Microsoft has issued a security update for millions of Windows 10 users recommending that they delete their passwords. Not change their passwords; delete them. Completely. For good.
More than two years ago, I first wrote about Microsoft confirming the death of Windows 10 passwords here at Forbes. That intent to totally replace passwords as a method of secure account authentication, the way you log into your Microsoft account, has been a long time coming. But now it is finally here after Microsoft suddenly flipped the passwordless switch this week. And, dear reader, this isn't a case of just hiding your password from view and using Windows Hello facial recognition on a day-by-day basis either. This is getting rid of your password completely.
"You can now delete your password from your Microsoft account," Joy Chik, a corporate vice-president in Microsoft's identity division, confirmed, 15 September. This follows a similar announcement for commercial users in March and now extends a passwordless reality to all consumer users, including those with Windows 10 or 11.
Instead of using a password, once you've deleted it from your Microsoft account, you can simply use the Microsoft Authenticator app instead. When you sign in, a notification will appear on your smartphone and ask if it's you doing that, confirm, and you're in. It really is as secure and straightforward as that. You can, of course, also use Windows Hello, a hardware security key or even a one-time verification code sent by email or to your phone. The common denominator is the total lack of a password in the process.
Does this really mean the end of passwords for Windows 10 users?
This is important, not least because it's a departure from similar promises of a passwordless process where the password remains there as a failsafe backup and remains vulnerable to attack. So I reached out to Microsoft to check that this was the case and asked what the backup options were in this newly passwordless scenario.
"If a user loses access to the Microsoft Authenticator app for whatever reason," a Microsoft spokesperson told me, "they can still recover their account if they have access to their other verification options, such as an email or phone number." As standard, this would simply be one code, and you are back in. However, if the user enables two-step verification on the account, which is still possible and still recommended, then "they will need to provide codes sent to two different verification options."
You might have spotted a problem here if you are using the app on the same phone number as one of those other verification methods. Anyone getting access to your phone could potentially get your primary and secondary authentication details. As always, it's not quite that clear cut as things like biometric controls to get past the lockscreen and a PIN to unlock your sim card if the phone is reset also need to be taken into account here.
OK, that led me to ask about Windows specifically because not everyone uses a Microsoft account to sign in on their Windows platform; some prefer to use a local account instead. This could lead to the confusing situation whereby a user could go passwordless as far as their Microsoft account is concerned but still need a password (even if only in the background behind Windows Hello) for their Windows 10 or 11 access.
The Microsoft spokesperson confirmed that deleting the password from a Microsoft account will provide a "more secure, simple, and fast way to authenticate" and "completely remove your password from your Windows sign-in for added security."
To clarify, this means that Windows 10 or 11 users can take advantage of the improved security on offer without passwords, but they must be using the Microsoft account option to do so. "When you add your Microsoft Account to Windows, you just sign-in and go with access your favorite Microsoft products and services with just one login," the spokesperson says, adding "you can now go passwordless using Windows Hello, where you have the option to completely remove your password from your windows sign in for added security."
Microsoft recommends, therefore, that those users currently signing into Windows with a local account switch to using a Microsoft one instead, and there's a helpful guide to doing that.
Will you delete your Windows 10 password?
Most people within the cybersecurity community I have spoken with about Microsoft flicking this passwordless option switch agree it's a positive move towards more secure authentication for the average user. No, it isn't 100% secure but then nothing is. Even taking into account the physical separation of second-factors I mentioned earlier, and the reliance on your smartphone, it's still a win-win for most people, most of the time. That's becuase most people don't have unique, long, complex, random passwords for every account and use a password manager to, well, manage them. That said, if you do, then there's no real rush to dump your password access route to be honest.
The problem, though, is ensuring those users who would benefit both know the option is available and encouraging them to take it.
"Removing a password has been the challenge in technology since accounts were first hacked, so this might be the closest thing yet to combat it," Straight Talking Cyber video guest this week, and a cyber security specialist at ESET, Jake Moore, says. "Even when attempting to teach people not to reuse passwords, people have tended to form bad habits with their cyber security, and threat actors in multiple cyberattacks have inevitably abused this."
This passwordless development marks the next step in helping make people more aware of their cyber hygiene, Moore says, "but until it is forced, those who illustrate bad habits using poorly constructed passwords may not partake in the feature and could stay unprotected and attached to their reused password."
Maybe Microsoft needs to take a leaf out of the Google book, which recently announced it would become mandatory for YouTube creators that monetize their channels to use two-step verification. Yes, I know this isn't the same as getting rid of passwords, but by forcing the change on users it also dramatically improves their security posture and helps protect them from attack.
Leaving the decision to the user sounds like the right thing to do, of course, but as is the case in the take up of password manager usage (which most everyone agrees is a simple way to improve password security), we know most people won't bother.
"Less reliance on passwords will dramatically help in the future, and it adds a layer of defence which has been the first line of attack in many circumstances," Moore says, concluding, "as more people adopt the idea and start to trust it, this might quickly take off leaving password abuse, such as credential stuffing, a thing of the past."
A step-by-step illustrated guide to deleting your Microsoft account password
Step One: From your Microsoft account security settings, click on 'advanced security options' and then click on 'turn on' passwordless.
From your Microsoft account security settings, click on 'advanced security options' and then click ... [+]
Step Two: Click next, and approve the notification on your smartphone Microsoft Authenticator app.
Make sure you have the Microsoft Authenticator app installed on your phone and click next
When the notification appears on your smartphone, click approve to continue
Step Three: You'll then be notified that the removal of your password was successful, including an email to that effect.
Congratulations, your account is now passwordless and more secure
