Microsoft just enabled password-free logins for all users — how to set it up

Microsoft just enabled countersign-gratuitous logins for all users — how to fix it up

A Microsoft account sign-in prompt on a smartphone.

(Epitome credit: Tada Images/Shutterstock)

After years of promising to kill the password, Microsoft is finally delivering.

You'll now be able to completely abolish the password for your personal Microsoft business relationship (schoolhouse and piece of work accounts won't work) equally long equally you lot are running a recent version of Windows 10 or 11 and have at least two other verification factors.

Every Mac can be hacked past this new flaw, and there's no ready yet
The best password managers to protect all your accounts
Plus: How to sentinel Foundation online for free

These include the Microsoft Authenticator smartphone app, which is required. The others can be a Windows Hullo biometric credential (i.east. your confront or a fingerprint), a hardware security key, or a old passcode sent to you lot via text message or email.

Passwordless login for your Microsoft account should work with nearly of the Microsoft universe, including Edge, Office365, OneDrive, Outlook.com, Skype, Teams and Xbox Live.

However, it won't work on older devices and operating systems, including Windows seven, Windows viii.1 or even Windows 10 upwardly to version 1809; Office 2010, or Role 2011 for Mac; Xbox 360; Windows Phone 8; and the Remote Desktop protocol. For some of these, yous'll be able to ready Microsoft device-specific app passwords.

Why Microsoft is making this change

"Weak passwords are the entry signal for the majority of attacks across enterprise and consumer accounts," wrote Vasu Jakkal, Microsoft's corporate vice-president of security, in a visitor blog post yesterday (Sept. 15). "In that location are a whopping 579 password attacks every 2d — that'south xviii billion every year."

More than 17 years subsequently Bill Gates famously predicted the death of the password, Microsoft has given upwardly trying to get people to create and use strong, unique passwords, Jakkal explained.

"Passwords are incredibly inconvenient to create, remember, and manage beyond all the accounts in our lives," he said. "Nearly a third of people say they completely stop using an account or service rather than dealing with a lost password."

(Tom's Guide disagrees: Strong, unique passwords aren't difficult to handle equally long as you're using one of the best password managers, some of which are free. We'll accept upward this issue with Microsoft privately.)

How to set up Microsoft passwordless logins

Microsoft rolled out passwordless logins to its enterprise customers dorsum in March, and now it's bachelor to consumers besides. Here's how to set it up.

1. Install the Microsoft Authenticator app for iOS or Android on your smarthphone.

two. Log into or create a Microsoft account at https://account.microsoft.com/.

3. Click Security in the top navigation bar on your Microsoft account dashboard page.

4. Click Advanced Security Options on the post-obit page.

5. Click Turn On in the Passwordless Account box halfway downwards the following page, under the heading Additional Security.

vi. Click Side by side in the dialogue box that pops up.

7. Follow the prompts.

8. Approve the confirmation request sent to the Microsoft Authenticator app on your phone.

Should you get rid of your Microsoft countersign?

You tin can already avert typing your Microsoft password without ditching information technology altogether. Almost Windows ten PCs allow yous log in with a device-specific Pin instead of the Microsoft password. If you lot accept the Microsoft Authenticator app, then when you log into your Microsoft account online, y'all're asked to match verification codes instead of using your password.

We're too non sure what happens if you kill your Microsoft countersign and then lose admission to your Authenticator app if your phone dies or you lose it.

Microsoft's support page for passwordless logins states that "yous can still access your Microsoft Account using an alternate recovery method like text message or a backup email address," but the beginning requires a working phone and the 2d, easy access to a PC.

Plus, says the support page, "if you accept 2 Step Verification turned on, you lot volition need to have access to 2 recovery methods," which might be hard to come past in sure situations.

And then we're non almost to surrender our Microsoft account countersign. Jakkal is correct that any password is vulnerable to phishing attacks (unless you use a hardware security key for ii-factor hallmark), merely we're not nevertheless totally comfortable going without one.

More: Windows xi TPM 2.0 requirement suddenly leaves virtual machines users locked out

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has besides been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He'south been rooting around in the data-security infinite for more than xv years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a console discussion at the CEDIA home-technology conference. Yous can follow his rants on Twitter at @snd_wagenseil.