A desire to replace the password as the world’s default authentication method has been circulating in the tech world for some time, but there have been almost no moves to force the issue to date. That has changed with Microsoft’s new passwordless policy for new accounts, though it is still far from the “death of the password.”
Anyone making a new Microsoft account from May 1 on will be prompted to choose a passwordless option by default. Passwords can still be selected as an option once in the account, and remain in place for those who already have pre-existing accounts, but all users are also given the new option to delete their password entirely and go solely with a passwordless choice.
Is passwordless ready for prime time?
Most of the major tech companies have been pushing passwordless tech for at least several years now, but there has also been broad acknowledgement that this will be resisted heavily by users and that it will probably take years and years of coaxing to shift away from traditional authentication (if it ever truly happens).
Microsoft is thus far being the most aggressive about pushing passwordless, with its primary focus being to get users to set passkeys as an alternative. These cryptographic keys reside on the user's device and are unlocked via facial recognition, a fingerprint or a PIN. Using a PIN might not sound a whole lot more secure than a password, but it requires physical access to the device, and the device strictly limits the number of attempts within a certain time frame.
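To make the mechanism in the previous paragraph concrete, here is an added example that is not code from the article or from Microsoft. It models the general passkey pattern (a per-site public-key credential, as FIDO passkeys are): the authenticator keeps the private key, releases a signature only after a PIN unlock with a small attempt budget, and the site stores nothing but the public key, so nothing reusable across sites or guessable offline ever leaves the device. The relying-party names, the PIN, the three-attempt limit and the lockout behaviour are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// maxPINAttempts is an assumed budget for the demo; real devices add back-off too.
const maxPINAttempts = 3

// Authenticator stands in for the device-side store (constructed model, not
// Windows Hello or Microsoft Authenticator). Private keys never leave it.
type Authenticator struct {
	pin      string
	failures int
	keys     map[string]ed25519.PrivateKey // relying-party ID -> private key
}

func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{pin: pin, keys: map[string]ed25519.PrivateKey{}}
}

// Register creates a key pair bound to one site and hands back only the public half.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Sign unlocks with the PIN (counting failures) and signs the site's challenge.
func (a *Authenticator) Sign(rpID, pin string, challenge []byte) ([]byte, error) {
	if a.failures >= maxPINAttempts {
		return nil, errors.New("authenticator locked: too many PIN failures")
	}
	if pin != a.pin {
		a.failures++
		return nil, fmt.Errorf("wrong PIN (%d of %d attempts used)", a.failures, maxPINAttempts)
	}
	a.failures = 0
	priv, ok := a.keys[rpID]
	if !ok {
		// The key is bound to the site it was registered with; a different
		// site ID simply has no credential here.
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ed25519.Sign(priv, append([]byte(rpID+"|"), challenge...)), nil
}

// RelyingParty is the server side. It stores public keys only, so a breach of
// this table yields nothing that can be replayed or cracked.
type RelyingParty struct {
	id    string
	users map[string]ed25519.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, users: map[string]ed25519.PublicKey{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.users[user] = pub }

// Challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, append([]byte(rp.id+"|"), challenge...), sig)
}

// Login runs one complete challenge/response exchange and reports the outcome.
func Login(rp *RelyingParty, auth *Authenticator, user, pin string) (bool, error) {
	ch, err := rp.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(rp.id, pin, ch)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, ch, sig), nil
}

func main() {
	auth := NewAuthenticator("4821")
	rp := NewRelyingParty("login.example")
	pub, _ := auth.Register(rp.id)
	rp.Enroll("alice", pub)
	fmt.Println(Login(rp, auth, "alice", "4821")) // true <nil>
	for i := 0; i < maxPINAttempts; i++ {
		fmt.Println(Login(rp, auth, "alice", "0000")) // wrong PIN, attempts counted
	}
	fmt.Println(Login(rp, auth, "alice", "4821")) // locked even with the right PIN
}
```

The lockout is what makes a short PIN acceptable here: the PIN only ever gates a signature on the device, it is never sent to the site, and it cannot be tried in bulk the way a leaked password hash can.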
The primary issue for passkeys thus far is that they are supposed to be simpler for the user, but at present are not due to a combination of each tech player pushing their own proprietary software and general compatibility issues across the entire field. The less technically inclined a user is, the more likely they are to reject passkeys and other options for being too unfamiliar and complicated.
Microsoft’s move doesn’t really address that issue. Right now its passwordless approach focuses on its own software ecosystem, pushing users to Microsoft Authenticator or Windows Hello as the source of their passkeys. There does not appear to be formal support for other popular authenticators. And if one wants to back up a passkey digitally, the only option appears to be a Microsoft email service, which itself still falls back to a traditional password. There is the option of using hardware such as a YubiKey, but that adds an extra expense.
Microsoft makes the first coercive move
Google and Apple introduced their own passkey options in 2022, but thus far have not been nearly as forward as Microsoft about pushing them to users. It remains to be seen if this will become an industry standard move, and may depend on the general response to what Microsoft has done.
The cybersecurity world generally does support users moving away from passwords, due to frequent re-use of credentials and increasing aggressiveness and sophistication of password guessing. But finding a user-friendly alternative that appeals to the average person has been a real problem thus far. Password manager adoption is middling at best despite the average internet user now having dozens of (ideally) unique credentials to juggle. Even MFA tends to be a big ask, and adoption of strong anti-phishing methods has not been all that heartening either.
Microsoft’s push will be another interesting experiment in adoption and interest in passwordless methods, but it is very likely that the landscape will need to make huge improvements to interoperability and ease-of-use before the average person is willing to move away from the authentication habits they have become accustomed to.