Microsoft hasn’t quite killed off the password and probably never will. But it’s claiming that the just-released Windows 10 version 1903 or the May 2019 Update makes significant inroads to creating a ‘passwordless’ experience for users.
Microsoft wants to make Windows 10 a password-free platform and has highlighted the tools it has made available so that users can set up and log in to accounts without ever having to create and remember a password.
These tools include adding a passwordless phone number Microsoft account to Windows; using the Microsoft Authenticator app to sign in to Windows for the first time; using Windows Hello to sign in to apps on the web; and a new Windows Hello PIN recovery procedure.
The catch with introducing so many new alternatives to passwords – which everyone knows how to use – is that users will need to be taught how to use them. After all, what is a ‘passwordless phone Microsoft account’, anyway? At the same time, Microsoft like all service providers does not want to create obstacles to signing in to an account and using a product.
“A passwordless phone number Microsoft account is exactly what it sounds like – a Microsoft account that can be created with just your phone number in mobile Office apps like Word, OneNote, or Outlook on your iOS or Android device,” explains Anastasiya Tarnouskaya, a program manager at Microsoft.
More accurately, it doesn’t require a password to create an account but rather relies on users providing an email address or phone number when creating a Microsoft account, for example, to use the Word mobile app on an iOS or Android device.
Windows Hello is Microsoft’s Windows 10 biometric authentication system, which offers users either fingerprint or face authentication using sensors on the device.
With Windows 10 1903, users can go to the Settings app in Windows and add a passwordless phone number Microsoft account to the device. This allows families to add members to a specific device and, from there, use the Microsoft Authenticator mobile app, or an SMS code, to sign in for the first time. Again, no passwords are involved in this process.
To make this happen, Microsoft has introduced a web sign-in interface to the Windows lock screen. In the Accounts section of the Settings app, users can select the ‘Family & other users’ section to add other users.
When family members need to sign in to the device, they would type in their phone number or email account to log in to an account. The person can use the Microsoft Authenticator mobile app to pass a number-based challenge, where two digits are displayed on the desktop sign-in page, and the user needs to pick the matching number that’s displayed on their mobile device.
Windows 10 1903 also introduces the highest level of support for the WebAuthentication standard (WebAuthn) for signing in to websites using biometric readers on devices. Windows Hello already lets users sign in to a Microsoft account with security keys. More recently, Windows Hello in Windows 10 1903 became officially certified as an FIDO2 ‘authenticator’.
Finally, Microsoft has rolled out a new recovery procedure for users who forget their Windows Hello PIN.
Microsoft, Apple, Google, and other major identity providers have made progress in the collective goal of removing passwords from many authentication scenarios. But no company has managed to kill passwords entirely.
Security expert Troy Hunt, who launched – and may soon sell – the popular Haveibeenpwned data-breach alert service, recently pointed out that there is no password killer.
Even with biometric authentication on phones and Windows 10 laptops, users are still being required to employ passwords. iPhone users with FaceID, for example, still need a password to connect to a Wi-Fi network, and still need their AppleID password to restore a backup from iCloud, and also at least a passcode when biometrics fail.
Likewise, Windows 10 isn’t quite truly passwordless, but Microsoft has made Windows 10 into a platform where users can employ alternatives to passwords in many more circumstances than previously.