You Can Now Log Into Microsoft Accounts Without a Password
To paraphrase Winston Churchill, passwords are the worst form of online security, except for all the others.
Still, companies do their darnedest to replace passwords with something less likely to be exposed in a data breach. Microsoft is the latest to try something new. As of yesterday (Nov. 20), anyone with a FIDO2 physical security key and the latest version of Windows 10 can sign into their Microsoft online accounts with the key plus a fingerprint or a PIN, and no password at all.
Alex Simons, corporate vice president of program management for the Microsoft Identity Division, wrote about the new development on the Microsoft Office blog.
The process sounds remarkably simple, provided you have the right tools. All you need is a Windows 10 computer running version 1809 (the October 2018 Update), a Microsoft account, the Microsoft Edge web browser and a physical FIDO2 USB security key.
Set it up
If you have a security key and want to try it out for yourself, here's how it works: First, update Windows 10 to the October 2018 Update, if you haven't already. Then, log into your Microsoft account page in Edge, using your Microsoft username and password. (Yes, you still need a password to set this up; the end of passwords as we know them hasn't arrived just yet.)
Click on Security, then More security options, and locate the section entitled Windows Hello and security keys. From there, just follow the instructions on the page, and Microsoft will let you use your security key to bypass your password when signing into Microsoft online accounts from now on.
FIDO2 security keys verify that it is really you either with a fingerprint reader built into the key or with a PIN you type on the PC; which one you use depends on your key model and your preferences. To be fair, FIDO2 is a FIDO Alliance and W3C standard that Google helped develop; Microsoft just got its implementation to market faster than Google's, which is still in beta phase.
(Microsoft also points out that you can log into Microsoft accounts on Edge with Windows Hello fingerprint or facial recognition on compliant PCs, but that feature is not new. Windows Hello also lets you unlock a PC's screen, which the security key won't do.)
How it works
If you've never considered using a security key before, it offers a number of advantages. The key itself is a small USB dongle that you can plug into any computer. (Some keys also have NFC chips to work with smartphones.)
When you register a FIDO2 key, it generates a fresh public/private key pair that is unique to Microsoft's site. The public key is sent to Microsoft and stored with your account; the private key never leaves the security key. At each login, Microsoft sends a random challenge, the key releases a signature over that challenge only after you have touched it and supplied your fingerprint or PIN, and Microsoft checks the signature against the stored public key. The PIN or fingerprint is verified locally on the key or the PC and is never transmitted, and because the signed data is tied to the website's identity, a signature collected by a look-alike site is useless on the real one.
As such, security keys are about as resistant to phishing and credential theft as consumer sign-in gets, unless you lose one or forget to bring it with you, of course. Therein lies the new feature's one potential pitfall: while it lets you log into your Microsoft accounts without a password, it doesn't actually eliminate the password, which remains a valid backup credential on the account.
As such, if your password gets exposed through social engineering or a data breach, an attacker could still log into your account with it. (Unless you have two-factor authentication activated, of course, which Microsoft also offers and lets you set up using your security key.) Having a security key makes your own logins easier and more secure; on its own it does nothing to stop a malefactor who still has the password route available.
Still, security revolutions don't happen overnight, and Microsoft's easy security key integration sounds like a smart integration of a useful tool. Don't forget that your Microsoft account comprises a lot of different services: email, Office, Skype, Xbox Live and more.
Combined with an authenticator app as a backup form of verification, a security key could keep both your productivity and gaming information out of a lot of potentially dangerous hands.