Tip: Switch to Microsoft for Password Management and Autofill

Posted on March 14, 2021 by Paul Thurrott in Cloud, Microsoft Consumer Services, Microsoft Edge with 54 Comments

Last month, Microsoft announced the availability of Microsoft account-based password autofill capabilities across platforms. Since then, I’ve been using Microsoft’s system for managing and auto-filling passwords across the web (using Edge), Android, and iPhone/iPad. And while there are still some features I’d like to see—like strong password generation—I feel that this system is mature and capable enough to recommend. As important, it’s trustworthy.

I wish there was a name for this system, so I’ll just call it Microsoft-based password management for lack of a better term. There are two key components: a supported desktop web browser, which can be either Microsoft Edge or Google Chrome, and Microsoft Authenticator, a mobile app that, to date, had been used solely to help implement Microsoft’s passwordless vision with its 2FA (two-factor authentication) capabilities.

Most people, of course, use Google Chrome, and you can add the desktop version of that browser into the Microsoft-based password management by installing the Microsoft Autofill extension. If you’re using Edge, as I am, this isn’t necessary. (And I assume that most Edge users did what I did, which is to import their Chrome data, including passwords, into the new browser whenever they switched over.)

Whichever browser you are using, the assumption here is that you’re using this browser now to manage your online account passwords and that you’d like to have those passwords sync to mobile so that you can sign in to apps on the web (preferably using Microsoft Edge) and via apps on iPhone, iPad, and/or Android.

(If you are using a third-party password manager and want to switch to Microsoft-based password management, you will need to export passwords from that product into a CSV file and then import them into Edge, Chrome, or the Microsoft Authenticator app first. I have not tested this, sorry.)

The next step is to download and install the Microsoft Authenticator app on your mobile devices and sign in to your Microsoft account. Android users can find the link here. And iPhone and iPad users can find the link here. The app works identically on both platforms, with only small authentication differences related to how you sign in on your device (Touch ID, Face ID, fingerprint sensor, etc.).

Microsoft Authenticator now offers two main views, Authenticator and Passwords, which are accessed via tabs at the bottom of the app display. The Authenticator view provides the 2FA functionality, and you will see a list of the accounts you’ve configured, which can include Microsoft-based accounts and third-party accounts. (At the very least, you should see the Microsoft account with which you will sync passwords.)

Passwords is new, and you should see a red dot on its icon indicating that. When you enter this view, you will be prompted to sync your passwords with your Microsoft account.

After a short period of time in which Authenticator syncs your passwords, the list of your passwords appears alphabetically in the Passwords view. And you’re prompted to set Authenticator as your autofill provider.

How you do this varies a bit between Android and Apple’s platforms.

On Android, all you have to do is select the box next to “Fill and save your passwords on apps and sites you visit,” and you’ll be taken directly to the correct location in Android settings, where you can choose “Authenticator” instead of “Google” (or whatever you were using before). There is no other step.

On iPhone and iPad, you have a little bit more work to do: Microsoft provides a screen that explains that you need to “look for Autofill Passwords in the Settings app” and then select Microsoft Authenticator and “unselect iCloud Keychain” to make the former the default.

To do so, open Settings and pull down on the top to display the search box. Search for “Autofill.”

Then, select “AutoFill Passwords.”

Here, select “AutoFill Passwords.”

Here, select Authenticator. A new screen will appear indicating that autofill is enabled and reminding you that you need to “uncheck Keychain” to make Microsoft Authenticator the default.

When you tap “Back to Settings,” you will see that both iCloud Keychain and Authenticator are configured to autofill passwords.

To complete the switch, deselect (uncheck) iCloud Keychain. You’re finally done.

I have configured my Google Pixel 4a 5G and Apple iPad this way (and also my iPhone 11 Pro Max, which I don’t use regularly at the moment). And if you’re going to switch over to Microsoft-based password management, it makes sense to do likewise across whichever devices you are using.

 


62 responses to “Tip: Switch to Microsoft for Password Management and Autofill”

  1. simard57

    Would this also work with the Brave browser?

    asking for a friend!

  2. jlmerrill

    When it has all the features of Last Pass then I will change.

  3. cliffordsf

    In reply to blue77star:
    What? I can't remember the last time I had to adjust the time on a Windows device when the time changed. Even my Windows Phones did this.
  4. davidmco65

    I'm sorry, but anybody that trusts Microsoft after the numerous security vulnerabilities that have been exposed, along with Microsoft's complete lack of priority fixing these issues is literally asking to be compromised.


    Use Bitwarden or 1password. Just Google "Microsoft security".

  5. Craig Smith

    In reply to blue77star:

    I visit Linux sites for exactly the same reason you visit this site. To talk about how much I hate Linux. It's a totally efficient use of my time as an adult. :-)

  6. wright_is

    In reply to blue77star:

    Interesting, I've never had it fail to switch daylight saving time, it has been just as reliable as Linux, in my experience.

  7. chippy_boy

    Sorry but there's a very good reason why you should NOT use Microsoft to store all your passwords: It is not safe!

    For some unfathomable reason, Microsoft think it is acceptable to insist on sending 2FA codes and push notifications to your mobile if a hacker cannot get in and asks to login by another method.

    This means everyone relying on Microsoft is vulnerable to SIM swap fraud. It's no use supporting WebAuthn, FIDO2, U2F and security keys etc if all a hacker has to do is call your mobile operator with your personal details obtained from the dark web, get a new SIM card and away they go.

    Even without a SIM swap, if a hacker manages to find your password, and you get a 2FA push at 3 o'clock in the morning, it's far too easy whilst fumbling around in the dark to accidentally accept the request.


    It should be possible to mandate ONLY secure 2FA methods, such as Authenticator or (better) U2F security key. So unless/until Microsoft realise this, it is IMO far too risky to trust them to store e.g. your bank login details.

    • ram42

      In reply to chippy_boy:


      I would agree this particular setup is not safe--though for a different reason. If you are inattentive when clearing browser temp files, you could wipe out your entire password vault. I previously used Lastpass, recently switched to Bitwarden. I don't see any way to purge the vault in the Bitwarden browser extension, you have to login to the web vault and go a few levels deep to find that option--I would assume Lastpass is the same. Considering the amount of information and important logins I store there, I don't like having the ability to erase it all just a couple commands away in the Clear Browsing Data window.

    • Paul Thurrott

      Microsoft does not "insist" on sending codes via SMS. It has several other methods you can configure for 2FA, including email and standalone codes.
    • Mike Turner

      In reply to chippy_boy:

      I wouldn't describe getting a push notification, tapping it, getting taken to the Authenticator app (which app locks by default these days), then providing your PIN/biometrics as something that you can "accidentally" do very easily. Plus, in one breath you describe this as not secure, then the next you call Authenticator a secure 2FA method.

  8. rickeveleigh

    I don't see a Passwords option in Authenticator.

  9. maktaba

    I can’t use it as it doesn’t support manually adding usernames and passwords (yet).

  10. fishnet37222

    They need to add support for Firefox.

  11. JHawkZZ

    Thanks for the tip Paul! Going to add this to the list of things to evaluate given LastPass's free tier getting crippled.

  12. KingPCGeek

    In reply to blue77star:

    Never see a Windows PC not switch for DST.

  13. crunchyfrog

    I have tried using MS Authenticator as a go-to for authentication codes but had to move from using it except for my MS account. The biggest issues are:

    No solid cross platform uniformity. If you use iOS and Android, be prepared to do everything twice.

    No solid backup and restore when you get a new device. On iOS I selected the iCloud backup option but if you reset your iPhone there's no way to restore your authentication codes and it fails every time. Researching this online found this is a problem for many.

  14. tonytech

    I would switch if I could have folders and the ability to import from Lastpass or Bitwarden

  15. Daekar

    Been doing this for a while, and it is the best password experience I've had so far. Great recommendation, Paul!

  16. jdawgnoonan

    I am using this and really like it. I have never used any other password managers. Now I wish that Microsoft would release a version of Authenticator for Windows.

  17. rmlounsbury

    I moved over once this feature was first available (importing accounts from 1Password was a pain pre-CSV import option). The only issue I've been having consistently is sites are inconsistent when they will and won't fill. It seems to be an issue with a match of the login URL vs. the stored URL from 1Password. Seems odd so many sites that worked fine in 1Password but don't work at all using Edge and the stored password/Authenticator route. It's a pain but I'm slowly getting through re-saving credentials which fixes auto fill.

    I also find that Authenticator doesn't pop very often for filling in logins with apps as well. Could be the same issue as above.

    In general this does work well, my unique issue aside. I even migrated my 2FA setup to Authenticator as well which has been an excellent experience.

  18. hastin

    I moved my passwords/OTPs over from LastPass to Microsoft Authenticator/Passwords and there's basically two main bummers - no way to manually add passwords, and no reminders for a password rotation policy.

    • ram42

      In reply to hastin:


      I tested the Edge/Authenticator combo when LastPass made the news, and it is a slick setup. But the inability to manually add items to the vault killed it as an option for me. In Lastpass (and now Bitwarden) I make use of the notes features, store non-login account info, etc. In addition, Edge does not reliably detect login situations on web pages, preventing you from adding credentials for those sites to your password vault. A non-starter as it is right now, unless Microsoft chooses to flesh out the system a bit more.

  19. johnny777

    What's the secret to get this to work with my Android apps and populate my app passwords (i.e. bank) as Lastpass is able to do?

  20. JerryH

    Looks like it is getting closer. I still need to have the ability to share certain passwords with my spouse, etc. and have the recovery function (where a surviving spouse or the like requests access and if no answer in say 7 days they get access to all passwords). Once they add those it may be time to switch from LastPass's family plan.

  21. Kudupa

    Problem I have noticed is the inability of the Authenticator to work over other apps and help me to fill passwords & Username like Lastpass or similar managers.

    While within a browser, this ability is great but I don't think this works well for or with other apps on a mobile device yet.

  22. silvere

    That's fine if you're happy for your desktop browser to save your passwords. But it means you have to keep your PC secure whenever you're not sat in front of it - even (especially?) at home if your kids might go and buy stuff. Not only will Edge autofill your passwords, it will display them all any time you look in Settings. I'll stick with Lastpass or Bitwarden which can be locked with a password.


    The same goes for payment cards - I hadn't tried saving them in Edge, and I won't.


    BTW, the MS Authenticator app is not solely for MS passwordless, it generates standard TOTP codes for any site that uses them, such as Amazon and Zoho.

  23. big_swifty

    What happens to your current password list? Does it incorporate your current password list?


  24. simonmartindye

    Not seeing that button on mine in iOS. What version did this start?

  25. minke

    None of the browser password managers include the features needed in a full-featured password manager. I store many important notes with most passwords. Things like security questions, date created, email used, and other notes on how the site works or what it is for. For example, to recover access to some accounts you can use a one-time code that needs to be stored safely somewhere. To get back into Gmail they often ask for the date the account was created, and that needs to be stored somewhere. I also store things like driver's license and passport information, personal details of family members that need more security, stuff like that. It is nice to have it all in one place and available.

  26. ponsaelius

    I started using this a couple of months ago when I saw a post on the Microsoft Techcommunity. Subsequently, I went full time over to it about a day before LastPass removed their multiple device free tier.


    It has made me standardise on Edge as a browser. It seems to work quite well and I trust it will be secure with Microsoft.


    I would like some more management features. Password generation is obviously one. I also find in sites which ask you to put your username in before the password prompt it gets confused.


    Some websites I use have a work Id and a personal one. It gets confused then too.


    Overall this is a welcome move and will help Microsoft in the security space. The only issue is that Microsoft seem to announce this in obscure blog posts rather than with some more consumer friendly approach to tell people how this is a good thing.


    Their ability not to communicate information very well helps journalists write about stuff tho.

  27. sjgibb99

    Let me guess, they still don't allow you to back up Authenticator to work-based Microsoft Accounts. It's a real pain that we are encouraged to set up MFA for secure business, yet MS won't let those same business users back up to their 365 user account.

  28. gronman

    I have been trying this solution for some time now, but the authenticator app in my Android phone refuses to sync my passwords.

  29. jgoraya

    Great article Paul. Needed to get off LastPass; was going to switch to 1Password but liked this even better.

  30. DavidSlade

    This all would be good but syncing passwords in Authenticator consistently fails for me. It displays sync failed.

  31. johnfeil

    Seems to work really well. Generation of strong passwords would be a great addition.
