Microsoft has announced that users can now delete all passwords from their accounts, and instead sign in with an authenticator app or another solution.
The tech giant has made passwordless accounts available to corporate users of its products since last March.
The system is now available to all Microsoft or Windows users.
The company said that “nearly 100 percent of our employees” are already using the new, more secure system for their corporate accounts.
If passwordless sign-in is enabled, users who sign in again to a Microsoft account will be required to provide their fingerprint, or use another secure unlock method on their mobile phone.
This is much safer than using passwords that can be guessed or stolen, according to Microsoft.
“Only you can provide fingerprint authentication, or provide the right response on your mobile phone at the right time,” she said.
Windows users will still be able to use quick sign-in features like a PIN, though.
Some rare exceptions will still require passwords, such as Office 2010 and others.
If access to the authentication application is lost (for example, if the phone on which it is installed is lost, stolen, or forgotten by the user when updating), back-up options can be used, including Windows Hello facial recognition, which requires a compatible laptop or camera, and short message service (SMS) or e-mail codes.
Microsoft says security-conscious users who have two-factor authentication set up will need access to two different recovery methods to recover their accounts.
Professor Alan Woodward, who is part of a research team investigating passwordless authentication technology at Britain’s University of Surrey, described it as a “very bold move by Microsoft”.
“This is not just logging into computers, but logging into online services as well” – including important ones like cloud storage, he said.
Microsoft presented its motives for adopting the new system in a series of posts.
“Passwords are incredibly inconvenient to create, remember, and manage across all accounts in our lives,” wrote Vasu Jakkal, Microsoft’s vice president of security.
“We are expected to create complex and unique passwords, remember them, and change them frequently – but no one likes to do that,” she added.
Instead, people tend to create unsafe passwords that are easy to remember, following repeated patterns or using the same password on multiple websites.
This has led to hackers guessing those passwords, or to passwords being revealed in a data breach and reused.
Prof Woodward says Microsoft’s statements about password misuse are largely correct.
Passwords are an old concept, he added, and “now maybe it’s time to start looking for something different.”
But there are currently no agreed standards.
Professor Woodward said: “There are a number of different ways it could be done – and it would be good for everyone to come forward, really, and try to find a way to do it.”