Microsoft seems to be betting big on the passwordless future. The company announced yesterday that all new Microsoft accounts will now be “passwordless by default.” Users creating accounts will no longer need to create or remember traditional passwords, instead relying on more secure authentication methods like passkeys, biometrics, or security keys.

This shift comes as part of Microsoft’s participation in the first-ever “World Passkey Day,” which replaces the previously observed “World Password Day.” The company, along with dozens of other organizations, has taken the “Passkey Pledge” to accelerate implementation and adoption of passkeys over the coming year.

The tech giant has observed promising results since introducing passkey support for consumer apps and services last year. Nearly one million passkeys are being registered daily, with impressive success rates. Users signing in with passkeys are three times more successful at accessing their accounts compared to password users – about 98% versus just 32%. Microsoft also notes that passkey sign-ins are eight times faster than traditional password and multi-factor authentication methods.


This move isn’t surprising given the alarming rise in password-based cyberattacks. According to Microsoft, last year saw a staggering 7,000 password attacks per second, more than double the rate from 2023. Adding to that, as highlighted by Ars Technica, an entire cottage industry has formed around phishing attacks that bypass common forms of MFA through “adversary in the middle” techniques.

These attacks can defeat one-time passcodes sent via text or authentication apps, as well as push notifications. The report highlights that WebAuthn-based solutions like passkeys offer superior protection against these threats since they’re cryptographically bound to specific URLs and user devices, making them highly resistant to sophisticated phishing attempts.
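To make the URL binding concrete, here is an added example (not code from Microsoft or the report) of the origin and RP ID checks a WebAuthn relying party runs on a sign-in assertion. The site names, the challenge and the sample assertions are constructed assumptions, and signature verification, which a real server also performs, is left out.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_errors(client_data_json, authenticator_data, *, origin, rp_id, challenge):
    """Return the names of failed binding checks; an empty list means the
    assertion was produced for this site and this sign-in attempt."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("type")
    if client.get("challenge") != b64url(challenge):
        errors.append("challenge")
    # The browser, not the page, writes the origin it actually loaded.
    if client.get("origin") != origin:
        errors.append("origin")
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return errors + ["authenticator_data"]
    # The authenticator hashes the RP ID the credential was used for.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        errors.append("rp_id_hash")
    if not authenticator_data[32] & 0x01:  # User Present flag
        errors.append("user_present")
    return errors

def make_sample(origin, rp_id, challenge):
    """Constructed data: what a browser and authenticator would emit
    for a page served from `origin` requesting `rp_id`."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return cdj, auth

CHALLENGE = bytes(range(32))  # constructed; a real server uses random bytes
SITE = {"origin": "https://login.example.com", "rp_id": "example.com",
        "challenge": CHALLENGE}  # hypothetical relying party
genuine = make_sample("https://login.example.com", "example.com", CHALLENGE)
# A proxy on a lookalike domain can relay the real challenge, but the browser
# still records the proxy's own origin and RP ID.
relayed = make_sample("https://login.example-proxy.test", "example-proxy.test", CHALLENGE)

if __name__ == "__main__":
    print("genuine:", binding_errors(*genuine, **SITE))
    print("relayed:", binding_errors(*relayed, **SITE))
```

A one-time passcode carries no such origin field, which is why it can be relayed through a proxy while a passkey assertion cannot.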

This is also why Microsoft has launched a redesigned sign-in experience with a new visual style that simplifies both sign-in and sign-up processes. The modernized design prioritizes passwordless methods and automatically detects the best available authentication method for each account.

While new accounts will be passwordless by default, existing users aren’t left behind. Current account holders can visit their account settings to delete their passwords if they wish to go fully passwordless.


Microsoft’s journey toward passwordless authentication began a decade ago with the introduction of Windows Hello, which allowed users to sign in using facial recognition, fingerprints, or PINs. Today, over 99% of people signing into Windows devices with Microsoft accounts use Windows Hello.

The company notes that according to the FIDO Alliance, more than 15 billion user accounts worldwide can now sign in using passkeys instead of passwords. For those interested in creating passkeys for their MSFT accounts, head over to this link.

Dwayne Cubbins