Microsoft IT

Microsoft Makes New Accounts Passwordless by Default

Microsoft has taken its most significant step yet toward eliminating passwords by making new Microsoft accounts "passwordless by default." New users will never need to create a password; instead they sign in with methods such as biometrics, a device-bound PIN, or a security key, each of which unlocks a credential held on the device rather than sending a shared secret to the server.

The move builds on Microsoft's decade-long push toward passwordless authentication that began with Windows Hello in 2015. According to company data, passkey sign-ins are eight times faster than password and multi-factor authentication combinations, with users achieving a 98% success rate compared to just 32% for password users. Microsoft also said it now registers nearly one million passkeys daily across its consumer services.

  • what dummies lmao (Score:5, Insightful)

    by Anonymous Coward on Thursday May 01, 2025 @08:10PM (#65345943)
    A PIN is nothing more than a password.
    • I was going to ask a legitimate question (on /.? I know!) on that very point. How is a 4 digit pin more secure than a random password? If anyone can explain this, please and thank you

      • I don't think it is but your average user likely doesn't use a random password. If someone has physical access and the know-how, they will break either in short order. A random 4 digits is "good enough" versus the alternative of "password1!"

        At least that's a guess for me; on setup they definitely push you towards a biometric if it knows the machine supports it.

        • It may be worse... (Score:5, Informative)

          by Roger W Moore ( 538166 ) on Thursday May 01, 2025 @09:29PM (#65346107) Journal

          I don't think it is but your average user likely doesn't use a random password.

          True, but your average user probably does not use a random PIN either, making it easier to guess, and, because banks also use PINs, it probably means that an attacker now has access to their bank account as well.

          • True, but we can only do so much if at this point people want to do that. It is 2025 and we all know that's dumb; I think that person is screwed regardless if that's the only measure. Thankfully the biometric stuff has gotten good enough to where it's far more convenient.

        • >"I don't think it is but your average user likely doesn't use a random password. If someone has physical access and the know-how will break either in short order."

          * No system should allow repeated failed login access without delays between each attempt.

          * No system should allow unlimited login attempts. After X tries, there should be an extra-long delay and other actions. That might be reporting it to someone, locking the login, blocking the source for X minutes/hours or forever, etc.

          For most systems/s
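The two throttling rules in the comment above, written out as an added example (not code from the commenter, from Slashdot or from Microsoft): a per-source failure counter with a delay that doubles after every failed attempt, and a hard lockout after a maximum number of tries that is returned as a signal so the caller can alert the owner, log it or block the source. The policy numbers, the `user/IP` source key and the explicit clock are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Throttle implements the two rules above: a growing delay after each failed
// attempt, and a hard lockout with an alert hook after maxTries. The policy
// numbers are assumptions to tune per system.
type Throttle struct {
	maxTries  int
	baseDelay time.Duration
	lockout   time.Duration
	state     map[string]*attemptState
}

type attemptState struct {
	failures    int
	notBefore   time.Time // earliest time the next attempt is accepted
	lockedUntil time.Time // zero unless a lockout is in force
}

func NewThrottle(maxTries int, baseDelay, lockout time.Duration) *Throttle {
	return &Throttle{maxTries: maxTries, baseDelay: baseDelay, lockout: lockout,
		state: map[string]*attemptState{}}
}

// Allowed reports whether source (a username, an IP, or both) may attempt a
// login at time now and, if not, how long it must wait. The clock is passed
// in so the policy can be tested without sleeping.
func (t *Throttle) Allowed(source string, now time.Time) (bool, time.Duration) {
	st, ok := t.state[source]
	if !ok {
		return true, 0
	}
	if !st.lockedUntil.IsZero() {
		if now.Before(st.lockedUntil) {
			return false, st.lockedUntil.Sub(now)
		}
		delete(t.state, source) // lockout expired: start clean
		return true, 0
	}
	if now.Before(st.notBefore) {
		return false, st.notBefore.Sub(now)
	}
	return true, 0
}

// Record updates the counters after the credential check returned ok. It
// returns true when this failure tripped the lockout, so the caller can alert
// the owner, log it, or block the source.
func (t *Throttle) Record(source string, now time.Time, ok bool) bool {
	if ok {
		delete(t.state, source) // a success clears the failure history
		return false
	}
	st := t.state[source]
	if st == nil {
		st = &attemptState{}
		t.state[source] = st
	}
	st.failures++
	if st.failures >= t.maxTries {
		st.lockedUntil = now.Add(t.lockout)
		return true
	}
	// Exponential backoff: base, 2*base, 4*base, ...
	st.notBefore = now.Add(t.baseDelay * time.Duration(1<<uint(st.failures-1)))
	return false
}

func main() {
	th := NewThrottle(4, time.Second, 15*time.Minute)
	src := "10.0.0.7/alice" // constructed example source
	now := time.Now()
	for i := 1; i <= 4; i++ {
		ok, wait := th.Allowed(src, now)
		fmt.Printf("attempt %d: allowed=%v wait=%v\n", i, ok, wait)
		if th.Record(src, now, false) { // every attempt uses a wrong password
			fmt.Println("lockout tripped: alert the account owner")
		}
		now = now.Add(8 * time.Second) // caller waits out the backoff
	}
	ok, wait := th.Allowed(src, now)
	fmt.Printf("after lockout: allowed=%v wait=%v\n", ok, wait)
}
```

Keying the state on user and source address together is what stops one attacker from locking out everyone (key on user only) or spreading guesses across many users from one address (key on IP only); the lockout return value is the hook for the "reporting it to someone" part of the comment.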

      • by GrahamJ ( 241784 )

        As long as the number of tries is very limited and the PIN is not easily guessable I don't think it makes much difference how much entropy there is.

        • As long as the number of tries is very limited and the PIN is not easily guessable I don't think it makes much difference how much entropy there is.

          ...So then why is "${SIGNIFICANT_YEAR}" secure, but not words? Four-digit numerical PINs are secure now, but lower-case dictionary words aren't?

          Passwords became unwieldy because we tried to improve security by mandating complexity, but suddenly 'limiting tries' is all it takes for four-digit numbers to become 'secure' again?

          • by thsths ( 31372 )

            > Passwords became unwieldy because we tried to improve security by mandating complexity, but suddenly 'limiting tries' is all it takes for four-digit numbers to become 'secure' again?

            Basically, yes. Password complexity only matters if we assume that the hash has been compromised. I am not sure why we are ok with that assumption - if the hash is compromised, maybe we should assume that the whole system is compromised?

            The PIN is stored on the TPM (hashed or not really does not matter), so we assume it can

      • by darkain ( 749283 )

        the org i'm in has the same complexity requirements for "pins" as they do "passwords" (yes, all character classes, min length, no repeating, etc)

        ya, shit sucks

      • by bbourqu ( 690731 )
        If I understand it correctly the PIN is local to the local device and uses the TPM to encrypt the login information. I just set up a Win 11 laptop for my wife and after she logged in and set up Windows Hello she only uses her PIN. Here's an article from Microsoft about it: https://www.microsoft.com/en-u... [microsoft.com]
        • And you could do the exact same thing with a password. Because a PIN is a password, but maybe with fewer complexity requirements. Otherwise, it's still a string of characters entered into a password field.

      • PINs don't have to be 4 digits. I use a smart card for login at work, and the PINs are required to be at least 8 digits long. The system is 2-factor. The PIN is something I know. The smart card is something I have. The PIN essentially verifies the smart card, and then the certificates on the smart card, which are much higher security, are used for everything else.
        • You know how you could make that even more secure? Allow the pin to use letters and special characters in addition to numbers to dramatically increase the problem space!
          • by thsths ( 31372 )

            And require the PIN to be 24 characters long?

            You know what would be even more secure?

            Make the PIN 1000 characters long.

          • You can actually choose on your Windows settings to allow letters and other characters in your Windows PIN...

      • Probably because a PIN can only be used locally on the device it is set up on, to unlock a security key that is then used for remote authentication.
        You need physical access to a device to try and break the PIN.

    • A short, insecure password. Why phone banking apps use a 4-digit pin is beyond me.
      • Because that's not the whole story. PIN is a single factor. When you call, you are providing at least two factors and maybe more. My typical experience is like 3 factors.

        And then there's the fact that bank transactions can be reversed when fraud occurs.

        The actual incidence of this sort of fraud is pretty minimal when compared to - say - sending a credit card # over the web to a TLS compliant site.

    • Re:what dummies lmao (Score:4, Informative)

      by mysidia ( 191772 ) on Thursday May 01, 2025 @09:05PM (#65346067)

      Huge difference for this case. The PIN is only locally significant and used to unlock a credential stored on your device.
      Your PIN is never sent over the network like a login password is.

      What makes passwords vulnerable is they are used directly in an authentication protocol.
      With locally significant PINs the PIN is not part of the authentication protocol. The authenticator is on your computer, and the PIN is simply used as an additional factor to unlock the authenticator on your computer.

      • by MeNeXT ( 200840 )

        So what is being sent? A password? Why do I need to send anything over the network when I'm logging into my system?

        • by caseih ( 160668 )

          I'm surprised by this question. This is slashdot. We push https and ssh keys, both of which don't send private keys over the wires. Cryptographic challenges are used, with the keys remaining local. To be secure, MS must be doing something very similar. Perhaps even storing your keys in the TPM under Windows.

        • A session key negotiated similar to (but not) Diffie-Hellman key exchange using TLS and the PKI to ensure secured communication with the authentication provider.

          Look up the FIDO protocol for more info.

          • by MeNeXT ( 200840 )

            That can be accessed by a PIN? Why not just keep the password and send the key? I use FIDO. I don't need a 4 digit PIN.

            • by mysidia ( 191772 )

              Why not just keep the password and send the key?

              This is to ensure normal humans can remember their password without having to write it down. The idea is you should use a simple password to help minimize the chance you forget the password. Brute force is prevented by the nature of the authentication protocol. Also the local device will have a tries counter. For example: If you insert your Yubikey and get the PIN wrong 3 times, then the token will be locked out and no more attempts are possible.

              • >"This is to ensure normal humans can remember their password without having to write it down."

                People wouldn't have problems remembering their password if stupid, outdated, "security practices" didn't force them to change the password all the time. Way before NIST (I think it was) *finally* admitted that aging passwords *reduced* security, I was fighting with auditors who insisted that I should implement password aging. So of course they have to be poorer quality, and written down. And of course all

        • "Why do I need to send anything over the network when I'm logging into my system?"

          You don't have to. You can still set up a fully local account, but this will have a password.

          Passwordless (secured by multi-factor) would be a bit complicated for users to set up locally, but a motivated individual could do it.

          There are benefits to having this sort of service though. Your laptop might be stolen and if your accounts are all associated with MS through this scheme, you can remotely remove access from everything tha

          • by MeNeXT ( 200840 )

            If the laptop is stolen I don't have the key. Right now I have an encrypted DB that I can copy/move from system to system. I need a password to access my system and another for the DB. If my laptop is stolen the disk is encrypted and requires a password and another for the DB key to access the passkeys. How is a PIN more secure than my passwords?

            Why would I entrust a company that is changing its business model to make me a product with my credentials?

            This is just more lock-in for the lazy. If it's importan

      • Huge difference for this case. The PIN is only locally significant and used to unlock a credential stored on your device.
        Your PIN is never sent over the network like a login password is.

        What makes passwords vulnerable is they are used directly in an authentication protocol.
        With locally significant PINs the PIN is not part of the authentication protocol. The authenticator is on your computer, and the PIN is simply used as an additional factor to unlock the authenticator on your computer.

        Ok, that makes a bit of sense. Thanks.

      • by Bongo ( 13261 )

        Everyone now focus on compromising the device instead.

    • Sure, others have said similar. No, locally allowing your private key to be involved in answering challenges is not the same thing. As the "unlock" is all local. Microsoft uses separate key pairs for each mechanism used (pin, face, finger, etc.). But, presence (locale) of keys (talking private side)?? Perhaps a problem. So, I think there are still too many "chicken and egg" scenarios. Also, the concept of what is called "passkeys" and Windows Hello are different... so, if about the former, there is som
    • by taustin ( 171655 )

      And generally, a much less secure one, being, usually, 4 or 6 digits, often numbers only.

    • I suspect they mean "pin and something else", e.g. a device such as a phone.
  • by Gravis Zero ( 934156 ) on Thursday May 01, 2025 @08:13PM (#65345947)

    If only they could make it so that not only isn't a Microsoft account needed, but also that they don't hound you to make a Microsoft account.

    Windows used to be nice but proprietary and now it's an unending hellscape of nags. I FUCKING HATE WINDOWS.

    • Linux just entered the room.

    • I assume there are still pro editions of Windows where this stuff is more straightforward. If you have opinions on how your machine should be secured, the home edition is not targeted at you.

      • by taustin ( 171655 )

        Pro (and I believe Enterprise) have a trick during setup, where you tell it you're going to join a domain (which lets you finish setup with a local account), then never join the domain.

        Nagging to sign into a MS account, however, seems to be eternal.

        • by Ormy ( 1430821 )
          Nope, Win10 enterprise never nags me for anything, ever. Although I have an MS account (which I use for playing microsoft's multiplayer video games like Halo) I have never had the OS itself logged in, never even been asked. Also onedrive, cortana, edge, xbox game bar, automatic updates (I apply security updates manually at my convenience), telemetry and all other bloat all permanently disabled.
  • All we need now... (Score:5, Insightful)

    by Excelcia ( 906188 ) <slashdot@excelcia.ca> on Thursday May 01, 2025 @08:20PM (#65345957) Homepage Journal

    ....is Microsoft Accountless.

    • ....is Microsoft Accountless.

      I've been Microsoft Accountless since... let me see... oh, that's right! I've never had a Microsoft account!

    • Heyyy... pssst.... over here .... we got what you want ... accountless Windows... but it'll cost ya... hehe

      Umm. Legit question: is there any such thing? Maybe if you have a site license for a big co or gov you can customize your accounts?
      • Aside from regular old local accounts, you can absolutely set up your own enterprise authentication scheme. For example, some companies use their Google app logins to log in to their Windows machines.

        • So this is much worse than I imagined. It's not like an unpatched webserver ... it's outsourcing your entire authentication infrastructure. That's a bad strategy for self preservation. But thanks for answering my question.
          • >"it's outsourcing your entire authentication infrastructure. That's a bad strategy for self preservation."

            Yep.

            What happens when that outside company has a technical problem? Or has to comply with some new policy or law? Or has to turn over access without your knowledge to law enforcement? Or just doesn't like you for whatever reason?

            "You will own nothing and be happy" Hmm...

        • You can't bring home a computer and have just a regular old local account any more. Not without going to extreme heroics. If you've found a way, please show your work.

          And your average home user shouldn't have to set up an enterprise authentication scheme.

  • "more secure" depends on your definition of security.

    first off, the finger print reader on my main windows laptop for work is absolute dogshit, forcing me to revert back to normal passwords anyways.

    next, i have no real method of transferring those credentials to another machine.

    and no, they are NOT faster. this is only true for things like cell phones that you physically hold. my work laptop? its docked. i need to get up out of my chair to get to the finger print reader. and yes, i know not everyone has thi

    • next, i have no real method of transferring those credentials to another machine.

      that is a feature. The whole point is the credentials are not transferable, therefore not subject to being stolen or reused elsewhere.

      • next, i have no real method of transferring those credentials to another machine.

        that is a feature. The whole point is the credentials are not transferable, therefore not subject to being stolen or reused elsewhere.

        Lovely. So you have to have separate credentials for every machine you log into. This won't slow down people who need to work on multiple machines in the least.

        • You sit down at any machine and use the same key (hardware, biometric, whatever), which gets combined with the device key to allow access to services.

          As the old adage goes, security is something you know and/or something you have.

          When signing into your machine you know the PIN and have the key fob (or fingerprint).

          Once you've signed in though, the services you use can leverage this scheme to tie your access to the device itself. That device key is what you can't transfer. So each new device will likely requ

  • by fahrbot-bot ( 874524 ) on Thursday May 01, 2025 @08:48PM (#65346013)

    The change means new users will never need to create a password, instead using more secure authentication methods like biometrics, PINs, or security keys.

    I just set up two Windows 11 systems for a friend and used the little checkbox at PIN creation to allow both letters and numbers, so a PIN can be like a password -- ignoring how they're stored by the back end. Anyway, that was easier for them to remember than just (more) numbers.

  • I don't want to have to deal with 2FA when logging into my device. Lots of things cause you to have to re-auth and when that happens I want to use a password.

    I can safely configure a local account that way whereas it's less secure if I'm required to use an internet account. So, don't force the use of MS accounts.

    • If this was a swipe pattern like on an android phone I don't think I'd blink an eye ... it must be optional in the settings though, like password on screensaver.

      but I'd balk if it required biometrics... Recall is already a non starter... also Microsoft products are 30% generated code according to the boss over there... so that explains why it's garbage use plus anyone using Microsoft is a true serf now... property... irritating AND sad.
    • I can safely configure a local account

      Actually not. Local accounts can easily be thwarted by enabling the hidden Administrator account. https://www.makeuseof.com/wind... [makeuseof.com] Even if you disable this account, it can be worked around by using a PE Boot loader.

      Before Windows started pushing people to use Microsoft accounts, when friends would ask me to fix their computers, I never needed to ask them for their passwords. I would just log in as Administrator (which has no password) and do what I needed to do.

      The one good thing about Microsoft accounts,

  • did you really just say that a base 10 4 digit number is more secure than words

    slashdot has fallen

    • by mysidia ( 191772 )

      Yes. Because even a single-character password using only digits 0 - 9 is more secure as an authorization PIN to unlock a cryptographic authenticator than the strongest possible online login password you can possibly imagine.

      All passwords sent over the network automatically become insecure

      Password-based authentication to a server inherently has zero resistance to phishing. And zero resistance to verifier compromise.
      Login passwords also have a high chance of being reused by the user, and then if ANY
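For mysidia's point here, and the earlier "locally significant PIN" comment above, here is an added example of the shape of a FIDO-style login; it is not code from the thread, from Slashdot or from Microsoft. The server stores only a public key and issues a random challenge. The device holds the private key sealed under a key derived from the PIN and a per-device secret that never leaves it (standing in for the TPM), counts wrong PINs, and signs the challenge together with the relying-party identifier, so a response produced for a look-alike site does not verify at the real one and a dump of the server database gives an attacker nothing to crack. The sealing scheme, the retry limit, the names and the rpID handling (in real WebAuthn the browser supplies the rpID from the page origin; here the caller passes it in) are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server is the relying party. After registration it holds only a public key,
// so a dump of its database gives an attacker nothing to crack or replay.
type Server struct {
	rpID   string
	pubKey ed25519.PublicKey
}

// Authenticator stands in for the device. The private key is sealed under a
// key derived from the PIN plus a per-device secret that never leaves the
// device (the TPM's role), behind a retry counter. Assumed scheme, not Microsoft's.
type Authenticator struct {
	deviceSecret, nonce, sealedKey []byte
	maxRetries, retriesLeft        int
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: nothing sensible to do
	}
	return b
}

// aeadFor derives the key-encryption key from PIN and device secret. Without
// the secret the PIN is useless, so a short PIN cannot be guessed offline.
func (a *Authenticator) aeadFor(pin string) cipher.AEAD {
	h := sha256.New()
	h.Write(a.deviceSecret)
	h.Write([]byte(pin))
	block, err := aes.NewCipher(h.Sum(nil)) // 32-byte digest selects AES-256
	if err != nil {
		panic(err) // impossible for a 32-byte key
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Register runs on the device: generate a key pair, seal the private half
// under the PIN, give the server the public half only.
func Register(rpID, pin string, maxRetries int) (*Server, *Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	a := &Authenticator{deviceSecret: randomBytes(32), maxRetries: maxRetries, retriesLeft: maxRetries}
	gcm := a.aeadFor(pin)
	a.nonce = randomBytes(gcm.NonceSize())
	a.sealedKey = gcm.Seal(nil, a.nonce, priv, nil)
	return &Server{rpID: rpID, pubKey: pub}, a, nil
}

// signedMessage binds the signature to the site the client is really talking
// to, so a response collected by a look-alike site fails at the real one.
func signedMessage(challenge []byte, rpID string) []byte {
	return append(append([]byte{}, challenge...), []byte(rpID)...)
}

// Sign unlocks the private key with the PIN and signs the challenge. The PIN
// is consumed here on the device; nothing derived from it goes on the wire.
func (a *Authenticator) Sign(pin, rpID string, challenge []byte) ([]byte, error) {
	if a.retriesLeft <= 0 {
		return nil, fmt.Errorf("authenticator locked: PIN retry limit reached")
	}
	priv, err := a.aeadFor(pin).Open(nil, a.nonce, a.sealedKey, nil)
	if err != nil { // GCM tag mismatch: wrong PIN
		a.retriesLeft--
		return nil, fmt.Errorf("wrong PIN, %d tries left", a.retriesLeft)
	}
	a.retriesLeft = a.maxRetries
	return ed25519.Sign(ed25519.PrivateKey(priv), signedMessage(challenge, rpID)), nil
}

// Challenge is a fresh random nonce, so a captured response cannot be replayed.
func (s *Server) Challenge() []byte { return randomBytes(32) }

// Verify checks the response against the stored public key and the server's own rpID.
func (s *Server) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(s.pubKey, signedMessage(challenge, s.rpID), sig)
}

func main() {
	srv, auth, _ := Register("accounts.example", "2580", 3)
	ch := srv.Challenge()
	sig, _ := auth.Sign("2580", "accounts.example", ch)
	fmt.Println("genuine response verifies:", srv.Verify(ch, sig))
	phished, _ := auth.Sign("2580", "accounts-example.evil", ch)
	fmt.Println("relayed phishing response verifies:", srv.Verify(ch, phished))
}
```

The thing to notice is what each side holds: the server has a public key and a nonce, the wire carries a challenge and a signature, and the PIN only ever meets the device secret inside the authenticator, where a retry counter caps guessing at a handful of attempts.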

      • by MeNeXT ( 200840 )

        I don't need to send a password over the network just like your comment that you don't send the PIN. Why are you assuming all passwords need to go over the network? So authenticate with a password on your local system and don't send the password over the network just like the PIN.

        • by mysidia ( 191772 )

          Why are you assuming all passwords need to go over the network?

          As a general rule passwords ARE or can be sent over the network. And in the specific case of Microsoft Account passwords and even classical Windows local user login passwords - they ARE sent over the network and can be presented or used on login to your computer or other computers on your local network remotely.

          Password-based authentication refers specifically to that method of authentication where a Remote server prompts you for a password,

      • You're both right. What he's saying is that even a 4 character word has more combinations than a 4 digit pin and what you're saying is public key authentication is orders of magnitude stronger than passwords.
      • Why are you conflating browsing the Internetz (with its phishing, etc.) and logging in to Windows? These are two conceptually different things. And yes, what MS and you present is a solution to a non-existing problem. I can use a hardware-backed password vault when browsing the Net, and a local account for logging in to Windows, and my security will be no weaker than what you describe, with the added benefit that I don't give MS, whom I don't trust a bit, a kill switch for my own computer.

    • by sysrammer ( 446839 ) on Thursday May 01, 2025 @09:36PM (#65346129) Homepage

      did you really just say that a base 10 4 digit number is more secure than words

      slashdot has fallen

      How did you guess my passphrase?

    • When a 4-digit PIN is used to unlock a 4096 bit RSA key stored using hardware encrypted devices, it's much more secure than a password hashed using SHA-256 and sent over the wire.

      • Yet, it's not more secure than a password NOT sent over the wire, or even than a password that is only sent to a friendly network, inside your secure perimeter

  • https://arstechnica.com/securi... [arstechnica.com]

    4 digits that are good forever.

  • 42% password success rate sounds like bullcrap to me.
    • Oops, 32% as stated in the post.
    • >"32% password success rate sounds like bullcrap to me."

      Probably.

      Maybe it is high on systems that require some stupid 15 character passwords with X symbols and stupid aging (which should not be used). But even then, I doubt it is a 68% login failure rate.

      On systems with REASONABLE complexity and without aging (so the user can actually remember the password), I would estimate an average login success rate of maybe at least 90%. If it is a situation where 2FA is appropriate, then of course that number wi

  • I have a Microsoft Account, with no password.
    My device breaks. How do I sign in to my account from another device while I wait for mine to be fixed?

    • I assume your secondary auth method will be the biometrics they've coerced you into finally giving up.

  • Basically, you don't need a password but this stuff will depend on your email or phone password (via 2FA / MFA / Tokens / Biometrics - all based on OTP to your email or text)

    ( PIN - a pwd which works only on your pre-authorized phone. If you change phones you need a password. Which will be your email or Apple ID password - just clarifying as two commenters asked how a pin is different

  • Whoever thinks that biometrics are secure (and speaks German, sorry), should watch the video Ich sehe, also bin ich .... du [media.ccc.de] (I see, therefore I am .... you).
  • And how do we hold Microsoft accountable now?
