft account on the web and enable the option “Passwordless account.” Then, just follow the on-screen prompts and approve the change from your Microsoft Authenticator app. (You can always re-add a password to the account later if you prefer.)

This capability is now available on consumer-oriented Microsoft accounts. Microsoft previously made passwordless sign-in a feature of its commercial Microsoft 365 accounts as well. You can learn more about going passwordless from the Microsoft website.


26 responses to “Microsoft Account Goes Passwordless”

  1. dsamuilov

    This is great news!

    I think passwordless is also a great way to get the kids and wife to start using a more secure way to access everything we share.

    Before we start... Does this work with Xbox and other services? I use my account in all kinds of services from MS. I am using MFA and leaning towards going passwordless, but I would like confirmation that all MS services support these settings before I do.

  2. hrlngrv

    Someone has to ask: if one's phone is dead (battery drained) and one can't charge it, does that mean one's locked out of one's MSFT account until one could charge one's phone?

    • gelfer

      Depends on your setup: if you have other ways to authenticate (such as 'send a code via mail to a preconfigured mailbox' or 'call me at a preconfigured telephone nr' or 'send code via text to a preconfigured telephone nr'), then you could maybe use one of these other methods.

      If you have set up ONLY the authenticator app, there's maybe little else. I've seen the prompt you could use when the authenticator is not at your disposal while trying to log on, but haven't clicked it to check it out. But it would seem it's a situation that MS has thought of at least...

  3. gandalforce

    Microsoft should have re-worded this message, lol

  4. singingwolf

    I have also found if you have share drives in your setup, if you have never logged into the host machine with a password, then you cannot connect to the share drives. It took a few hours of frustration to work that one out.

  5. jdawgnoonan

    It is hard for me to understand how just using the Microsoft Authenticator app (or SMS or emailed codes) is more secure than the computer generated (and very ugly) passwords that I currently use with 2FA through the Authenticator app.

    • MikeCerm

      It's not more secure, and I too would like to know why Microsoft is claiming that it is. Logically, 2FA is more secure, because it means that hackers must brute-force guess your password AND hack your 2nd factor in order to access your account. Email and SMS are not very good 2nd factors because they go through 3rd parties and are not really secure, and time-based one-time passwords (TOTP) are not very secure on their own because it's just 6 numerical digits, but if your 2nd factor is Microsoft Authenticator, and going passwordless just means making your 2nd factor your one-and-only factor, then you certainly have not gained anything.

      I'm guessing that they claim that passwordless is more secure because, instead of merely using time-based one-time passwords (TOTP) like it does when you enable 2FA, they're doing something behind the scenes that is much stronger than password+TOTP to authenticate the login, like a certificate that is stored in Microsoft Authenticator. With Microsoft accounts, normal two-step verification works with other authenticators, but passwordless requires Microsoft Authenticator, so that's probably what's going on. Still, it would be even more secure to require a username and password before sending you over to the app to approve the login. That's how Google does it.

  6. cmdrkeene

    Inability to be a Remote Desktop host is the biggest impact to me when using a passwordless account, which I've been using for a long while (I didn't know this wasn't rolled out widely yet).

    I'm about to jump through all the right hoops so I can use RDP. Basically remove my PIN/unlink from MSA, set a local password, re-link, etc.

  7. red.radar

    So why do you have to use the Authenticator App?

    If you have a Yubi-Key... or access to an email address... I don't see the need to have to have the authenticator app.

  8. bluvg

    This closes an important gap: passwordless auth is great, but less effective if a password remains behind the scenes. I would be curious how this is actually handled, whether the password is truly removed or simply scrambled like when you turn on the require smart card checkbox.

  9. JJaret

    Here is a question. I use RDP while at clients to connect to my home office desktop. How would I be able to log in to my desktop over RDP if I enable a passwordless Microsoft account?

    • waethorn

      You should be using a VPN already for that. If you have open RDP to WAN, expect to be hacked if you haven’t already.

    • Alastair Cooper

      I think for that purpose you would use your Windows Hello PIN which is essentially a password specific to that device. As far as I can tell it's a glorified version of the pre-cloud era Windows password.

    • bluvg

      RDP is still a huge pain for MFA and a surprising gap for Microsoft, who hold the cards in closing the gap. Smart card is probably your best bet there. Some MFA options out there deal with it by adding a credential provider, then removing the password credential provider (optional, but necessary for enforcement). There are some downsides to this, but it's better than the GINA replacement days of yore.

    • bassoprofundo

      Check Paul's link to the Microsoft info on it. There are a bunch of caveats that I have to think will keep a lot of us from going fully password-less for some time... :(

      Does a passwordless account work with all apps and services?

      No. Some older versions of Windows, apps, and services still need a password. Please continue to use a password if you use any of the following:

      1. Xbox 360
      2. Office 2010 or earlier
      3. Office for Mac 2011 or earlier
      4. Products and services which use IMAP and POP email services
      5. Windows 8.1, Windows 7 or earlier
      6. Some Windows features including Remote Desktop and Credential Manager
      7. Some command line and task scheduler services.

      • pachi

        As far as I know Outlook desktop doesn't even support two-factor yet, does it? I recall having to create an app password for it even in the newest version.

        • IanYates82

          Your recollection is right, depending on when you set it up. I had to do the same back when I forced 2FA originally, but Outlook 2016+, from memory, has supported 2FA via MS Authenticator, and now supports any MS-supported approach.

        • bluvg

          On the Exchange Online side, Outlook uses browser-based auth, so you can use MFA, FIDO2 tokens, etc.

      • timwakeling

        I was also about to dive in until I saw the list of exceptions. There are some very large and well used apps and services in that list, which makes me think going passwordless at this stage is likely to backfire for many. I've no doubt it's the future, but more services may need upgrading or time passing before that is a good idea.

  10. justme

    While I have no doubt passwordless is the future, I am skeptical of this implementation given the list of exceptions. I do wonder if this will cause as much grief as it helps.
