Microsoft, in its fight for password-less logins, has announced a new milestone. The company now supports security key devices based on FIDO2 standards, meaning you can log in to your Microsoft Account without a password.
How to set up password-less logins?
Specifically, Microsoft has announced support for standards-based FIDO2 security key devices. From now on, users logging in to their Microsoft Account won’t have to enter or remember a password. Password-less authentication covers pretty much everything that you may use on a daily basis, like Xbox Live, Bing, the Microsoft Store, Windows, Outlook, Office, Skype, and OneDrive.
“We just turned on the ability to securely sign in with your Microsoft account using a standards-based FIDO2 compatible device—no username or password required,” Microsoft said in a blog post on Tuesday.
Microsoft is using the Edge browser to enable the security key or Windows Hello support. Moreover, it is the first company to support authentication without a password using the FIDO2 WebAuthn and CTAP2 standards.
To start using the password-less feature, you will need the latest Windows 10 October 2018 Update. After the update, you can easily set up Windows Hello or a physical security key that supports the FIDO2 standard.
Moreover, if your device has a Windows Hello webcam or fingerprint reader, you just need to link a Windows 10 machine to your account so that you don’t have to enter passwords anymore. You can link the device by visiting Microsoft Account settings in Edge.
Is this secure?
Further, Microsoft says that its password-less logins are secure as well. The company notes that the systems won’t easily fall prey to phishing attacks or malware, because users must also indicate their presence with a “local gesture” like a face scan or PIN code.
Microsoft eliminates the need for a password by putting a private key on a trusted platform module (TPM) in the Windows 10 device. This key is used along with the physical key or biometric Windows Hello authentication to verify the credentials stored on the Microsoft servers.
“When you later sign in, the Microsoft account system provides a nonce to your PC or FIDO2 device. Your PC or device then uses the private key to sign the nonce. The signed nonce and metadata is sent back to the Microsoft account system, where it is verified using the public key,” the company says.
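The nonce exchange quoted above, as an added example that is not Microsoft's code and not the real WebAuthn/CTAP2 message format. It is a simplified model using Node's built-in crypto module; the function names, the origin field used as "metadata", and the example.test origins are assumptions made for illustration.

```javascript
// Added example (simplified model, not the WebAuthn/CTAP2 wire format).
const crypto = require('node:crypto');

// Registration: the device creates a key pair; only the public key is stored server-side.
function registerDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, account: { publicKey, pendingNonces: new Set() } };
}

// Server: issue a fresh random nonce and remember it until it has been used once.
function issueNonce(account) {
  const nonce = crypto.randomBytes(32).toString('hex');
  account.pendingNonces.add(nonce);
  return nonce;
}

// Device: sign the nonce together with metadata (assumed here: the origin the browser saw).
function signAssertion(device, nonce, origin) {
  const metadata = JSON.stringify({ nonce, origin });
  const signature = crypto.sign('sha256', Buffer.from(metadata), device.privateKey);
  return { metadata, signature };
}

// Server: check the signature first, then the origin, then single use of the nonce.
function verifyAssertion(account, expectedOrigin, assertion) {
  const signed = Buffer.from(assertion.metadata);
  if (!crypto.verify('sha256', signed, account.publicKey, assertion.signature)) return 'bad-signature';
  const { nonce, origin } = JSON.parse(assertion.metadata);
  if (origin !== expectedOrigin) return 'wrong-origin';
  if (!account.pendingNonces.delete(nonce)) return 'unknown-or-replayed-nonce';
  return 'ok';
}

// Constructed scenario: one good sign-in, a replay of it, and a look-alike origin.
function demo() {
  const SITE = 'https://login.example.test'; // constructed relying-party origin
  const { device, account } = registerDevice();
  const good = signAssertion(device, issueNonce(account), SITE);
  const phished = signAssertion(device, issueNonce(account), 'https://login.example-lookalike.test');
  return [
    verifyAssertion(account, SITE, good),    // 'ok'
    verifyAssertion(account, SITE, good),    // 'unknown-or-replayed-nonce'
    verifyAssertion(account, SITE, phished), // 'wrong-origin'
  ];
}

console.log(demo());
```

Because the server holds only the public key and each nonce is accepted once, a captured response cannot be reused, and a response signed for a different origin is rejected even though the signature itself is valid.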
Previously, Microsoft allowed password-less logins via Microsoft’s iOS and Android Authenticator app. So, support for FIDO2 security keys was the next logical move. Microsoft supports keys from Yubikey and the FEITIAN Biopass key. These are USB keys, which sell for between $20 and $60.
Since Microsoft supports W3C and FIDO Alliance standards, users on Chrome and Firefox will also be able to use the security keys to log into their Microsoft account. However, Chrome and Firefox must also support the FIDO2 standards.
The FIDO (Fast Identity Online) Alliance has for years supported technologies to help people move away from passwords. Members of the FIDO Alliance are big names from diverse fields, like Amazon, Google, Microsoft, Intel, J.P. Morgan Chase and Goldman Sachs.
Others also promoting similar tech
An average user has to remember several passwords and therefore usually chooses weak or repeated passwords because they are easy to remember. Such passwords can be easily compromised, leading to data breaches. So, password-less logins are a good way to avoid such breaches.
Microsoft’s password-less logins are currently limited to personal accounts only. The company, however, plans to add the same support to work and school accounts using Azure Active Directory.
Apart from Microsoft, other big companies have also been promoting password protection. Alphabet and Facebook already allow users to secure their accounts with USB tokens. Alphabet has a key-based offering, which is available to power users through the Gmail service. However, the service requires the use of passwords as well. Apple also supports various hardware solutions, like fingerprint access and facial recognition.
Moreover, these companies have also been supporting built-in password managers and password generators to relieve users of the burden of remembering passwords. Microsoft, however, has long been advocating for a “password-less future,” and considering the progress that the company is making, passwords will soon be a thing of the past.