- Microsoft is betting heavily on a future without passwords
- Passkeys do not need to be remembered and are more secure
- Redmond details its passkey journey
Passwords are no longer good enough, Microsoft said, signaling a shift toward more secure and easier-to-use alternatives.
“At Microsoft, we block 7,000 password attacks per second, almost double what we did a year ago. At the same time, we have seen adversary-in-the-middle phishing attacks increase 146% year over year,” the company said in a new blog post.
“Fortunately, we’ve never had a better solution to these widespread attacks: passkeys.”
It’s time to address passkeys
Passkeys are a more secure alternative to passwords, as the private key is stored only on a local device, such as your phone, and not on leaky servers that can be attacked. There’s no need to enter a passkey on a website either: simply verifying your identity with a biometric authentication app that scans your face or a fingerprint will let you access your account.
This also makes them resistant to phishing, as an attacker would need not only your personal device to log in, but also your physical presence to pass authentication. As an added bonus, you don’t have to worry about forgetting a passkey, since it is not something you memorize and it doesn’t need to be written down or stored in a password manager.
Over the past year, Microsoft has ramped up the rollout of passkeys across its platforms, and in May 2024, passkey support was added to Xbox, Microsoft 365, and Microsoft Copilot.
The slow rollout allowed users to become familiar with the option to log in with a passkey or, as shown on the login page, “face, fingerprint, or PIN,” which users were more familiar with.
After this, Microsoft began “pushing” users to adopt passkeys at important points in the user experience, such as at account creation, after login, and when resetting passwords.
Microsoft also experimented with messaging and found that describing passkeys as “more secure” and “faster” generated click-through rates of 24% and 27% respectively. Additionally, Microsoft did not give users a way to opt out of passkeys outright: the button to decline read “Skip for now.”
Microsoft then moved to remove friction from the sign-in experience by defaulting to passkey authentication whenever it is available as a sign-in method, eliminating the need for users to remember passwords and type them in.
As for the future, Microsoft aims to phase out passwords and introduce a completely passwordless login experience using only phishing-resistant credentials.
However, there is still a long way to go before then, including making passkeys the default, phasing out passwords, and eventually discontinuing password support altogether, so prepare for a password-free future.