Endpoint Security

Microsoft Pushing for a Passwordless Windows 10

Microsoft wants to make its Windows platform passwordless and the latest Windows 10 release marks one step closer to that goal. 

Passwords have long been said to represent a security issue in today’s always-connected world, especially given that many devices include either default or easy-to-guess credentials, and the industry is pushing toward alternatives.

Multi-factor authentication has been around for a while and many consider it a viable option, especially if combined with strong, unique passwords. Microsoft is seeking alternative authentication methods that could help users enjoy a passwordless login experience on Windows 10.

The latest release of Windows 10, version 1903, allows users to add a passwordless phone number Microsoft account to Windows and to sign in with the Microsoft Authenticator app. Moreover, Windows Hello is now certified as a FIDO2 authenticator for sign-in on the web, and there is a streamlined Windows Hello PIN recovery above the lock screen.

The tech giant now allows users to create a Microsoft account with just their phone number in mobile Office apps (Word, OneNote, or Outlook) on iOS or Android devices. This feature, the company says, unlocks all the benefits of a Microsoft account, but doesn’t require a password.

Users can go to Settings and add a passwordless phone number Microsoft account to their device, which then allows them to sign in for the first time with the Microsoft Authenticator app, or an SMS code, without a password. 

“This is enabled with an added web sign-in capability on the Windows lock screen. After that, Windows Hello is set up for an end-to-end passwordless experience,” Microsoft explains.

The web sign-in capability can be used with any Microsoft account, even email ones, by simply adding a Microsoft account to Windows, signing in with the Microsoft Authenticator app, and setting up Windows Hello face, fingerprint, or PIN for later sign-ins. 

Starting with version 1903 of Windows 10, Windows Hello is a FIDO2 certified authenticator, the FIDO Alliance announced last month, which means that any Windows Hello or FIDO2-compliant Microsoft-compatible security keys can now be used for sign-in to the web on Windows 10.

The feature is already available in Mozilla Firefox version 66 and above, but is also expected to soon be included in Chromium-based browsers such as Microsoft Edge on Chromium. The capability will be available when signing in to a Microsoft account and other websites supporting FIDO authentication.

Now, it’s even easier for users to recover their Windows Hello PIN when they forget it, courtesy of a revamped “I forgot my PIN” experience above the Windows lock screen. Users can now use the Microsoft Authenticator app instead of a password to reset their PIN, Microsoft explains.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
