Microsoft to Transition from Password-Based Access to Access Keys Beginning August 1

Microsoft intends to disable password functionality in the Authenticator service from August 1 onward, as reported by CNET in May.


Microsoft is making a significant shift in its authentication methods, encouraging users to transition away from traditional passwords towards more secure alternatives. Starting from August 1, users will need to set up new methods for logging into their accounts.

The company has already banned the addition of new passwords to its Authenticator app, a move that signifies Microsoft's commitment to promoting passwordless authentication. This change will affect users who currently rely on the app for password storage. However, rest assured that your existing passwords saved in the Edge browser will still be accessible.

Security experts, including those at CNET, advocate for security keys as a more effective alternative to passwords. These keys, when combined with access keys, PIN codes, graphical keys, and biometric login methods, can provide stronger security, especially in multifactor authentication (MFA) setups.

MFA leverages multiple factors for authentication: something you know (like a password or PIN), something you have (a trusted device or security key), and something you are (biometrics like fingerprint or face scan). By incorporating these additional factors, the risk from weak or compromised passwords is significantly reduced, as attackers would need to obtain or replicate the additional factor, which is usually much harder than stealing a password alone.

For Microsoft accounts, access keys and PIN codes tied to a device offer security benefits because the PIN is device-specific and not transmitted over the network. Biometric methods, such as fingerprint or face recognition, leverage unique physical traits, making them difficult to steal or replicate, thereby increasing security while improving convenience. Graphical keys, while not currently mainstream for Microsoft accounts, can serve as an alternative authentication factor.

The Microsoft Authenticator app supports a passwordless sign-in experience, where users approve a sign-in request by matching codes and providing biometric or PIN confirmation on their device. This active user verification during authentication makes the login process more secure than password-only login or simple MFA approvals.

Traditional passwords remain vulnerable to various attacks, such as reuse, phishing, keylogging, and credential stuffing. By moving towards passwordless authentication and MFA using access keys, PINs, graphical keys, and biometrics, Microsoft aims to promote methods that are less susceptible to these threats.

A recent CNET survey revealed that a significant number of internet users use easy-to-guess passwords and that the same password is often used for multiple accounts. Starting August 1, Microsoft will delete saved user passwords in the Authenticator app, pushing users to switch to access keys or alternative login methods such as PIN codes, graphical keys, or biometrics (fingerprint or face scanning).

In summary, passwordless authentication and MFA using access keys, PINs, graphical keys, and biometrics offer better protection for Microsoft accounts than traditional passwords alone due to factors that are harder to steal or replicate and active user involvement during authentication. Users are strongly encouraged to adopt these methods for enhanced security.


  1. Microsoft's transition away from traditional passwords towards more secure alternatives, such as security keys and biometric login methods, is a significant step towards promoting passwordless authentication.
  2. As users transition to passwordless authentication, they should consider using access keys, PIN codes, graphical keys, or biometrics for their Microsoft accounts, as these methods offer better protection and are less susceptible to various attacks like phishing and keylogging.
