A lot of people don’t bother using password managers, and most people’s passwords are terrible. Poor passwords lead to poor security. Microsoft’s making it easier to batten down the hatches by letting you sign into its services using two new methods that don’t require a user name or password.
Starting Tuesday you can sign into your Microsoft Account using either Windows Hello biometric security or a physical security key, the company announced. (You could already use the Microsoft Authenticator app for passwordless sign-on, as well.) The page for a compatible Yubico key says the passwordless authentication works on Outlook, Office, Skype, OneDrive, Xbox Live, Bing, the Microsoft Store, and Windows itself. That’s pretty much everywhere you’d use a Microsoft Account online.
“How do Windows Hello and FIDO2 devices implement this? Based on the capabilities of your Windows 10 device, you will either have a built-in secure enclave, known as a hardware trusted platform module (TPM) or a software TPM,” Microsoft corporate vice president Alex Simons said in the post announcing the feature. “The TPM stores the private key, which requires either your face, fingerprint, or PIN to unlock it. Similarly, a FIDO2 device, like a security key, is a small external device with its own built-in secure enclave that stores the private key and requires the biometric or PIN to unlock it. Both options offer two-factor authentication in one step, requiring both a registered device and a biometric or PIN to successfully sign in.”
You can get started with Microsoft’s passwordless authentication by setting up Windows Hello on your computer, or by registering your physical security key in the Security > More security > Windows Hello and security keys section of your Microsoft Account page while using the Edge browser.
Why this matters: Eliminating the need to use passwords eliminates the temptation to get lazy and reuse weak passwords—a huge boon in these breach-tastic days. And if you’re using a passwordless sign-in option for your Microsoft Account, you’ll be much more likely to identify phishing attempts, too. If you click a link and it asks for your login information, it’s probably not legit.
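The mechanism Simons describes and the phishing point above, worked as an added Go example that is not code from Microsoft, Yubico or the article: a simulated authenticator (security key or TPM) holds a P-256 private key, signs the server's challenge only when the PIN is correct and only for the origin it was registered to, and the relying party verifies with nothing but the stored public key. The relying-party name, PIN and challenge used in the test are constructed values.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models a FIDO2 key or the TPM behind Windows Hello: the private
// key never leaves it and signing is gated by the PIN. Constructed example.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	pin  string
	rpID string // relying party (origin) this credential was registered for
}

// Register creates the credential; only the public key is sent to the server.
func Register(rpID, pin string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pin: pin, rpID: rpID}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedMessage binds the server's challenge to the origin that presented it.
func signedMessage(challenge []byte, origin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return h[:]
}

// Assert is the one-step, two-factor sign-in: key present and PIN correct. It
// refuses any origin it was not registered to, so a look-alike page gets nothing.
func (a *Authenticator) Assert(challenge []byte, origin, pin string) ([]byte, error) {
	if pin != a.pin {
		return nil, errors.New("user verification failed: wrong PIN")
	}
	if origin != a.rpID {
		return nil, errors.New("origin mismatch: credential not registered for this site")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(challenge, origin))
}

// Verify is the relying party's side: only the public key and its own origin.
func Verify(pub *ecdsa.PublicKey, challenge []byte, origin string, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedMessage(challenge, origin), sig)
}
```

A real deployment adds a signature counter and attestation on top of this, but the property the article relies on, that the server never holds a secret worth phishing, is already visible here.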