The company announced that all new Microsoft accounts will be "passwordless by default" to protect users from phishing, brute force, and credential stuffing attacks.
In March of this year, the company began rolling out updated login and registration schemes in mobile and web applications, optimized for passwordless authentication and authentication using access keys (passkey).
“As part of this simplified UX, we’re changing the default behavior for new accounts. New Microsoft accounts will now be passwordless by default,” said Joy Chik, president of identity and network access at Microsoft, and Vasu Jakkal, corporate vice president of security at Microsoft. “New users will have multiple options to sign in to their account without a password, and they’ll no longer be asked to enter a password. Existing users can go to their account settings and remove their password as well.”
The company says the best passwordless authentication method will be enabled for every account and set by default. It also aims to move more users to passkeys, which are a more secure alternative to passwords and use biometric authentication (such as fingerprints or facial recognition).
After logging in, users will be prompted to create a passkey and will be able to use that key the next time they log into their account.
"This simplified process allows for faster sign-in times. In our experiments, password usage dropped by more than 20%," Microsoft says. "As more people use passkey, the number of password authentications will continue to decline until we can eventually remove support for passwords altogether."