Microsoft Makes New Accounts Passwordless by Default 81
Microsoft has taken its most significant step yet toward eliminating passwords by making new Microsoft accounts "passwordless by default." The change means new users will never need to create a password, instead using more secure authentication methods like biometrics, PINs, or security keys.
The move builds on Microsoft's decade-long push toward passwordless authentication that began with Windows Hello in 2015. According to company data, passkey sign-ins are eight times faster than password and multi-factor authentication combinations, with users achieving a 98% success rate compared to just 32% for password users. Microsoft also said it now registers nearly one million passkeys daily across its consumer services.
The move builds on Microsoft's decade-long push toward passwordless authentication that began with Windows Hello in 2015. According to company data, passkey sign-ins are eight times faster than password and multi-factor authentication combinations, with users achieving a 98% success rate compared to just 32% for password users. Microsoft also said it now registers nearly one million passkeys daily across its consumer services.
what dummies lmao (Score:5, Insightful)
Re: (Score:1)
I was going to ask a legitimate question (on /.? I know!) on that very point. How is a 4 digit pin more secure than a random password? If anyone can explain this, please and thankyou
Re: (Score:2)
I don't think it is but your average user likely doesn't use a random password. If someone has physical access and the knowhow will break either in short order. A random 4 digits is "good enough" versus the alternative of "password1!"
At least that's a guess for me, on setup hey definitely push you towards a biometric if it knows the machine supports it.
It may be worse... (Score:5, Informative)
I don't think it is but your average user likely doesn't use a random password.
True, but your average user probably does not use a random PIN either making it easier to guess and, because banks also use PINs, probably means that an attacker now has access to their bank account as well.
Re: (Score:2)
True but we can only do so much if at this point people want to do that, it is 2025 and we all know that's dumb, I think that person is screwed regardless if that's the only measure. Thankfully the biometric stuff has gotten good enough to where it's far more convenient.
Re: (Score:2)
>"I don't think it is but your average user likely doesn't use a random password. If someone has physical access and the know how will break either in short order."
* No system should allow repeated failed login access without delays between each attempt.
* No system should allow unlimited login attempts. After X tries, there should be an extra-long delay and other actions. That might be reporting it to someone, locking the login, blocking the source for X minutes/hours or forever, etc.
For most systems/s
Re: (Score:2)
As long as the number of tries is very limited and the PIN is not easily guessable I don't think it makes much difference how much entropy there is.
Re: (Score:3)
As long as the number of tries is very limited and the PIN is not easily guessable I don't think it makes much difference how much entropy there is.
...So then why is "${SIGNIFICANT_YEAR}" secure, but not words? Four-digit numerical PINs are secure now, but lower-case dictionary words aren't?
Passwords became unwieldy because we tried to improve security by mandating complexity, but suddenly 'limiting tries' is all it takes for four-digit numbers to become 'secure' again?
Re: (Score:2)
> Passwords became unwieldy because we tried to improve security by mandating complexity, but suddenly 'limiting tries' is all it takes for four-digit numbers to become 'secure' again?
Basically, yes. Password complexity only matters if we assume that the hash has been compromised. I am not sure why we are ok with that assumption - if the hash is compromised, maybe we should assume that the whole system is compromised?
The PIN is stored on the TPM (hashed or not really does not matter), so we assume it can
Re: (Score:2)
the org i'm in has the same complexity requirements for "pins" as they do "passwords" (yes, all character classes, min length, no repeating, etc)
ya, shit sucks
Re: (Score:2)
You make it sound as if 4 digits are secure. How about a password to unlock the device and repeat the password to access the passkey if the password was not entered in the last minute.
This high security comes from a company that publishes the username in every email.
Re: (Score:1)
Except that isn't true. In the context of machines joined to Microsoft Entra and Intune, which I expect will be similar to the service for regular Joes, the PIN is stored in the cloud and the same PIN is used to unlock every device your account has access to.
Re: (Score:1)
Re: (Score:2)
And you could do the exact same thing with a password. Because pin is password but with maybe less complexity requirements. Otherwise, it's still a string of characters entered into a password field.
Re: what dummies lmao (Score:2)
Re: what dummies lmao (Score:3)
Re: (Score:2)
And require the PIN to be 24 characters long?
You know what would be even more secure?
Make the PIN 1000 characters long.
Re: (Score:2)
You can actually choose on your Windows settings to allow letters and other characters in your Windows PIN...
Re: (Score:2)
Probably because a PIN can only be used locally on the device it is set up on, to unlock a security key that is then used for remote authentication.
You need physical access to a device to try and break the PIN.
Re: (Score:1)
Re: what dummies lmao (Score:2)
Because that's not the whole story. PIN is a single factor. When you call, you are providing at least two factors and maybe more. My typical experience is like 3 factors.
And then there's the fact that bank transactions can be reversed when fraud occurs.
The actual incidence of this sort of fraud is pretty minimal when compared to - say - sending a credit card # over the web to a TLS compliant site.
Re:what dummies lmao (Score:4, Informative)
Huge difference for this case. The PIN is only locally significant and used to unlock a credential stored on your device.
Your PIN is never sent over the network like a login password is.
What makes passwords vulnerable is they are used directly in an authentication protocol.
With locally-sigificant PINs the PIN is not part of the authentication protocol. The authenticator is on your computer,
and the PIN is simply used as an additional factor to unlock the authenticator on your computer.
Re: (Score:2)
So what is being sent? A password? Why do I need to send anything over the network when I'm logging into my system?
Re: (Score:2)
I'm surprised by this question. This is slashdot. We push https and ssh keys, both of which don't send private keys over the wires. Cryptographic challenges are used, with they keys remaining local. To be secure, MS must be doing something very similar. Perhaps even storing your keys in the TPM under Windows.
Re: what dummies lmao (Score:2)
A session key negotiated similar to (but not) Diffie-Hellman key exchange using TLS and the PKI to ensure secured communication with the authentication provider.
Lookup FIDO protocol for more info.
Re: (Score:2)
That can be accessed by a PIN? Why not just keep the password and send the key? I use FIDO. I don't need a 4 digit PIN.
Re: (Score:2)
Why not just keep the password and send the key?
This is to ensure normal humans can remember their password without having to write it down. The idea is you should use a simple password to help minimize the chance you forget the password. Brute force is prevented by the nature of the authentication protocol. Also the local device will have a tries counter. For example: If you insert your Yubikey and get the PIN wrong 3 times, then the token will be locked out and no more attempts are possible.
Re: (Score:2)
>"This is to ensure normal humans can remember their password without having to write it down."
People wouldn't have problems remembering their password if stupid, outdated, "security practices" didn't force them to change the password all the time. Way before NIST (I think it was) *finally* admitted that aging passwords *reduced* security, I was fighting with auditors who insisted that I should implement password aging. So of course they have to be poorer quality, and written down. And of course all
Re: what dummies lmao (Score:2)
"Why do I need to send anything over the network when I'm logging into my system?"
You don't have to. You can still setup a fully local account, but this will have a password.
Passwordless (secured by multi-factor) would be a bit complicated for users to setup locally, but a motivated individual could do it.
There are benefits to having this sort of service though. Your laptop might be stolen and if your accounts are all associated with MS through this scheme, you can remotely remove access from everything tha
Re: (Score:2)
If the laptop is stolen I don't have the key. Right now I have an encrypted DB that I can copy/move from system to system. I need a password to access my system and another for the DB. If my laptop is stolen the disk is encrypted and requires a password and another for the DB key to access the passkeys. How is a PIN more secure than my passwords?
Why would I entrust a company that is changing it's business model to make me a product with my credentials?
This is just more lock-in for the lazy. If it's importan
Re: (Score:1)
Huge difference for this case. The PIN is only locally significant and used to unlock a credential stored on your device.
Your PIN is never sent over the network like a login password is.
What makes passwords vulnerable is they are used directly in an authentication protocol.
With locally-sigificant PINs the PIN is not part of the authentication protocol. The authenticator is on your computer,
and the PIN is simply used as an additional factor to unlock the authenticator on your computer.
Ok, that makes a bit of sense. Thanks.
Re: (Score:2)
Everyone now focus on compromising the device instead.
Re: (Score:2)
Re: (Score:2)
And generally, a much less secure one, being, usually, 4 or 6 digits, often numbers only.
Re: what dummies lmao (Score:3)
just one step short. (Score:5, Insightful)
If you only they could make it so that not only isn't a Microsoft account isn't needed but that they don't hound you to make a Microsoft account.
Windows used to be nice but proprietary and now it's an unending hellscape of nags. I FUCKING HATE WINDOWS.
Re: (Score:3)
Linux just entered the room.
Re: (Score:3)
Re: (Score:2)
What's up bro?
Re: just one step short. (Score:2)
Please someone keep Mac OS away. The chatroom is full.
Re: just one step short. (Score:2)
I assume there are still pro editions of Windows where this stuff is more straightforward. If you have opinions on how your machine should be secured, the home edition is not targeted at you.
Re: (Score:2)
Pro (and I believe Enterprise) have a trick during setup, where you tell it you're going to join a domain (which lets you finish setup with a local account), then never join the domain.
Nagging to sign into a MS account, however, seems to be eternal.
Re: (Score:2)
All we need now... (Score:5, Insightful)
....is Microsoft Accountless.
Re: (Score:3)
....is Microsoft Accountless.
I've been Microsoft Accountless since... let me see... oh, that's right! I've never had a Microsoft account!
Re: All we need now... (Score:2)
Umm. Legit question: there any such thing ? Maybe if you have a site license for a big co or gov you can customize your accounts ?
Re: All we need now... (Score:2)
Aside from regular old local accounts, you can absolutely setup your own enterprise authentication scheme. For example, some companies use their Google app logins to login to their Windows machines.
Re: All we need now... (Score:2)
Re: (Score:2)
>"it's outsourcing your entire authentication infrastructure. That's a bad strategy for self preservation."
Yep.
What happens when that outside company has a technical problem? Or has to comply with some new policy or law? Or has to turn over access without your knowledge to law enforcement? Or just doesn't like you for whatever reason?
"You will own nothing and be happy" Hmm...
Re: (Score:2)
You can't bring home a computer and have just a regular old local account any more. Not without going to extreme heroics. If you've found a way, please show your work.
And your average home user shouldn't have to set up an enterprise authentication scheme.
"more secure" (Score:2)
"more secure" depends on your definition of security.
first off, the finger print reader on my main windows laptop for work is absolute dogshit, forcing me to revert back to normal passwords anyways.
next, i have no real method of transferring those credentials to another machine.
and no, they are NOT faster. this is only true for things like cell phones that you physically hold. my work laptop? its docked. i need to get up out of my chair to get to the finger print reader. and yes, i know not everyone has thi
Re: (Score:2)
next, i have no real method of transferring those credentials to another machine.
that is a feature. The whole point is the credentials are not transferrable therefore not subject to being stolen or reused elsewhere.
Re: (Score:2)
next, i have no real method of transferring those credentials to another machine.
that is a feature. The whole point is the credentials are not transferrable therefore not subject to being stolen or reused elsewhere.
Lovely. So you have to have separate credentials for every machine you log into. This won't slow down people who need to work on multiple machines in the least.
Re: "more secure" (Score:2)
You sit down at any machine and use the same key (hardware, biometric, whatever), which gets combined with the device key to allow access to services.
As the old adage goes, security is something you know and/or something you have.
When signing into your machine you know the PIN and have the key fob (or fingerprint).
Once you've signed in though, the services you use can leverage this scheme to tie your access to the device itself. That device key is what you can't transfer. So each new device will likely requ
Yes, but ... (Score:3)
The change means new users will never need to create a password, instead using more secure authentication methods like biometrics, PINs, or security keys.
I just setup two Windows 11 systems for a friend and used the little checkbox at PIN creation to allow both letters and numbers, so a PIN can be like a password -- ignoring how they're stored by the back end. Anyway, that was easier for them to remember than just (more) numbers.
Guess what (Score:2)
I don't want to have to deal with 2FA when logging into my device. Lots of things cause you to have to re-auth and when that happens I want to use a password.
I can safely configure a local account that way whereas it's less secure if I'm required to use an internet account. So, don't force the use of MS accounts.
Re: Guess what (Score:2)
but I'd balk if it required biometrics... Recall is already a non starter... also Microsoft products are 30% generated code according to the boss over there... so that explains why it's garbage use plus anyone using Microsoft is a true serf now... property... irritating AND sad.
Re: (Score:2)
I can safely configure a local account
Actually not. Local accounts can easily be thwarted by enabling the hidden Administrator account. https://www.makeuseof.com/wind... [makeuseof.com] Even if you disable this account, it can be worked around by using a PE Boot loader.
Before Windows started pushing people to use Microsoft accounts, when friends would ask me to fix their computers, I never needed to ask them for their passwords. I would just log in as Administrator (which has no password) and do what I needed to do.
The one good thing about Microsoft accounts,
Re: Guess what (Score:2)
Why disable Administrator if I can assign a password to it?
wtf is happening (Score:1)
did you really just say that a base 10 4 digit number is more secure than words
slashdot has fallen
Re: (Score:2)
Yes. Because even a single-character password using only digits 0 - 9 is more secure as an authorization PIN to unlock a cryptographic authenticator than the strongest possible online login password you can possibly imagine.
All passwords sent over the network automatically become insecure
Password-based authentication to a server inherently has zero resistance to phishing. And zero resistance to verifier compromise.
Login passwords also have a high chance of being reused by the user, and then if ANY
Re: (Score:2)
I don't need to send a password over the network just like your comment that you don't send the PIN. Why are you assuming all passwords need to go over the network? So authenticate with a password on your local system and don't send the password over the network just like the PIN.
Re: (Score:3)
Why are you assuming all passwords need to go over the network?
As a general rule passwords ARE or can be sent over the network. And in the specific case of Microsoft Account passwords and even classical Windows local user login passwords - they ARE sent over the network and can be presented or used on login to your computer or other computers on your local network remotely.
Password-based authentication refers specifically to that method of authentication where a Remote server prompts you for a password,
Re: wtf is happening (Score:2)
Re: wtf is happening (Score:2)
Why are you conflating browsing the Internetz (with its fishing, etc) and logging to Windows? These are two conceptually different things. And yes, what MS and you present is a solution to a non-existing problem. I can use a hardware-backed password vault when browsing the Net, and a local account for logging to Windows, and my security will be no weaker than what you describe, with the added benefit that I don't give MS, whom I don't trust a bit, a kill switch for my own computer.
Re:wtf is happening (Score:4, Funny)
did you really just say that a base 10 4 digit number is more secure than words
slashdot has fallen
How did you guess my passphrase?
Re: wtf is happening (Score:2)
When a 4-digit PIN is used to unlock a 4096 bit RSA key stored using hardware encrypted devices, it's much more secure than a password hashed using SHA-256 and sent over the wire.
Re: wtf is happening (Score:2)
Yet, it's not more secure than a password NOT sent over the wire, or even than a password that is only sent to a friendly network, inside your secure perimeter
RDP permanent password (Score:2)
https://arstechnica.com/securi... [arstechnica.com]
4 digits that are good forever.
32% password success rate? (Score:2)
Re: 32% password success rate? (Score:2)
Re: (Score:2)
>"32% password success rate sounds like bullcrap to me."
Probably.
Maybe it is high on systems that require some stupid 15 character passwords with X symbols and stupid aging (which should not be used). But even then, I doubt it is a 68% login failure rate.
On systems with REASONABLE complexity and without aging (so the user can actually remember the password), I would estimate an average login success rate of maybe at least 90%. If it is a situation where 2FA is appropriate, then of course that number wi
Here's a scenario (Score:2)
I have a Microsoft Account, with no password.
My device breaks. How do I sign in to my account from another device while I wait for mine to be fixed?
Re: (Score:2)
I assume your secondary auth method will be the biometrics they've coerced you into finally giving up.
TLDR: this stuff depends on your email or phone pa (Score:1)
Basically, you don't need a password but this stuff will depend on your email or phone password (via 2FA / MFA / Tokens / Biometrics - all based on OTP to your email or text)
( PIN - a pwd which works only on your pre authorized phone. If you change phones you need a password. Which will be your email or Apple ID password - just clarifying as 2 commenter's asked how pin is different
Biometric (Score:2)
And how ... (Score:2)
And how do we hold Microsoft accountable now?