I replaced my Microsoft account password with a passkey - and you should, too

3 days ago 161

Follow ZDNET: Add america arsenic a preferred source connected Google.

ZDNET's cardinal takeaways

Free Microsoft accounts tin usage passkeys alternatively of passwords.
Passwordless sign-ins are much unafraid and highly phishing-resistant.
Set up aggregate sign-in and betterment options earlier going passwordless.

These days, I'm precise fashionable successful Russia, Ukraine, Moldova, Bosnia-Herzegovina, and adjacent Albania. At least, that's what it looks similar based connected this database of caller attempts to motion successful to my Microsoft account. (That database is disposable for immoderate Microsoft relationship astatine this absorption page: https://account.microsoft.com. After signing in, click Security and past click "View my sign-in activity.")

In my case, those hopeless hackers are wasting their time. They tin effort each operation of letters, numbers, and symbols successful each alphabet known to humanity, adjacent if it takes until the extremity of the universe, and they volition ne'er conjecture the password for my Microsoft account.

Also: What are passkeys really? The elemental mentation - for anyone bushed of passwords

Why americium I truthful confident? Because, agelong ago, I chose the enactment to marque that relationship passwordless.

The lone mode to entree the services connected to my Microsoft relationship is with a passkey that uses biometrics oregon a instrumentality PIN connected my Windows PC oregon a mobile instrumentality I antecedently acceptable up. If immoderate alien wants to motion successful to my relationship connected a caller device, they'll person to person maine to o.k. that sign-in utilizing a instrumentality I ain and control. (Sorry, Ivan, I accidental nyet to unsolicited requests from Russia.)

Should you power from password to passkey?

Microsoft wants you to bash conscionable similar I did and ditch your password.

At the opening of 2025, the institution rolled retired a caller idiosyncratic acquisition that is "optimized for a passwordless and passkey-first experience." These caller features tin beryllium utilized with immoderate escaped Microsoft account. (Administrators of Entra ID accounts that are utilized for Microsoft 365 Business and Enterprise subscriptions and to motion successful to firm networks tin remove the enactment for users to motion successful with passwords but can't region the relationship passwords completely.)

Also: Best VPN services 2025: Our apical picks for velocity and security

So, should you bash it? For astir people, the reply is yes.

Removing your password dramatically increases the information of your Microsoft relationship and makes it acold much resistant to phishing attacks. Once you've removed your password, the lone mode to motion successful to a instrumentality is by proving your individuality utilizing passkeys tied to biometrics (fingerprint oregon look recognition), hardware information keys, oregon syncable passkeys saved successful a password manager.

You besides person the enactment to respond to a propulsion notification connected a trusted device, arsenic shown here.

The lone method crushed not to marque this alteration is if you usage aged apps oregon hardware devices that don't enactment modern authentication methods: Office 2010 oregon earlier; Office for Mac 2011 oregon earlier; Xbox 360; oregon a PC moving Windows 8.1 oregon earlier. You'll besides tally into problems if you usage the Remote Desktop diagnostic to link to different PC utilizing your Microsoft account.

Also: Windows 11 users conscionable got a much convenient mode to store passkeys - here's however it works

Going passwordless is not a measurement you instrumentality casually. Along with that other information comes an accrued hazard that you'll fastener yourself retired of your account. You tin mitigate that hazard by making definite you person aggregate unafraid ways to entree your relationship earlier you region your password.

How to regenerate your Microsoft relationship password with a passkey

Before you begin, download and instal the Microsoft Authenticator app connected your mobile device. It's disposable successful the App Store for iPhone and successful the Google Play store for Android phones.

Ready to get started? Let's go. Oh, and do not skip measurement 5.

Using a browser connected a Windows PC oregon Mac, spell to your Microsoft relationship absorption leafage at https://account.microsoft.com and motion successful utilizing your password. Click the Security tab and past click "Manage however I motion in." That should unfastened a leafage similar the 1 shown here:

This is an relationship I created for trial purposes. It has a password, and I've added an email code to beryllium utilized for verification purposes. Note the 2 options nether the "Additional security" heading -- Passwordless relationship and two-step verification -- are some off.

Click "Add different mode to motion successful to your account." That opens the leafage shown here:

Click the mediate option, "Use an app." This gives you 2 choices. The Microsoft Authenticator app relies connected propulsion notifications; you tin besides acceptable up a classical Time-based One-Time Password (TOTP) authenticator and make six-digit codes you proviso connected request.

Also: 10 passkey endurance tips: Prepare for your passwordless aboriginal now

Click Next to show a QR codification similar the 1 shown here:

Open the Authenticator app connected your mobile device, click the positive motion successful the precocious close corner, and take the Personal relationship option. Scan the QR codification utilizing the smartphone camera to adhd your caller account. The effect should look thing similar this:

If you'd similar to usage different TOTP app, specified arsenic Authy oregon Google Authenticator, click "Use an app." In the "Set up the Microsoft Authenticator" dialog, take the enactment to acceptable up a antithetic Authenticator app. That produces a barroom codification that creates a modular six-digit TOTP codification that you participate erstwhile you request to authenticate.

Note that you tin usage this enactment with Microsoft Authenticator arsenic well. Choose the enactment to acceptable up a antithetic app and past adhd the relationship to Microsoft Authenticator utilizing the supplied barcode. That volition effect successful 2 entries, 1 that uses notifications, the different that uses TOTP codes.

You're not done yet. To support from being locked retired of your account, you'll request astatine slightest 2 different ways to motion in.

If your Windows PC oregon Mac supports biometric authentication, you tin usage that method to make a device-bound passkey.

Click "Add different mode to motion successful to your account" again and take the "Face, fingerprint, PIN, oregon information key" enactment to make a passkey that's tied to that biometric hardware, utilizing Windows Hello with look designation oregon a fingerprint scholar connected a Windows PC, oregon an Apple iCloud Keychain passkey, utilizing Touch ID connected a MacBook. You tin besides usage this enactment with a USB information key.

After mounting it up, you'll motion successful utilizing a dialog similar this one:

If you person a PC moving the latest merchandise of Windows 11, you tin usage Windows Hello to make and prevention passkeys for different sites and services arsenic well. For astir third-party sites, a passkey is an further alternate you tin usage alternatively of a password, not a implicit replacement arsenic it is for a passwordless Microsoft account.

From the dialog successful measurement 1, take astatine slightest 1 of the pursuing options arsenic an further sign-in method.

Click "Email a code" to participate an alternate email code (not the 1 tied to your Microsoft account!) wherever you tin person a code.
Click "Show much options" to show the enactment to participate a telephone fig wherever you tin person a codification via SMS. In summation to your idiosyncratic phone, see adding a telephone fig that belongs to your spouse oregon partner, which gives you an other alternate if your ain telephone is mislaid oregon stolen.
Select "Use an app" and acceptable up a non-Microsoft authenticator app arsenic described successful measurement 2. (Consider mounting up that app connected a telephone different than your superior phone, if possible.)
If your password manager supports this feature, you tin besides make a syncable passkey that you tin usage connected immoderate instrumentality wherever you're signed successful utilizing that software. Dashlane, 1Password, and Bitwarden all enactment this feature.

Also: The champion password managers of 2025: Expert tested

This is your "In lawsuit of emergency, interruption glass" option.

Go backmost to the "Manage however I motion in" leafage from measurement 1 and scroll each the mode to the bottommost of the page. Under the "Recovery code" heading, click the enactment to make a caller code. Print it retired and prevention the codification successful a harmless location. Consider sending a transcript via email to a trusted person oregon household subordinate who tin stash it distant successful lawsuit you request it.

If each other fails, this codification volition marque definite that you tin retrieve your account.

You don't person to bash this measurement close away. All of the passwordless options you acceptable up (Authenticator app, passkeys, and truthful on) volition enactment close away. Give yourself a week oregon 2 to marque definite everything's moving arsenic expected. When you're ready, spell backmost to the "Manage however I motion in" page, scroll to the "Passwordless account" section, and crook that enactment on.

Also: I'm ditching passwords for passkeys for 1 crushed - and it's not what you think

Read Entire Article