A year after Microsoft announced passkeys support for consumer accounts, the tech giant has announced a big change that pushes individuals signing up for new accounts to use the phishing-resistant authentication method by default.
“Brand new Microsoft accounts will now be ‘passwordless by default,'” Microsoft’s Joy Chik and Vasu Jakkal said. “New users will have several passwordless options for signing into their account and they’ll never need to enroll a password. Existing users can visit their account settings to delete their password.”
The Windows maker said it has also simplified the sign-in and sign-up user experience by prioritizing passwordless methods. Furthermore, the sign-in process now automatically detects the best available method on a user’s account and sets that as the default.
For example, if an account has the option to sign in via a password and a “one time code,” the user will be prompted to login via one time code instead of the password. Once signed in, they will then be instructed to set up a passkey for optimal protection.
The latest move by Microsoft, along with its peers Apple, Google, Amazon, and others in recent years, represents a steady march toward a passwordless future. With password-based cyber-attacks continuing to be a lucrative initial access vector for bad actors, the adoption of passkeys heralds an important step for account security.
In September 2023, Microsoft rolled out support for passkeys in Windows 11, around the same time when Google made passkeys its default login method for all users globally. Then last year, it updated Windows Hello to support the technology.
Passkeys offer a more secure way of logging in to websites and applications by eliminating the need for passwords. Backed by the Fast Identity Online (FIDO) Alliance, passkeys rely on public/private key cryptography techniques to authenticate users.
Thus when a user registers with an online service, their client device (i.e., phone or PC) generates a new key pair. The private key is stored securely on the user’s device, while the public key is registered with the service.
During sign in, the client device uses the private key to sign a challenge after the device owner authenticates it using their biometric information (e.g., facial recognition or fingerprint).
In October 2024, the FIDO Alliance said it’s working with stakeholders to make passkeys and other credentials more easier to export across different providers and improve credential provider interoperability. More than 15 billion user accounts can sign in using passkeys instead of passwords as of December last year.
The open industry association, last month, also launched a Payments Working Group (PWG) to define and drive FIDO solutions for payment use cases.
The PWG is expected to “identify and evaluate existing and emerging solutions to address payment authentication requirement” and establish “guidelines for use of passkeys and/or proposed FIDO solutions along with existing payment technologies.”
