Microsoft Embraces Passkeys by Default, Ushering in Passwordless Future for Billions

-


 A year after announcing support for passkeys in consumer accounts, Microsoft is now making them the default sign-in method for all new accounts. This move signals a significant step in the tech giant’s broader commitment to eliminating passwords—a major weak point in online security.

New Accounts Are Now Passwordless by Default

In an official statement, Microsoft executives Joy Chik and Vasu Jakkal confirmed:

"Brand new Microsoft accounts will now be 'passwordless by default.' New users will have several passwordless options for signing into their account and they'll never need to enroll a password. Existing users can visit their account settings to delete their password."

The updated process ensures new users never have to create or manage a password. Instead, they can authenticate using phishing-resistant options like biometrics or device-based passkeys.

A Simplified, Smarter Sign-In Experience

To support this transition, Microsoft has overhauled its sign-in and sign-up flows. Passwordless methods are now prioritized and automatically selected based on what's available for the account. For example, if both password and one-time code options are available, users will be prompted to sign in with the one-time code. Once signed in, they’re guided to set up a passkey for even stronger security.

Part of a Larger Industry Shift

Microsoft’s push aligns with industry-wide efforts by Apple, Google, Amazon, and others to move toward a passwordless future. Passkeys are backed by the Fast Identity Online (FIDO) Alliance and rely on public/private key cryptography to authenticate users securely—removing the need for vulnerable static credentials.

Since introducing passkey support in Windows 11 and Windows Hello in 2023, Microsoft has steadily expanded its passwordless capabilities. This aligns with Google’s decision to make passkeys the default login method globally and reflects growing consensus among major tech players that passwords are no longer viable for long-term security.


How Passkeys Work

When a user registers with a service, their device (e.g., smartphone or PC) generates a unique key pair:

  • Private Key: Stored securely on the user’s device.

  • Public Key: Shared with the service.

To sign in, the device uses the private key to respond to a cryptographic challenge after authenticating the user via biometrics like fingerprint or facial recognition. This method is not only more secure, but also faster and easier for users.

FIDO Alliance’s Expanding Role

As of late 2024, the FIDO Alliance estimated that over 15 billion accounts can now support passkey authentication. The organization is also working to improve interoperability, making it easier to export credentials across ecosystems.

Additionally, the FIDO Alliance recently launched a Payments Working Group (PWG). Its mission is to:

  • Evaluate existing and emerging solutions for payment authentication.

  • Define how passkeys and FIDO standards can enhance security for payment systems.

  • Establish best practices for integrating FIDO-based methods into existing payment technologies.

A Future Without Passwords Is Becoming Reality

With Microsoft now making passkeys the default for new accounts—and other tech giants following suit—the transition to a passwordless future is accelerating. For users, this means fewer risks, better user experiences, and a more secure digital world.


Comments

Post a Comment

Popular posts from this blog

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those...
Read more

New Diicot Threat Group Targets SSH Servers with Brute-Force Malware

-
Image
  Diicot, previously known as Mexals, is a relatively new threat group that possesses extensive technical knowledge and has a broad range of objectives. Diicot shares its new name with the Romanian anti-terrorism policing unit and uses the same style of messaging and imagery. Researchers from Cado Labs reported that an emerging Romanian threat actor called Diicot is utilizing unique TTPs (Tactics, Techniques, and Procedures) and an interesting attack pattern to target victims. The researchers noted that the group has been using brute-force malware whose payloads have neither been publicly reported nor appeared in common repositories. About Diicot Threat Group Diicot, previously known as Mexals, is a relatively new threat group that possesses extensive technical knowledge and has a broad range of objectives. Diicot shares its new name with the Romanian anti-terrorism policing unit and uses the same style of messaging and imagery. Previous research by Akamai and Bitdefender reveals ...
Read more