Ten years ago, Microsoft envisioned a bold future: a world free of passwords. Every year, we celebrate World Password Day by updating you on our progress toward eliminating passwords for good. Today, we’re announcing passkey support for Microsoft consumer accounts, the next step toward our vision of simple, safe access for everyone.
In 2015, when we introduced Windows Hello and Windows Hello for Business as secure ways to access Windows 10 without entering a password, our identity systems were detecting around 115 password attacks per second.1 Less than a decade later, that number has surged 3,378% to more than 4,000 password attacks per second.2 Password attacks are so popular because they still get results. It’s painfully clear that passwords are not sufficient for protecting our lives online. No matter how long and complicated you make your password, or how often you change it, it still presents a risk.
The good news is that we’ve made a lot of progress toward making passwords a relic of the past. For a while, you’ve been able to sign in to apps and websites using FIDO security keys, Windows Hello, or the Microsoft Authenticator app instead of a password. Since September 2021, you’ve not only been able to sign in to your Microsoft account without a password, but you’ve also been able to delete your password altogether.3 We’re almost there.
And now there’s an even better way to sign in to more places without passwords: passkeys.
If you’re like many people, you probably still use passwords to sign in to most of your websites and apps, most likely from multiple devices. This can translate into hundreds of passwords to remember, unless you use a password manager. With passkeys, instead of creating, managing, remembering, and entering passwords, you access your digital accounts the same way you unlock your device—usually with your face, fingerprint, or device PIN. More and more apps and services are adding support for passkeys; you can already use them to sign in to the most popular ones. Passkeys are so much easier and more secure than passwords that we predict passkeys will replace passwords almost entirely (and we hope this happens soon).
Starting today, you can use a passkey to access your Microsoft account using your face, fingerprint, or device PIN on Windows, Google, and Apple platforms. Your passkey gives you quick and easy access to the Microsoft services you use every day, and it will do a much better job than your password of protecting your account from malicious attacks.
Think of how many times and places you sign in with a password every single day. Is it 10? 50? Not only is this a frustrating experience, it’s also an unreliable way to protect a digital account. Here’s why: When you enter a password to sign in to an account, you’re essentially sharing a secret with the website or app to prove that you should have access to the account. The problem is that anyone who gets a hold of this secret can gain access to your account, and if your password gets compromised and appears on the dark web, the repercussions can be serious.
To make your credentials stronger, an app or website might require you to make your password longer or more complex. But even if you follow all the best practices for creating “strong” passwords, it’s still a trivial exercise for hackers to guess, steal, or trick you into revealing them.
What is phishing?
You may have experienced an attack yourself—you click on a link in an email that seems legitimate, which leads to a website that looks just like the one you’re used to, asking you to enter your credentials. But when you do, nothing happens, or you get an error message. By the time you notice that the URL in your browser address bar is different from the usual one, it’s too late. You’ve just been phished by a malicious website.
Many app and website providers understand that even complicated passwords aren’t good enough to protect your account, so they give you the choice to use two-step or multifactor authentication with approvals and codes sent to your phone, email, or an app. While traditional multifactor authentication can help protect your account, it’s not attacker-proof, and it creates another frustrating barrier between you and your content: all these access attempts, passwords, and codes on all your devices can really add up.
This is why we’re so enthusiastic about passkeys.
Passkeys work differently than passwords. Instead of a single, vulnerable secret, passkey access uses two unique keys, known as a cryptographic key pair. One key is stored safely on your device, guarded by your biometrics or PIN. The other key stays with the app or website for which you create the passkey. You need both parts of the key pair to sign in, just as you need both your key and the bank’s key to get into your safety deposit box.
Because this key pair combination is unique, your passkey will only work on the website or app you created it for, so you can’t be tricked into signing in to a malicious look-alike website. This is why we say that passkeys are “phishing-resistant.”
Even better, all the goodness and strength of cryptographic authentication stays behind the scenes. All you have to do to sign in is use your device unlock gesture: look into your device camera, press your finger on a fingerprint reader, or enter your PIN. Neither your biometric information nor your PIN ever leaves your device and they never get shared with the site or service you’re signing in to. Passkeys can also sync between your devices, so if you lose or upgrade your device, your passkeys will be ready and waiting for you when you set up your new one.
The best part about passkeys is that you’ll never need to worry about creating, forgetting, or resetting passwords ever again.
Creating a passkey for your Microsoft account is easy. On the device where you want to create the passkey, follow this link, and choose the face, fingerprint, PIN, or security key option. Then follow the instructions on your device.
To learn more about creating passkeys for your Microsoft account, visit this guide.
When you sign in to your Microsoft account, you can use your passkey by choosing Sign-in options and then selecting face, fingerprint, PIN, or security key. Your device will open a security window, and then you can use your passkey to sign in.
Figure 1. Signing in to your Microsoft account on mobile devices.
Today, you can use a passkey to sign in to Microsoft apps and websites, including Microsoft 365 and Copilot on desktop and mobile browsers. Support for signing into mobile versions of Microsoft applications using your passkey will follow in the coming weeks.
If you want to use passkeys to sign in to work-related apps and services, your admin can configure Microsoft Entra ID to accept passkeys hosted on a hardware security key or in the Microsoft Authenticator app installed on your mobile device.
In this era of AI, there’s unprecedented opportunity for creativity and productivity that empowers every person on the planet—including billions of Microsoft users who access services for work and life every day—to achieve more. Protecting and accessing your digital life doesn’t need to be a hassle, and you shouldn’t have to choose between simple access and safe access. Accessing your Microsoft account with a passkey lets you put the frustration of passwords and codes behind you, so you can focus on being creative and getting things done.
Happy World Password(less) Day!
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
1Microsoft Password Guidance, Microsoft Identity Protection Team.
2Microsoft Entra expands into Security Service Edge and Azure AD becomes Microsoft Entra ID, Joy Chik. July 11, 2023.
3The passwordless future is here for your Microsoft account, Vasu Jakkal. September 15, 2021.
Microsoft is a leader in cybersecurity, and we embrace our responsibility to make the world a safer place.
Leave a Reply