It’s time to ditch the passwords. Last week Microsoft announced that it is removing the password requirement for signing in to consumer Microsoft accounts. Passwords remain the primary vector of attack for cyber criminals, and Microsoft’s approach is to remove them from the account entirely rather than keep trying to harden them.

Rather than juggle multiple passwords and logins, users will be able to sign in with the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent by text message or e-mail. Of these, a security key and Windows Hello are phishing-resistant; a texted or e-mailed code is the weakest of the options and can be intercepted or phished, so it should be treated as a fallback rather than the primary method. The change applies to the account itself and to Microsoft apps and services such as OneDrive and Outlook. The company said that users can remove their passwords starting Wednesday, with app and service integration rolling out “over the coming weeks.”

The problem with passwords

In a blog post announcing the change, Vasu Jakkal, corporate vice president of Security, Compliance and Identity at Microsoft, said:

‘Passwords are a prime target for attack. We are expected to create complex and unique passwords, remember them, and change them frequently, but nobody likes doing that either.

Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second—that’s 18 billion every year.’

Alongside other factors, this volume of password attacks has been one of the main drivers for the change.

How it will work

While there are multiple options for signing in, removing the password from an account requires the Microsoft Authenticator app. Once the change is rolled out, users will be prompted to approve a notification in their Authenticator app before the password is removed. If a user does not have the Authenticator app set up, they will be guided through the setup process first, and the password is removed only after the app is enrolled.

Microsoft confirms that the password is not merely hidden but completely removed. In an e-mailed response, a Microsoft spokesperson confirmed there is no way to retrieve the removed password.

It’s important to note that once the password is removed from a Microsoft account, users still have the option to add a password back and return to password sign-in.

While the company has given users replacement options, it has not said how the consumer implementation works under the hood, for example whether it uses the same public key/private key mechanism that Azure Active Directory uses for passwordless sign-in. Last week’s move will not affect enterprise users greatly, as the ability to create a Microsoft account on a company domain was phased out in 2016.

The change is aimed at the growing threat from attacks on weak and reused passwords, the 579 password attacks a second, or 18 billion a year, cited above. Removing the password removes the credential that those attacks target: there is nothing to guess, stuff from a breach dump, or phish. It does not remove the human element entirely, since approving an Authenticator prompt or entering a texted code is still a user decision, so the strongest gains come from the phishing-resistant options.

Microsoft describes its passwordless strategy as a four-step approach:

  • Deploy password replacement offerings.
  • Reduce user-visible password surface area.
  • Transition to passwordless deployment.
  • Eliminate passwords from identity directory.

If you’d like to learn more about this change, you can read the full release here. Or, if you’d like to find out more about Microsoft Security solutions, contact our team.