Elite PC Systems LTD - Chester Computer, Laptop, Mac, Repair


​Elite PC Systems​
​Providing People and Businesses computing peace of mind in Chester, North Wales, and the North West since 1998.

Embracing Simplicity and Security: The Power of Going Passwordless

15/5/2023

In 2022, Microsoft tracked 1,287 password attacks per second (more than 111 million per day). Phishing was the attackers' favoured method, with an increase of 61% from 2021 to 2022.

Microsoft recommends moving away from passwords as a credential strategy and advises users to adopt passwordless authentication.
Passwordless authentication is a verification method used to confirm a user’s identity without using a password. Passwordless instead uses more secure techniques such as possession factors, biometrics, and magic links.

In this article, we will explore the types of passwordless authentication, the benefits, how to set up passwordless authentication on your Microsoft account, and methods to secure your account without going passwordless.
 
What are the types of Passwordless Authentication?
There are a few ways that passwordless authentication can be achieved:

Possession factors: Also referred to as ‘something you own’, these authenticate users through ownership of a device. For example, if you can receive and enter a one-time password, this shows that you hold the device associated with the account, a device to which you have exclusive access, and so proves your identity.

One-time password (OTP) – A security code designed to be used for a single login attempt, to minimise the risk of fraudulent login attempts and maintain high security. It is a string of characters or numbers that is automatically generated and sent to the user’s phone via SMS, voice, or push message. OTPs can also be received through email, although this is less secure.

OTPs are usually time-limited, meaning they only work for a set amount of time. If that time passes without the password being entered, the OTP will no longer work and you will have to generate a new one.

Biometrics: Biometrics are unique biological traits such as fingerprints, voices, retinas, and facial features. Users are identified by these unique traits, which are hard for a hacker to fake: a fingerprint or iris cannot be faked as easily as a password or PIN can be guessed.

Magic links: These allow users to log in to an account by clicking a link that is emailed to them, rather than entering their username and password. Magic links can also be used for multi-factor authentication, adding an additional layer of security on top of passwordless authentication.
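
The single-use and time-limit properties described for OTPs above, sketched from the server's side as an added example (not code from the original article or from Microsoft). The class name, the 300-second window and the three-attempt limit are assumptions chosen for illustration; the attempt limit goes slightly beyond what the article describes.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window; the article gives no figure
MAX_ATTEMPTS = 3       # assumed limit on wrong guesses per issued code


class OneTimeCodeStore:
    """Single-use, time-limited 6-digit codes, held in memory for illustration."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so expiry can be exercised without waiting
        self._pending = {}   # account -> [sha256(code), expires_at, attempts_left]

    def issue(self, account):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, never random.random()
        digest = hashlib.sha256(code.encode()).digest()
        # A fresh code replaces, and so invalidates, any earlier one.
        self._pending[account] = [digest, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # handed to the SMS/push sender; never written to logs

    def verify(self, account, submitted):
        entry = self._pending.get(account)
        if entry is None:
            return "no-code"
        digest, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[account]
            return "expired"
        candidate = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            del self._pending[account]              # single use: burn on success
            return "ok"
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[account]              # stop online guessing
            return "locked"
        return "wrong"
```

A replayed code returns "no-code" because the entry is deleted on first successful use, which is what makes the password "one-time".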

Benefits of Passwordless Authentication
Enhances user experience
Generating and memorising unique passwords can become unsustainable at a certain point, and if you forget a password, the process of resetting it is often clunky and tedious. This is why many people use simple, easy-to-remember passwords, or reuse the same password over and over.

With passwordless authentication, users no longer have to create passwords or remember them by heart. Instead, they can use their biometrics, an OTP, or a magic link to log in, which is quicker than trying to remember a long, complicated password that you have to re-enter if you get it wrong.

Strong cybersecurity posture
Passwords alone are simply no longer a strong barrier against attackers. One thing we are all guilty of is reusing the same password across several different accounts and applications; this is a bad habit that you should avoid at all costs. If just one of these passwords is breached (via phishing), leaked (lists on the dark web), or stolen (through malware), there is a high chance that attackers will gain access to several accounts, accounts that may contain your data.

Passwordless authentication removes the need for passwords altogether, immediately giving users protection against two of the most prevalent types of attacks, phishing and password attacks.

Learn more about how you can protect yourself from phishing attacks.
 
How to set up Passwordless authentication for your Microsoft account
Before we set up passwordless for your Microsoft account, you will need a mobile device (Android or Apple) – there is currently no Microsoft Authenticator software for computers.

For this demonstration, I have used an iPhone, but the steps will still work for Android users.

Step 1: Install Microsoft Authenticator
Navigate to your device's app store and search for Microsoft Authenticator - it should be the first result that appears. Install it.
[Picture: This is what Microsoft Authenticator looks like on the Apple App Store.]
Once installed, open the Microsoft Authenticator app.
[Picture: Once opened, this is the page you will be on.]
Step 2: Sign in to your Microsoft Account
Select the blue 'Add account' button.
[Picture: You will be sent to this screen.]
Select which type of account you have. You will then be asked to enter your login details.
[Picture: Microsoft Account sign-in screen.]
Once you have entered your login details, you will receive an 8-digit code by email. Enter the code and select 'Verify'.
[Picture]
If done correctly, you will be sent to the screen below. Press the 'Finish' button, and you will be sent back to the homepage with your account now showing at the top.
[Picture: Screen for successfully adding your Microsoft account.]
[Picture: Homepage with Microsoft account now added.]
Step 3: Setting up passwordless for your Microsoft account
From the homepage, select the account you have just logged in to. You will be taken to the screen below.
[Picture]
Click on 'Update security info'.
[Picture]
You will be taken to this screen, where you will need to scroll down until you reach the 'Additional security' section. Under 'Passwordless account', press 'Turn on'.
[Picture]
You will be taken to this screen, where you simply need to select 'Next'.
[Picture]
After that, you will receive a request for password removal. To find this request, you do not need to leave the Microsoft Authenticator app; select the 'Done' text in the top-left-hand corner.
[Picture]
You will be taken back to the home page. Next, you need to select the 3-bar icon in the top-left-hand corner.
[Picture]
Select 'Check for notifications'.
[Picture]
Select 'Approve'.
[Picture]
For me, the app asked for Touch ID; however, this can change depending on how new your device is, as newer iPhones do not have a home button.
Whatever the app asks you to do, complete it.
[Picture]
If you have followed these steps, a message should appear saying ‘Approved’. Passwordless should now be set up on your device.
If you would like to remove passwordless, go back through the process of step 3.

How to secure your accounts without going passwordless
If you want to carry on using passwords, we have some recommendations that you may want to implement:
  • Maintain a password length of at least 12 characters.
  • Utilise a combination of uppercase and lowercase letters, numbers, and symbols for your passwords.
  • Create unique passwords for each account and ensure each one is different from the last.
  • When available, use multi-factor authentication.
  • Continuously check for anti-malware updates on your devices and keep them up to date.
  • Change your password immediately if you suspect it may have been compromised.
Conclusion
In conclusion, going passwordless with your accounts offers enhanced security and convenience. We may strengthen our accounts and lower the risk of data breaches by doing away with conventional passwords and implementing cutting-edge authentication techniques like biometrics, possession factors, and magic links.

By supporting passwordless authentication with tools like Windows Hello and Microsoft Authenticator, Microsoft makes it easier for users to log in and gives them more control over their online identities. Passwordless practices help us keep ahead of cyber risks and are in line with the rapidly changing technological world. Explore the available options, make informed choices, and unlock the potential of a passwordless future.

Elite Help Ltd
Registered Address
6 The Grove

Northop Hall
Mold, Flintshire
CH7 6JX
Company Number: 4101974
T/A Elite PC Systems LTD
Trading Address
20 Nicholas Street, Room 3
Chester
Cheshire
​CH1 2NX

​​​Vat Number: 762987671

© COPYRIGHT 2024. ALL RIGHTS RESERVED.