By: Brad Chacos
A lot of people don’t bother using password managers, and most people’s passwords are terrible. Poor passwords lead to poor security. Microsoft’s making it easier to batten down the hatches by letting you sign into its services using two new methods that don’t require a user name or password.
Starting Tuesday you can sign into your Microsoft Account using either Windows Hello biometric security or a physical security key, the company announced. (You could already use the Microsoft Authenticator app for passwordless sign-on, as well.) The page for a compatible Yubico key says the passwordless authentication works on Outlook, Office, Skype, OneDrive, Xbox Live, Bing, the Microsoft Store, and Windows itself. That’s pretty much everywhere you’d use a Microsoft Account online.
Killing passwords comes with some pretty strict compatibility requirements, though. You’ll need to be running the Windows 10 October 2018 Update, which only re-released to the public a few weeks ago, and Microsoft’s ho-hum Edge browser. You’ll also need to make sure your security key is compatible with the FIDO2 CTAP specification that serves as the secret sauce behind these newfound capabilities.
“How do Windows Hello and FIDO2 devices implement this? Based on the capabilities of your Windows 10 device, you will either have a built-in secure enclave, known as a hardware trusted platform module (TPM) or a software TPM,” Microsoft corporate vice president Alex Simons said in the post announcing the feature. “The TPM stores the private key, which requires either your face, fingerprint, or PIN to unlock it. Similarly, a FIDO2 device, like a security key, is a small external device with its own built-in secure enclave that stores the private key and requires the biometric or PIN to unlock it. Both options offer two-factor authentication in one step, requiring both a registered device and a biometric or PIN to successfully sign in.”
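The mechanism Simons describes, as an added Node.js sketch that is not Microsoft's or the FIDO Alliance's code: the device holds a private key it will only use after a local PIN check, while the service stores just the public key and verifies a signature over a one-time challenge. The class and function names, the sample PIN and the SHA-256 PIN check are assumptions made for illustration; real authenticators speak CTAP2/WebAuthn and enforce the unlock in hardware.

```javascript
const crypto = require('node:crypto');

// Hypothetical stand-in for a TPM or security key: the private key never leaves it.
class Authenticator {
  #privateKey;
  #pinHash;
  constructor(pin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.#privateKey = privateKey;
    this.#pinHash = crypto.createHash('sha256').update(pin).digest();
    this.publicKey = publicKey; // the only value shared at registration
  }
  // Signs the service's challenge only after the local unlock gesture succeeds.
  sign(challenge, pin) {
    const attempt = crypto.createHash('sha256').update(pin).digest();
    if (!crypto.timingSafeEqual(attempt, this.#pinHash)) return null;
    return crypto.sign('sha256', challenge, this.#privateKey);
  }
}

// Hypothetical account service: it stores a public key, never a password or the PIN.
class Service {
  constructor() { this.registered = new Map(); this.pending = new Map(); }
  register(user, publicKey) { this.registered.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is single use
    const key = this.registered.get(user);
    if (!challenge || !key || !signature) return false;
    return crypto.verify('sha256', challenge, key, signature);
  }
}

function signIn(service, user, device, pin) {
  const challenge = service.newChallenge(user);
  return service.verify(user, device.sign(challenge, pin));
}

function demo() {
  const service = new Service();
  const myKey = new Authenticator('4821');    // constructed sample PIN
  const otherKey = new Authenticator('4821'); // unregistered device, same PIN
  service.register('alice', myKey.publicKey);
  const attempt = (device, pin) => signIn(service, 'alice', device, pin);
  return { deviceAndPin: attempt(myKey, '4821'), wrongPin: attempt(myKey, '0000'),
           wrongDevice: attempt(otherKey, '4821') };
}
```

Only the registered device combined with the correct PIN signs in; a wrong PIN or a different device holding the same PIN is rejected, and nothing the service stores can be replayed as a credential.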
You can get started with Microsoft’s passwordless authentication by setting up Windows Hello on your computer, or by registering your physical security key in the Security > More security > Windows Hello and security keys section of your Microsoft Account page while using the Edge browser.
Why this matters: Eliminating the need to use passwords eliminates the temptation to get lazy and reuse weak passwords—a huge boon in these breach-tastic days. And if you’re using a passwordless sign-in option for your Microsoft Account, you’ll be much more likely to identify phishing attempts, too. If you click a link and it asks for your login information, it’s probably not legit.