
A year after Microsoft announced passkey support for consumer accounts, the tech giant has announced a major change that pushes people signing up for new accounts to use the phishing-resistant authentication method by default.
“Brand-new Microsoft accounts are now ‘passwordless’ by default,” said Joy Chik and Vasu Jakkal of Microsoft. “New users have several passwordless options to sign in to an account and do not need to register a password. Existing users can access their account settings to remove their password.”
The Windows maker said it has simplified the sign-in and sign-up experience by prioritizing passwordless methods. Additionally, the sign-in process automatically detects the best available method for your account and sets it as the default.

For example, if your account can sign in with either a password or a “one-time code”, you will be prompted to log in with the one-time code rather than the password. Once signed in, you will be instructed to set up a passkey for optimal protection.
Microsoft's latest moves are part of a steady march toward a passwordless future, alongside peers such as Apple, Google and Amazon in recent years. As password-based cyberattacks continue to be a profitable initial access vector for bad actors, the adoption of passkeys marks a critical step forward in account security.
In September 2023, Microsoft added passkey support to Windows 11, and last year it updated Windows Hello to support the technology.

Passkeys offer a more secure way to log in to a website or application by eliminating the need for a password. Backed by the Fast Identity Online (FIDO) Alliance, passkeys rely on public/private key cryptography to authenticate users.
When a user registers with an online service, the client device (i.e., a phone or PC) generates a new key pair. The private key is stored securely on the user's device, and the public key is registered with the service.
When signing in, the service sends the device a fresh challenge. After the device owner authenticates locally, for example with facial recognition or a fingerprint, the client device signs the challenge with the private key, and the service verifies the signature against the public key it holds on record. Because the private key never leaves the device and the signature is bound to the site it was registered for, there is no shared secret for a phishing page to capture.

In October 2024, the FIDO Alliance said it was working with stakeholders to make it easier to export passkeys and other credentials between different providers and to improve interoperability between credential providers. As of December last year, over 15 billion user accounts could sign in with passkeys instead of passwords.
Last month, the Open Industry Association launched a Payment Working Group (PWG) to define and drive FIDO solutions for payment use cases.
The PWG is expected to “identify and evaluate existing and emerging solutions to address payment authentication requirements” and to establish “guidelines for the use of passkeys and/or proposed FIDO solutions with existing payment technologies.”