Microsoft Pushing for a Passwordless Windows 10

Microsoft wants to make its Windows platform passwordless and the latest Windows 10 release marks one step closer to that goal. 

Passwords have long been said to represent a security issue in today’s always-connected world, especially given that many devices include either default or easy-to-guess credentials, and the industry is pushing toward alternatives.

Multi-factor authentication has been around for a while and many consider it a viable option, especially if combined with strong, unique passwords. What Microsoft is seeking is alternative authentication methods that could help users enjoy a passwordless login experience on Windows 10.

The latest release of Windows 10, version 1903, allows users to add a passwordless phone number Microsoft account to Windows and to sign in with the Microsoft Authenticator app. Moreover, Windows Hello is certified as a FIDO2 authenticator for sign-in on the web, and there is a streamlined Windows Hello PIN recovery above the lock screen.

The tech giant now allows users to create a Microsoft account with just their phone number in mobile Office apps (Word, OneNote, or Outlook) on iOS or Android devices. This feature, the company says, unlocks all the benefits of a Microsoft account, but doesn’t require a password.

Users can go to Settings and add a passwordless phone number Microsoft account to their device, which then allows them to sign in for the first time with the Microsoft Authenticator app, or an SMS code, without a password. 

“This is enabled with an added web sign-in capability on the Windows lock screen. After that, Windows Hello is set up for an end-to-end passwordless experience,” Microsoft explains.

The web sign-in capability can be used with any Microsoft account, even email ones, by simply adding a Microsoft account to Windows, signing in with the Microsoft Authenticator app, and setting up Windows Hello face, fingerprint, or PIN for later sign-ins. 

Starting with version 1903 of Windows 10, Windows Hello is a FIDO2-certified authenticator, the FIDO Alliance announced last month, which means that Windows Hello or any FIDO2-compliant, Microsoft-compatible security key can now be used for sign-in to the web on Windows 10.

The feature is already available in Mozilla Firefox version 66 and above, but is also expected to soon be included in Chromium-based browsers such as Microsoft Edge on Chromium. The capability will be available when signing in to a Microsoft account and other websites supporting FIDO authentication.

Now, it’s even easier for users to recover their Windows Hello PIN when they forget it, courtesy of a revamped “I forgot my PIN” experience above the Windows lock screen. Users can now use the Microsoft Authenticator app instead of a password to reset their PIN, Microsoft explains.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
