
Microsoft Lets Users Fully Remove Account Passwords

Users can now delete passwords from their Microsoft account and instead use Windows Hello, Microsoft Authenticator, or physical security keys to log in.

Microsoft is giving users the option to fully remove passwords from their accounts and instead log in to apps and services with the Microsoft Authenticator app, a security key, its Windows Hello biometrics system, or a verification code sent to their phone or email.

Enterprise users have had the option to adopt passwordless login for a few months now, though they can't yet fully remove passwords from their accounts. Back in March, Microsoft made passwordless sign-in generally available for its commercial users following a public preview that started in July 2019. The pilot led to new features to improve credentials management such as Authentication methods management, step-up authentication, and passwordless APIs.

Now, Microsoft is extending the option to consumer accounts as well. Windows users can delete the password from their Microsoft account or create a new account with no password. They'll need to visit "Advanced Security Options" in their Microsoft account, select "Passwordless Account", and follow the on-screen prompts. The feature will be rolled out over the coming weeks.

In a blog post, Vasu Jakkal, Microsoft's corporate vice president of security, compliance, and identity, explains why the company wants to give people more options. Most create their own passwords, with the exception of auto-generated passwords that are "nearly impossible to remember," she writes. One in ten people admit to reusing passwords across sites, 15% use pets' names, and one-third would rather stop using an account than deal with a lost password.

"That's not only a problem for the person stuck in the password cycle, but also for businesses losing customers," Jakkal adds.

Joy Chik, Microsoft's corporate vice president of Engineering, Enterprise Mobility, and Security, says in a separate blog post that the company will soon start working to remove passwords for Azure AD accounts as well.

"Administrators will be able to choose whether passwords are required, allowed, or simply don't exist for a set of users," she writes. "Users will be able to choose not to set a password when creating an account or to remove their password from an existing account."

Read Vasu Jakkal's full blog post for more details.
