Microsoft Accounts Go Passwordless By Allowing App-Based Login

Passwordless Microsoft

What differentiate a privileged user and an unprivileged user, is the former knowing the username-password combination of an account.

Without knowing the login credentials, no one should enter, or have access to an online account. Much later, it was then realized that remembering username-password combination can be choir. And this true in the modern days of computing and internet, where people can have too many online accounts to remember.

This is why passwordless login systems are introduced.

Using biometrics for example, users can use their fingerprint or their face, to login into their accounts.

But always, username-password combination is still needed as backup. Like for example, when they cannot login using their biometric identity.

Microsoft goes a step further than that, as it boldly said in a blog post that users can "completely remove the password from your Microsoft account."

To totally replace username-password, Microsoft allows users to shift to the passwordless method using Microsoft Authenticator app or other solution.

When passwordless login is enabled, users re-logging in to a Microsoft account will be asked to give their fingerprint, or other secure unlock, on their mobile phone.

"Only you can provide fingerprint authentication or provide the right response on your mobile at the right time," it said.

So what if they cannot login with their biometrics, like if the authenticator app cannot be accessed because the phone is lost or stolen?

Password or PIN can be used.

But if they want to totally ditch password, they can use Windows Hello facial recognition, which requires a compatible laptop or special camera. Or, users can use a physical security key, which must be used on the device logging in. Other options include Short Message Service (SMS) or email codes.

It should be noted that the last two options are the least recommended, as they are the least secured, and known as the most common methods hackers intercept when attempting to hack someone's account.

It's only in some rare exceptions that Microsoft still requires passwords, like on Office 2010, Xbox 360 consoles, and Windows 8.1 or earlier machines.

To make the passwordless login more secure, Microsoft said that security-conscious users who have two-factor authentication set up, will need to have access to two different recovery methods.

The issues with passwords. (Credit: Microsoft)

"Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives," said Microsoft's Vice President of Security, Vasu Jakkal. "We are expected to create complex and unique passwords, remember them, and change them frequently - but nobody likes doing that."

Microsoft initially made passwordless logins available for Microsoft accounts for business users only in March. This time, the company is making it available to all Microsoft and Windows users.

Microsoft said that "nearly 100% of our employees" were already using the new, more secure system for their corporate accounts.

This move is certainly a welcome move for those who wish to have a better experience by eliminating the restrictions of having to remember login credentials. However, this move is bold, and can be very risky if not done properly. This is because the passwordless login for Microsoft account is not just about logging in to PCs, but it's also logging in to online services as well. And this can include access to sensitive data, like files stored inside the clouds.

But Microsoft's arguments said that passwords are often stolen, or forgotten. What's more, many people use weak passwords, and reuse their passwords for different accounts.

And hackers who breach into online accounts, don't break in. Instead, they log in.

The new passwordless feature greets users with a box saying that "a passwordless account reduces the risk of phishing and password attacks."

"You have increased the security of your account and improved your sign-in experience by removing your password," the notification adds after the feature is set up.