Most people are horrible at creating strong passwords. In response, Microsoft has decided to go passwordless by default for new accounts; instead, it suggests users rely on passkeys, push notifications, and security keys.
Although current accounts won’t have to shed their passwords, new ones will try and leave them behind by not prompting you to create a password at all:
As part of this simplified UX, we’re changing the default behavior for new accounts. Brand new Microsoft accounts will now be “passwordless by default.” New users will have several passwordless options for signing into their account and they’ll never need to enroll a password. Existing users can visit their account settings to delete their password.
With today’s changes, Microsoft is renaming “World Password Day” to “World Passkey Day” instead and pledges to continue its work implementing passkeys over the coming year. This time last year, the company implemented passkeys into consumer accounts. Microsoft says it’s seeing “nearly a million passkeys registered every day,” and that passkey users have a 98 percent success rate of signing in versus 32 percent for password-based accounts.
Personally, I am conflicted over this change. Passkeys can improve the baseline security of the average population, especially as more people adopt MFA. However, most Microsoft users will most likely use biometric authentication for the device associated with the account. This could have some drawbacks for threat models involving physical access to a device, but could reduce the harmful effects of data breaches.
Anyways, I am curious to see what everyone else thinks about this issue! A good workaround could be leaving a YubiKey inside a safe somewhere.
If there is no easy cross-functionality and ease of use, with easy import and export of passkeys from all the authentication apps, including password managers and OS-level passkey storage, this will lead to lock-ins like Authy and would in the long term be more detrimental to the user.
I tend to agree, but I will say setting new users up with passkeys (even if you are stuck with Microsoft’s Authenticator) for using Outlook on mobile has been a huge time saver at work. Even if my company didn’t care about security at all, it would be a massive hit to our insurance if we did not have certain measures in place. This has taken a lot of headache out of users having to re-authenticate, including the CEO, on a regular basis when not being on the corporate network.
Passkeys don’t have to be biometric; they can also be a PIN. It should be configurable by the user whether they want to set up biometrics or not. Not sure how they’re doing it, but passkeys don’t force you to use one or the other; you can pick.
That sign-in success rate differential is crazy though. I can personally attest to having much more luck with my family members dealing with their accounts using passkeys than passwords. We hopefully will see more services defaulting to them.
I am also quite skeptical about this implementation of passkeys. Most people who use MFA do it via SMS not U2F or an authentication app. And even if they opt for the latter two, many popular online services will not let you enable MFA via U2F or authentication app if you don’t give them your phone number first. That includes Google and Twitter, and most email providers. So there is clearly a privacy issue because of that requirement but also with biometric authentication.
I also think there’s a cost / digital divide issue. I don’t know if most people have a passkey compatible device, but I don’t. Moreover, if one were to opt for a YubiKey, that can be expensive.
One could argue that getting one YubiKey is not expensive. But if you are security conscious, you know you are going to need more than one in case you lose your default YubiKey. I personally would argue that you’d need at least 3. This is when it becomes quite expensive, and most people are not going to go through that trouble either because of the cost, or out of laziness.