Microsoft to let users completely remove account passwords and go passwordless
Microsoft has announced today that it intends to let users remove the passwords from their Microsoft accounts and go passwordless.
In a change that will be rolled out in the coming weeks, Microsoft said that users would be able to remove the password from their consumer account and choose an alternative authentication option instead, such as:
- security keys;
- verification codes sent via email or SMS;
- the Windows Hello biometrics system;
- or the Microsoft Authenticator mobile app.
Today’s news comes after Microsoft piloted this new setup earlier this year, in March 2021, when it allowed Azure enterprise users to ditch passwords for safer alternatives.
Prior to its deployment in March and today, the feature had been widely requested by Microsoft’s enterprise customers.
System administrators and security engineers previously asked for a way to secure accounts against brute-force password-guessing attacks, which have been common after hackers dumped billions of user credentials on the public internet over the past decade.
In a blog post today announcing the move, Vasu Jakkal, Corporate Vice President for Microsoft Security, Compliance, Identity, and Management, said Microsoft is currently seeing a whopping 579 password attacks every second, amounting to 18 billion every year.
Jakkal blamed the situation on today’s authentication conundrum where users struggle with remembering account passwords and typically chose to reuse the same password for multiple accounts or use simple passwords — which are easy to guess by attackers.
“One of our recent surveys found that 15% of people use their pets’ names for password inspiration,” Jakkal said.
“Other common answers included family names and important dates like birthdays. One in 10 people admitted reusing passwords across sites, and 40% say they’ve used a formula for their passwords, like Fall2021, which eventually becomes Winter2021 or Spring2022,” she added.
Microsoft findings aren’t unique, and several other similar studies have found that users, in general, are pretty bad at choosing passwords, with the most common password found in public data breaches being “123456” for each of the last six years [1, 2].