Passwords aren’t as effective a means of preventing account break-ins as they might seem. Three out of four people reuse passwords, and 21 percent of people use passwords that are over 10 years old. (In 2014, the five most popular passwords included “password,” “123456,” and “qwerty.”) Two-factor SMS authentication adds a layer of protection, but it isn’t foolproof — hackers can fairly easily redirect text messages to another number.
There’s good news on that front, though, if you’re a Windows user. Microsoft today announced that users can sign into Microsoft accounts on Microsoft’s Edge browser password-free, either by using Windows Hello — the biometrics-based authentication platform built into Windows 10 — or with a FIDO2-compatible device from Yubico, Feitian, or another manufacturer. Alternatively, they can use a phone running the Microsoft Authenticator app.
Password-free login goes live this week in Windows 10 (version 1809) on Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing, and MSN.com. Alex Simons, corporate vice president at Microsoft’s Identity Division, said that Edge is among the first to implement WebAuthn and CTAP2, and that it supports the “widest array of authenticators” compared to other browsers. He also said that starting next year, the same sign-in experience will come to work and school accounts in Azure Active Directory, and that enterprise customers will be able to preview it before the end of 2018.
“This combination of ease of use, security and broad industry support is going to be transformational,” he said in a statement. “Every month, more than 800 million people use a Microsoft account to create, connect, and share from anywhere to Outlook, Office, OneDrive, Bing, Skype and Xbox Live for work and play. And now they can all benefit from this simple user experience and greatly improved security.”
FIDO2, for the uninitiated, is a standard certified by the nonprofit FIDO Alliance that supports public key cryptography and multifactor authentication — specifically, the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) protocols. When you register a FIDO2 device with an online service, it generates a key pair: a private key that stays on the device and is never sent online, and a public key that is handed to the service. During authentication, the device “proves possession” of the private key, first prompting you to enter a PIN code or password, supply a fingerprint, or speak into a microphone.
Since 2014, Yubico, Google, NXP, and others have collaborated to develop the Alliance’s standards and protocols, including the World Wide Web Consortium’s (W3C) new Web Authentication API (WebAuthn). (WebAuthn shipped in Chrome 67 and Firefox 60 earlier this year.) Among the services that support them are Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter.
So how does Microsoft’s implementation work? When you sign in, the Microsoft account system provides a nonce — an arbitrary one-time-use number — to your PC or FIDO2 device, which uses the aforementioned private key to sign the nonce. The signed nonce and metadata — the latter of which contains information about the circumstances of the login, such as whether you verified your identity through a biometric scan — are sent to the Microsoft account system, where they’re verified using the public key.
Windows’ secure enclave — the trusted platform module (TPM) — stores the private key, and it requires either a face, fingerprint, or PIN for authentication. And the FIDO2 device has its own secure enclave, which stores the private key and requires biometric ID verification or a PIN to unlock it.
“Password-less sign-in is a transformational change to how business users and consumers access devices and applications. It combines industry-best ease of use and security to create an experience people are going to love and hackers are going to hate,” Simons said. “FIDO2 is a key part of Microsoft’s push to eliminate passwords and devices like the YubiKey 5 are a great example of how we’re working with partners to make this transformation a reality.”
How to sign into your Microsoft account without a password
So, wondering how to sign into your Microsoft account password-free? Here’s how to get started:
- Make sure you’re running the Windows 10 October 2018 Update (version 1809).
- Go to the Microsoft account page on Microsoft Edge and sign in.
- Select Security > More security options under Windows Hello and security keys. If you opt to use a FIDO2 key, follow the corresponding setup flow:
  - Identify what type of key you have (USB or NFC).
  - Insert or tap your key as instructed.
  - Create a PIN or enter an existing PIN.
  - Touch either the button or gold disk (if your key has one).
  - Name your security key.
- Next time you sign in, click More Options > Use a security key or type in your username. You’ll be prompted to use a security key to sign in.
Here’s a list of explicitly supported FIDO2 keys. Others that implement FIDO2 and the CTAP2 specification should also work, Microsoft says:
- YubiKey 5C
- YubiKey 5 NFC
- YubiKey 5 Nano
- YubiKey 5C Nano
- Security Key by Yubico
- BioPass FIDO2
- ePass FIDO2-NFC