Tip: Switch to Microsoft for Password Management and Autofill

Last month, Microsoft announced the availability of Microsoft account-based password autofill capabilities across platforms. Since then, I’ve been using Microsoft’s system for managing and auto-filling passwords across the web (using Edge), Android, and iPhone/iPad. And while there are still some features I’d like to see—like strong password generation—I feel that this system is mature and capable enough to recommend. As important, it’s trustworthy.

I wish there was a name for this system, so I’ll just call it Microsoft-based password management for lack of a better term. There are two key components, a supported desktop web browser, which can be either Microsoft Edge or Google Chrome, and Microsoft Authenticator, a mobile app that, to date, had been used solely to help implement Microsoft’s passwordless vision with its 2FA (two-factor authentication) capabilities.

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott's Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Most people, of course, use Google Chrome, and you can add the desktop version of that browser into the Microsoft-based password management by installing the Microsoft Autofill extension. If you’re using Edge, as I am, this isn’t necessary. (And I assume that most Edge users did what I did, which is to import their Chrome data, including passwords, into the new browser whenever they switched over.)

Whichever browser you are using, the assumption here is that you’re using this browser now to manage your online account passwords and that you’d like to have those passwords sync to mobile so that you can sign-in to apps on the web (preferably using Microsoft Edge) and via apps on iPhone, iPad, and/or Android.

(If you are using a third-party password manager and want to switch to Microsoft-based password management, you will need to export passwords from that product into a CSV file and then import them into Edge, Chrome, or the Microsoft Authenticator app first. I have not tested this, sorry.)

The next step is to download and install the Microsoft Authenticator app on your mobile devices and sign-in to your Microsoft account. Android users can find the link here. And iPhone and iPad users can find the link here. The app works identically on both platforms, with only small authentication differences related to how you sign-in on your device (Touch ID, Face ID, fingerprint sensor, etc.).

Microsoft Authenticator now offers two main views, Authenticator and Passwords, which are accessed via tabs at the bottom of the app display. The Authenticator view provides the 2FA functionality, and you will see a list of the accounts you’ve configured, which can including Microsoft-based accounts and third-party accounts. (At the very least, you should see the Microsoft account with which you will sync passwords.)

Passwords is new, and you should see a red dot on its icon indicating that. When you enter this view, you will be prompted to sync your passwords with your Microsoft account.

After a short period of time in which Authenticator syncs your passwords, the list of your passwords appears alphabetically in the Passwords view. And you’re prompted to set Authenticator as your autofill provider.

How you do this varies a bit between Android and Apple’s platforms.

On Android, all you have to do is select the box next to “Fill and save your passwords on apps and sites your visit,” and you’ll be navigated directly into the correct location in Android settings, where you can choose “Authenticator” instead of “Google” (or whatever you were using before). There is no other step.

On iPhone and iPad, you have a little bit more work to do: Microsoft provides a screen that explains that you need to “look for Autofill Passwords in the Settings app” and then select Microsoft Authenticator and “unselect iCloud Keychain” to make the former the default.

To do so, open Settings and pull down on the top to display the search box. Search for “Autofill.”

Then, select “AutoFill Passwords.”

Here, select “AutoFill Passwords.”

Here, select Authenticator. A new screen will appear indicating that autofill is enabled and reminding you that you need to “uncheck Keychain” to make Microsoft Authenticator the default.

When you tap “Back to Settings,” you will see that both iCloud Keychain and Authenticator are configured to autofill passwords.

To complete the switch, deselect (uncheck) iCloud Keychain. You’re finally done.

I have configured my Google Pixel 4a 5G and Apple iPad this way (and also my iPhone 11 Pro Max, which I don’t use regularly at the moment). And if you’re going to switch over to Microsoft-based password management, it makes sense to do likewise across whichever devices you are using.


Tagged with

Share post

Please check our Community Guidelines before commenting

Conversation 62 comments

  • simard57

    14 March, 2021 - 11:49 am

    <p>Would this also work with the Brave browser?</p><p>asking for a friend!</p>

    • bart

      Premium Member
      14 March, 2021 - 12:41 pm

      <blockquote><em><a href="#618037">In reply to Simard57:</a></em></blockquote><p>Use the same Chrome extension</p>

    • Paul Thurrott

      Premium Member
      15 March, 2021 - 9:01 am

      Most likely, that Chrome extension should work on Brave. But I have not tried that.

  • Kudupa

    14 March, 2021 - 11:49 am

    <p>Problem i have noticed is the inability of the Authenticator to work over other apps and help me to fill passwords &amp; Username like Lastpass or similar managers. </p><p>While within a browser, this ability is great but i don't think this works well for or with other apps on a mobile device yet. </p>

    • bart

      Premium Member
      14 March, 2021 - 12:40 pm

      <blockquote><em><a href="#618038">In reply to Kudupa:</a></em></blockquote><p>It should work as Authenticator is now the app you can select to autofill passwords. Bug maybe?</p>

  • silvere

    14 March, 2021 - 12:16 pm

    <p>That's fine if you're happy for your desktop browser to save your passwords. But it means you have to keep your PC secure whenever you're not sat in front of it – even (especially?) at home if your kids might go and buy stuff. Not only will Edge autofill your passwords, it will display them all any time you look in Settings. I'll stick with Lastpass or Bitwarden which can be locked with a password. </p><p><br></p><p>The same goes for payment cards – I hadn't tried saving them in Edge, and I won't.</p><p><br></p><p>BTW, the MS Authenticator app is not solely for MS passwordless, it generates standard TOTP codes for any site that uses them, such as Amazon and Zoho.</p>

    • bart

      Premium Member
      14 March, 2021 - 12:42 pm

      <blockquote><em><a href="#618040">In reply to silvere:</a></em></blockquote><p>On my Surface Laptop 3, before revealing any passwords in Edge, Windows Hello is activated to protect your passwords.</p>

      • silvere

        14 March, 2021 - 7:28 pm

        <blockquote><em><a href="#618045">In reply to Bart:</a></em></blockquote><p>Lucky you. But what if you don't have Hello on your PC? Just proves that MS know it's an issue but can only fix it for the favoured few. And does it stop autofill – you don't need to actually see the password.</p>

    • Mike Turner

      14 March, 2021 - 2:04 pm

      <blockquote><em><a href="#618040">In reply to silvere:</a></em></blockquote><p><br></p><p>This is why Windows has profiles. Set up each person with a profile, don't tell the kids your password, job done. </p>

      • silvere

        14 March, 2021 - 7:27 pm

        <blockquote><em><a href="#618052">In reply to turnma:</a></em></blockquote><p>Um, that's my point. You have to log off every time you leave your PC. Even if your kids have their own PCs so don't need to share yours.</p>

        • Mike Turner

          15 March, 2021 - 10:46 am

          <blockquote><em><a href="#618088">In reply to silvere:</a></em></blockquote><p>No you don't, you just lock it. Why would you log off? I don't understand why you're willing to lock Lastpass with a password, which protects some of your things, but you're not willing to lock Windows instead, which protects all of your things.</p>

    • wright_is

      Premium Member
      15 March, 2021 - 3:51 am

      <blockquote><em><a href="#618040">In reply to silvere:</a></em></blockquote><p>I always lock my PC when I leave it running and my wife and kids each have their own accounts. </p><p>But I still use 1Password.</p>

    • Paul Thurrott

      Premium Member
      15 March, 2021 - 8:58 am

      You should always keep your PC secure. Also, all of your devices.

  • big_swifty

    14 March, 2021 - 12:25 pm

    <p>What happens to your current password list? Does it incorporate your current password list?</p><p><br></p>

    • bart

      Premium Member
      14 March, 2021 - 12:41 pm

      <blockquote><em><a href="#618041">In reply to Big_Swifty:</a></em></blockquote><p>You can export/import all your passwords</p>

  • JerryH

    Premium Member
    14 March, 2021 - 1:04 pm

    <p>Looks like it is getting closer. I still need to have the ability to share certain passwords with my spouse, etc. and have the recovery function (where a surviving spouse or the like requests access and if no answer in say 7 days they get access to all passwords). Once they add those it may be time to switch from LastPass's family plan.</p>

  • simonmartindye

    14 March, 2021 - 2:08 pm

    <p>Not seeing that button on mine in iOS. What version did this start?</p>

    • Paul Thurrott

      Premium Member
      15 March, 2021 - 8:56 am

      You may not see it if you have a Microsoft work (AAD) account configured. That’s going to change over time.

  • ponsaelius

    14 March, 2021 - 2:21 pm

    <p>I started using this a couple of months ago when I saw a post on the Microsoft Techcommunity. Subsequently, I went full time over to it about a day before LastPass removed their multiple device free tier.</p><p><br></p><p>It has made me standardise on Edge as a browser. It seems to work quite well and I trust it will be secure with Microsoft.</p><p><br></p><p>I would like some more management features. Password generation is obviously one. I also find in sites which ask you to put your username in before the password prompt it gets confused.</p><p><br></p><p>Some websites I use have a work Id and a personal one. It gets confused then too.</p><p><br></p><p>Overall this is a welcome move and will help Microsoft in the security space. The only issue is that Microsoft seem to announce this is obscure blog posts rather than with some more consumer friendly approach to tell people how this is a good thing.</p><p><br></p><p>Their ability not to communicate information very well helps journalists write about stuff tho.</p>

  • sjgibb99

    14 March, 2021 - 2:43 pm

    <p>Let me guess, they still don't allow you to back Authenticator to work based Microsoft Accounts. It's a real pain that we are encouraged to setup MFA for secure business, yet MS won't let those same business users backup to their 365 user account. </p>

    • Paul Thurrott

      Premium Member
      15 March, 2021 - 8:54 am

      Yeah, I’m hearing that people who have a work-based Microsoft account (AAD) don’t even see the Passwords tab too.

      • Mike Turner

        15 March, 2021 - 10:45 am

        <blockquote><em><a href="#618162">In reply to paul-thurrott:</a></em></blockquote><p>Work-based accounts for me on iOS and Android still show the Passwords tab.</p><p><br></p><p>The other point, about backing up, was because many businesses didn't want the risk of corporate credentials being backed up to a personal data store.</p>

    • igor engelen

      15 March, 2021 - 5:15 pm

      <blockquote><em><a href="#618062">In reply to sjgibb99:</a></em></blockquote><p>I just clicked my company account in the authenticator app and it looks like registering my device should enable the functionality but fails. Not sure where exactly.</p>

  • gronman

    14 March, 2021 - 2:45 pm

    <p>I have been trying this solution for some time now, but the authenticator app in my android phone refuses to sync my passwords.</p>

  • jgoraya

    14 March, 2021 - 3:34 pm

    <p>Great article Paul. Needed to get off LastPass was going to switch to 1Password but liked this even better.</p>

    • wright_is

      Premium Member
      15 March, 2021 - 3:47 am

      <blockquote><em><a href="#618067">In reply to jgoraya:</a></em></blockquote><p>It is still missing some things for me. I have a family account and we share some passwords, for example.</p><p>I switched to 1Password, they are a great bunch of people, very enthusiastic about their product and react quickly. I've been impressed so far.</p>

    • KingPCGeek

      Premium Member
      15 March, 2021 - 4:43 pm

      <blockquote><em><a href="#618067">In reply to jgoraya:</a></em></blockquote><p>I have been a loyal user of RoboForm for probably 15 years. They rewrote the browser extensions from the ground up in December. Now it is the most loathed product that I use. </p>

  • DavidSlade

    Premium Member
    14 March, 2021 - 6:08 pm

    <p>This all would be good but syncing passwords in Authenticator consistently fails for me. It displays sync failed.</p>

    • DavidSlade

      Premium Member
      15 March, 2021 - 11:46 pm

      <blockquote><em><a href="#618083">In reply to DavidSlade:</a></em></blockquote><p>I found the issue: Errors in the password list that causes syncing failures. I cleaned up some passwords in Edge settings and it works now.</p>

  • johnfeil

    14 March, 2021 - 7:02 pm

    <p>Seems to work really well. Generation of strong passwords would be a great addition.</p>

  • minke

    14 March, 2021 - 8:11 pm

    <p>None of the browser password managers include the features needed in a full-featured password manager. I store many important notes with most passwords. Things like security questions, date created, email used, and other notes on how the site works or what it is for. For example, to recover access to some accounts you can use a one-time code that needs to be stored safely somewhere. To get back into Gmail they often ask for the date the account was created, and that needs to be stored somewhere. I also store things like drivers license and passport information, personal details of family members that need more security, stuff like that. It is nice to have it all in one place and available. </p>

    • rosyna

      15 March, 2021 - 3:54 am

      <blockquote><em><a href="#618090">In reply to Minke:</a></em></blockquote><p><br></p><p>thats where Notes.app comes in with secure notes.</p>

    • fishnet37222

      Premium Member
      15 March, 2021 - 10:27 am

      <blockquote><em><a href="#618090">In reply to Minke:</a></em></blockquote><p>That's why I use LastPass. I can store software license keys along with my passwords.</p>

      • tomker

        Premium Member
        15 March, 2021 - 12:13 pm

        <blockquote><em><a href="#618182">In reply to fishnet37222:</a></em></blockquote><p>I've been doing that with LP for years also. BUT, if you want to move the MS Authenticator and you're already in the MS ecosystem you can use the OneDrive Personal Vault to store all those notes. With all the bruhaha boiling around LP lately I've been toying with the concept of moving off LP to another tool. I'm not there yet, but I have discovered that all those secondary uses for LP can be replicated into OneDrive Personal Vault. It's just not as elegant.</p>

    • tony_ansley

      Premium Member
      15 March, 2021 - 12:11 pm

      <blockquote><em><a href="#618090">In reply to Minke:</a></em></blockquote><p>This is why I use Roboform. These browser solutions are just not "complete" solutions.</p><p><br></p><p><br></p>

  • jlmerrill

    14 March, 2021 - 10:31 pm

    <p>When it has all the features of Last Pass the I will change.</p>

  • cliffordsf

    14 March, 2021 - 11:37 pm

    <blockquote><a href="#618096"><em>In reply to blue77star:</em></a></blockquote><blockquote>What? I can't remember the last time I had to adjust the time on a Windows device when the time changed. Even my Windows Phones did this. </blockquote>

  • davidmco65

    15 March, 2021 - 12:10 am

    <p>I'm sorry, but anybody that trusts Microsoft after the numerous security vulnerabilities that have been exposed, along with Microsoft's complete lack of priority fixing theses issues is literally asking to be compromised.</p><p><br></p><p>Use Bitwarden or 1password. Just Google "Microsoft security".</p>

    • Paul Thurrott

      Premium Member
      15 March, 2021 - 8:50 am

      Then look up how many customers Microsoft has compared to those companies and extrapolate.

    • Mike Turner

      15 March, 2021 - 10:40 am

      <blockquote><em><a href="#618100">In reply to davidmco65:</a></em></blockquote><p>They're <em>literally </em>not asking that.</p>

  • Craig Smith

    15 March, 2021 - 12:22 am

    <blockquote><em><a href="#618096">In reply to blue77star:</a></em></blockquote><p>I visit Linux sites for exactly the same reason you visit this site. To talk about how much I hate Linux. It's a totally efficient use of my time as an adult. :-)</p>

    • Paul Thurrott

      Premium Member
      15 March, 2021 - 8:49 am

      I hope that’s not true.

  • wright_is

    Premium Member
    15 March, 2021 - 3:49 am

    <blockquote><em><a href="#618096">In reply to blue77star:</a></em></blockquote><p>Interesting, I've never had it fail to switch daylight saving time, it has been just as reliable as Linux, in my experience.</p>

  • chippy_boy

    15 March, 2021 - 4:35 am

    <p>Sorry but there's s very good reason why you should NOT use Microsoft to store all your passwords: It is not safe!</p><p><br></p><p>For some unfathomable reason, Microsoft think it is acceptable to insist on sending 2FA codes and push notifications to your mobile if a hacker cannot get in and asks to login by another method.</p><p><br></p><p>This means everyone relying on Microsoft is vulnerable to SIM swap fraud. It's no use supporting WebAuthn, FIFO2, U2F and security keys etc if all a hacker has to do is call your mobile operator with your personal details obtained from the dark web, get a new SIM card and away they go.</p><p><br></p><p>Even without a SIM swap, if a hacker manages to find your password, and you get a 2FA push at 3 O'clock in the morning, it's far too easy whilst fumbling around in the dark to accidentally accept the request.</p><p><br></p><p>It should be possible to mandate ONLY secure 2FA methods, such as Authenticator or (better) U2F security key. So unless/until Microsoft realise this, it is IMO far too risky to trust them to store e.g. your bank login details.</p>

    • Paul Thurrott

      Premium Member
      15 March, 2021 - 8:49 am

      Microsoft does not “insist” on sending codes via SMS. It has several other methods you can configure for 2FA, including email and standalone codes.

    • Mike Turner

      15 March, 2021 - 10:39 am

      <blockquote><em><a href="#618109">In reply to chippy_boy:</a></em></blockquote><p>I wouldn't describe getting a push notification, tapping it, getting taken to the Authenticator app (which app locks by default these days), then providing your PIN/biometrics as something that you can "accidentally" do very easily. Plus, in one breath you describe this as not secure, then the next you call Authenticator a secure 2FA method.</p>

    • ram42

      16 March, 2021 - 4:38 pm

      <blockquote><em><a href="#618109">In reply to chippy_boy:</a></em></blockquote><p><br></p><p>I would agree this particular setup is not safe–though for a different reason. If you are inattentive when clearing browser temp files, you could wipe out your entire password vault. I previously used Lastpass, recently switched to Bitwarden. I don't see any way to purge the vault in the Bitwarden browser extension, you have to login to the web vault and go a few levels deep to find that option–I would assume Lastpass is the same. Considering the amount of information and important logins I store there, I don't like having the ability to erase it all just a couple commands away in the Clear Browsing Data window.</p>

  • rickeveleigh

    Premium Member
    15 March, 2021 - 5:28 am

    <p>I don't see a Passwords option in Authenticator.</p>

    • rickeveleigh

      Premium Member
      15 March, 2021 - 5:34 am

      <blockquote><em><a href="#618112">In reply to RickEveleigh:</a></em></blockquote><p>Because of my work's policy. Issue closed.</p>

  • maktaba

    15 March, 2021 - 6:38 am

    <p>I can’t use it as it doesn’t support manually adding usernames and passwords (yet).</p>

  • fishnet37222

    Premium Member
    15 March, 2021 - 8:25 am

    <p>They need to add support for Firefox.</p>

  • JHawkZZ

    15 March, 2021 - 4:25 pm

    <p>Thanks for the tip Paul! Going to add this to the list of things to evaluate given LastPass's free tier getting crippled.</p>

  • KingPCGeek

    Premium Member
    15 March, 2021 - 4:46 pm

    <blockquote><em><a href="#618096">In reply to blue77star:</a></em></blockquote><p>Never see a Windows PC not switch for DST.</p>

  • crunchyfrog

    15 March, 2021 - 4:59 pm

    <p>I have tried using MS Authenticator as a go-to for authentication codes but had to move from using it except for my MS account. The biggest issues are:</p><p>No solid cross platform uniformity. If you use iOS and Android, be prepared to do everything twice.</p><p>No solid backup and restore when you get a new device. On iOS I selected the iCloud backup option but if you reset your iPhone there's no way to restore your authentication codes and it fails every time. Researching this online found this is a problem for many.</p>

  • tonytech

    15 March, 2021 - 5:33 pm

    <p>I would switch if I could have folders and the ability to import from Lastpass or Bitwarrent </p>

  • Daekar

    15 March, 2021 - 5:41 pm

    <p>Been doing this for a while, and it is the best password experience I've had so far. Great recommendation, Paul! </p>

  • jdawgnoonan

    15 March, 2021 - 5:57 pm

    <p>I am using this and really like it. I have never used any other password managers. Now I wish that Microsoft would release a version of Authenitcator for Windows. </p>

  • rmlounsbury

    Premium Member
    15 March, 2021 - 7:49 pm

    <p>I moved over once this feature was first available (importing accounts from 1Password was pain pre-CSV import option). The only issue I've been having consistently is sites are inconsistent when they will and won't fill. It seems to be an issue with a match of the login URL vs. the stored URL from 1Password. Seems odd so many sites that worked fine in 1Password but don't work at all using Edge and the stored password/Authenticator route. It's a pain but I'm slowly getting through re-saving credentials which fixes auto fill. </p><p><br></p><p>I also find that Authenticator doesn't pop very often for filling in logins with apps as well. Could be the same issue as above. </p><p><br></p><p>In general this does work well my unique issue aside. I even migrated my 2FA setup to Authenticator as well which has been an excellent experience. </p>

  • hastin

    Premium Member
    16 March, 2021 - 3:21 pm

    <p>I moved my passwords/OTPs over from LastPass to Microsoft Authenticator/Passwords have there's basically two main bummers – no way to manually add passwords, and no reminders for a password rotation policy.</p>

    • ram42

      16 March, 2021 - 4:48 pm

      <blockquote><em><a href="#618389">In reply to hastin:</a></em></blockquote><p><br></p><p>I tested the Edge/Authenticator combo when LastPass made the news, and it is a slick setup. But the inability to manually add items to the vault killed it as an option for me. In Lastpass (and now Bitwarden) I make use of the notes features, store non-login account info, etc. In addition, Edge does not reliably detect login situations on web pages, preventing you from adding credentials for those sites to your password vault. A non-starter as it is right now, unless Microsoft chooses to flesh out the system a bit more.</p>

  • johnny777

    24 March, 2021 - 5:34 pm

    <p>What's the secret to get this to work with my Android apps and populate my app passwords (i.e. bank) as Lastpass is able to do? </p>

    • Paul Thurrott

      Premium Member
      25 March, 2021 - 8:40 am

      There’s nothing else to do. If you follow these instructions, that will work.

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Thurrott © 2024 Thurrott LLC