Security news that informs and inspires

Windows 10 Moves Closer to a Password-less World

By

Microsoft has been working towards a passwordless world and its latest Windows 10 release features more ways for users to sign in without using passwords.

The latest release of Windows 10, version 1903 (the “May 2019 Update”), gives users the ability to create a Microsoft account with just a phone number, to sign into Windows for the first time with the Microsoft Authenticator, and to sign into web applications using FIDO2-certified authenticator Windows Hello, Microsoft said. There is also a streamlined recovery process for Windows Hello PIN.

Users can create a Microsoft account with just their phone number when using the mobile version of the Office apps (Word, OneNote, and Outlook) on iOS and Android devices. The account based on the phone number has all the benefits of a traditional Microsoft account, but doesn’t require a password.

"A passwordless phone number Microsoft account is exactly what it sounds like – a Microsoft account that can be created with just your phone number in mobile Office apps like Word, OneNote, or Outlook on your iOS or Android device," wrote Anastasiya Tarnouskaya, a program manager at Microsoft.

There is also a new web sign-in interface to the Windows lock screen. Users can add passwordless phone number Microsoft accounts for other people into the Accounts section of the Settings app and give them access to the device. These people would sign in by typing in either the phone number or email account associated with the passwordless account and use the Microsoft Authenticator mobile app to complete the process. The user has to pass a number-based challenge, where the user has to tap in the digits displayed on the desktop sign-in page on the mobile device.

In these cases, the phone number is the unique identifier, but the verification is happening because the user is making the request—using the Office app or using Microsoft Authenticator—from the recognized mobile device.

The web sign-in capability can be used with any Microsoft account—email included—as long as the account is added to Windows and Microsoft Authenticator app is used to sign in for the first time. Once Windows Hello—face, fingerprint, or PIN—is configured for subsequent logins, it becomes an “end-to-end passwordless experience,” Microsoft said.

Windows 10 1903 supports the WebAuthentication standard (WebAuthn) for signing in to websites using biometric readers on devices. Windows Hello became a certified FIDO2 authenticator last fall, and already lets users sign into Microsoft accounts with security keys. With this Windows 10 release, it would be possible to use Windows Hello or compatible security keys to sign in to the web on Windows 10 using Mozilla Firefox. Support for Microsoft Edge on Chromium is on the way.

One key thing to remember is that a password-less world doesn’t actually mean a world with no passwords. There will be passwords for connecting to wireless networks, and to access various services and applications. If nothing else, there has to be a password to act as a backup authentication mechanism when biometrics fail.

Reducing passwords within Windows 10 just helps users streamline how they access some of their necessary systems and services. Anyone who would prefer to stick with passwords can, provided they layer on other mechanisms, such as turning on two-factor authentication, to protect their accounts from password theft.