I am excited to see that Microsoft has moved towards a completely passwordless Microsoft account. This is what Microsoft is calling the future of passwordless. Earlier, in March 2021, when Microsoft announced passwordless authentication, it was limited to organizations rolling it out in hybrid environments such as Azure integrated with on-premises Active Directory.
It is now available to everyone who signs in to Windows 10 / Windows 11 devices with a Microsoft account; you can go completely passwordless using one or more of the sign-in methods Microsoft provides:
- Microsoft Authenticator app – an application installed on your mobile device that is used to approve sign-in requests.
- Windows Hello – lets you sign in using biometrics (face, iris scan, fingerprint) or a PIN.
- Security key – FIDO2 security keys, which use public/private-key credentials.
- Verification code to mobile phone – a notification/code delivered to your phone by SMS.
- Verification code to email – a notification/code delivered to your email address.
Why do we need to implement passwordless?
The first question that comes to mind is why we actually need this. Going passwordless is the combination of convenience and high security.
If we look at the quadrant below, we have to balance Inconvenient / Convenient against Low Security / High Security. Password + two-factor authentication, also known as multi-factor authentication (MFA), increases complexity by adding another layer of authentication. MFA therefore provides high security but makes the process inconvenient for users.
Passwordless authentication, on the other hand, is not only convenient but also provides high security. We may need to break the barrier of old-school thinking to adopt passwordless technology.
Passwords are easy for attackers to guess, and remembering them is inconvenient for you. When an attack happens you may be alerted to change your password, but who can remember yet another new password, until the next attack forces another change? Eventually you can lose track of your password changes unless you use password management software such as 1Password, LastPass or Dashlane.
Benefits of going password-less
Going passwordless gives you the flexibility to sign in on any device using different sign-in methods. For example, with the Microsoft Authenticator app, which generates a software token, you authenticate the sign-in simply by tapping Allow / Deny, with a code displayed at both ends (on the device and in the Authenticator app) to verify.
This means that if someone gets physical access to your device, the attacker still cannot get into your profile without also having access to the additional device that forms the extra layer.
You don’t have to remember the password or save it somewhere. Sign-in is fast, and you can still reset or recover the sign-in details using the recovery code in case you lose your device.
Let’s start the process to go passwordless with your Microsoft account. To remove the password, you need to download and install the Microsoft Authenticator app on your mobile phone (Android or Apple) from Google Play or the App Store.
Click on Security. We need to make sure Two-step verification is set to ON; if not, we have to take care of that first.
On the Security > Security basics page, click on Advanced security options.
Click on Manage to enable Two-step verification.
On the Set up two-step verification page, click Next.
If you haven’t installed and set up the Microsoft Authenticator app, you will be prompted to do so.
Once done, you will see the message Two-step verification is turned on, along with a 25-digit recovery code. It is always recommended to save this code: click Print code and save it as a PDF or printout, or take a picture of it. It will be very useful if you get stuck signing in because none of your devices is with you and you can’t access anything else.
You will be prompted to set up your smartphone with an app password; click Next.
Some applications may work without an app password, but some may still require one; click Finish. We can generate an app password later, which I will show you.
You are back on the Security page, and Two-step verification is now ON.
Under Way to prove who you are, we can see that Send sign-on notification has been added, which shows that the Microsoft Authenticator app is configured. Passwordless account shows as OFF.
We could also have used Add a new way to sign in or verify to achieve the same; in that case we would click Use an app to proceed.
On Additional security, under Passwordless account, click Turn on.
The Set up your passwordless account window will appear; click Next to remove the password.
And there you go: with the message Password removed, click Done.
We can see the passwordless account is set to ON. App passwords is where you can generate an app password if a password is ever required.
You can also click Recovery code to generate a new code if you need to regenerate it because you misplaced the previous one or changed your security settings.
The next time you sign in to your Microsoft account, the device will show Check Microsoft Authenticator along with a specific 2-digit number. Open your mobile phone: a push notification will have arrived asking you to approve the request by choosing from a few 2-digit numbers. Make sure it matches; in my case it is 54, so select only 54 on the mobile device and approve it.
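To make the number-matching step concrete, here is an added illustration in Python. It is not code from this post and not Microsoft's implementation; the class `NumberMatchServer`, the helper `phone_pick`, the three-candidate push and the 60-second lifetime are all assumptions chosen for the example. It models both sides of the exchange: the sign-in screen shows one number, the phone is pushed only a list of candidates, and the server accepts exactly one timely answer that equals the number on the screen. A push the user did not start has no matching number on any screen, so the right answer on the phone is Deny.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical server-side model of number matching, constructed for this
# article. It is not Microsoft's implementation and makes no claim about how
# the Microsoft Authenticator service actually generates or checks numbers.

_sysrand = secrets.SystemRandom()


def _two_digit() -> int:
    """Random number in 10..99, so it always displays as two digits."""
    return 10 + secrets.randbelow(90)


@dataclass
class PendingSignIn:
    user: str
    expected: int           # the number shown on the sign-in screen
    choices: List[int]      # candidates pushed to the phone (expected + decoys)
    created_at: float
    consumed: bool = False  # a request can be answered exactly once


class NumberMatchServer:
    """Issues sign-in requests and decides whether a phone's answer approves them."""

    def __init__(self, n_choices: int = 3, ttl_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.n_choices = n_choices
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested
        self._pending: Dict[str, PendingSignIn] = {}

    def start_sign_in(self, user: str) -> Tuple[str, int]:
        """Called when a sign-in is attempted. Returns (request_id, number to show on screen)."""
        expected = _two_digit()
        choices = [expected]
        while len(choices) < self.n_choices:   # add distinct decoys
            c = _two_digit()
            if c not in choices:
                choices.append(c)
        _sysrand.shuffle(choices)               # position must not reveal the answer
        request_id = secrets.token_urlsafe(16)
        self._pending[request_id] = PendingSignIn(user, expected, choices, self.clock())
        return request_id, expected

    def push_payload(self, request_id: str) -> List[int]:
        """What the push notification carries: the candidate list only, never which one is right."""
        return list(self._pending[request_id].choices)

    def answer(self, request_id: str, chosen: Optional[int]) -> bool:
        """Phone's response; chosen=None means the user tapped Deny.
        Returns True only for a fresh, unexpired request answered with the exact number."""
        req = self._pending.get(request_id)
        if req is None or req.consumed:
            return False                        # unknown, or an already answered (replayed) request
        req.consumed = True                     # one answer per request, right or wrong
        if self.clock() - req.created_at > self.ttl:
            return False                        # stale request; the user must start over
        if chosen is None or chosen != req.expected:
            return False                        # Deny, or a mis-tapped / guessed number
        return True


def phone_pick(choices: List[int], number_on_screen: Optional[int]) -> Optional[int]:
    """The user's side: tap the number that matches the screen, or Deny (None)
    when nothing matches, e.g. a push for a sign-in the user did not start."""
    if number_on_screen in choices:
        return number_on_screen
    return None


if __name__ == "__main__":
    srv = NumberMatchServer()
    rid, shown = srv.start_sign_in("alice@example.com")   # constructed user
    print("screen shows:", shown, "| phone offers:", srv.push_payload(rid))
    print("approved:", srv.answer(rid, phone_pick(srv.push_payload(rid), shown)))
```

The two properties that matter for a defender are visible in `answer`: a request is consumed by its first answer whether right or wrong, so a stray approval cannot be retried, and the phone never receives the expected number, so tapping Approve without looking at the screen is correct only by chance. That is why the step above says to make sure the number matches before approving.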
If you don’t have the Microsoft Authenticator app or your mobile phone with you, you can click I don’t have access to my Microsoft Authenticator app.
This takes you to other ways to prove that it’s you, such as emailing a code or texting a code, or you can also enter your recovery code.
You can see that going password-less brings many benefits: it keeps your account safe while making it easy to sign in to your devices with many different kinds of security methods. If you are missing a device, such as the one with the Authenticator app, no worries: you have the option to use an alternate email address (which must be different from the current one), text a code, or use the recovery code.