Microsoft Now Offers the Option to (Mostly) Ditch Your Password
As of today, Microsoft is offering people the option to remove passwords from their Microsoft accounts, provided you don’t use certain features or applications on a regular basis.
“For the past couple of years, we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision,” writes Vasu Jakkal, Corporate VP of Security, Compliance, and Identity for Microsoft. “Beginning today, you can now completely remove the password from your Microsoft account. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more.”
The rest of the post focuses on Microsoft’s sales pitch for getting rid of passwords. Passwords are annoying, to be sure. Many people aren’t good at them, as evidenced by the fact that passwords like “password123” and “abcdefg” still frequently show up on leaked lists (unless otherwise prevented by password policies). Tell people to add numbers and special characters, and you can bet “p4ssw0rd!23” will show up on the list.
Microsoft is not wrong when it points out the flaws and shortcomings of existing password systems, but its plan comes with caveats of its own, starting with practical restrictions on who can use the capability. Microsoft indicates you must continue using a password if you use any of the following services:
- Xbox 360
- Office 2010 or earlier
- Office for Mac 2011 or earlier
- Products and services which use IMAP and POP email services
- Windows 8.1, Windows 7 or earlier
- Some Windows features including Remote Desktop and Credential Manager
- Some command line and task scheduler services.
Microsoft notes that if you lose access to the Microsoft Authenticator app, you can still get into your Microsoft account, provided you have defined an account recovery method (the account behind that recovery method is, presumably, still protected by a password). If you have two-step verification enabled, the company adds, you will need to define two recovery methods.
Some of the secondary authentication methods Microsoft supports, such as SMS and email codes, have weaknesses of their own: SMS codes can be intercepted or redirected through SIM swapping, and an email code is only as strong as the password on the email account that receives it. Facial recognition systems like Windows Hello have also been bypassed in the past, most recently a few months ago. The effort required to fool biometric authentication has generally increased in recent years, which makes such systems better options than they once were, but they are not foolproof either.
Even so, Microsoft is probably correct that such methods are, at the least, under far less attack than passwords themselves.
Readers concerned about moving away from passwords from a civil liberties perspective should be aware that biometric authentication is not necessarily protected in the same manner as passwords. A password is unambiguously “something you know,” and as such you can assert a Fifth Amendment right against self-incrimination if asked to provide one. Biometrics like your face and fingerprint are considered “something you are,” and court rulings on whether they can be compelled without consent have gone in opposite directions, with no Supreme Court ruling on the issue. Password cracking and identity theft are more likely to be practical concerns for the vast majority of readers, but if the legal questions matter to you, biometrics are not as protected as passwords.
Whether that’s of much practical value in an era where law enforcement also has access to cracking software from various security firms is a different question. Microsoft’s FAQ has more details on the topic for those who want more information.