Microsoft Accounts Now Support Password-less Authentication with FIDO
(Pictured above: A security key by Yubico.)
Anyone with a Microsoft account can now log in using biometric authentication instead of a traditional username or password with the latest version of Windows Hello or security keys that support the newest Fast Identity Online (FIDO) Alliance standards.
The milestone, a key step in eliminating passwords, became possible this week when Microsoft officially enabled support for the FIDO 2 standards, ratified this summer. The FIDO Alliance is a broad consortium of customers including Aetna, Bank of America, MasterCard and Visa, and technology providers including Amazon, Google, Intel, RSA, Samsung and Yubico.
More than 800 million people use Microsoft accounts to log in to Windows, Office 365, OneDrive, Skype, Bing and Xbox Live, the company claims. Because Microsoft has implemented the new WebAuthn and FIDO2 CTAP2 specifications in its online services, users can now log in to those services with a device that enables biometric authentication, such as a fingerprint sensor or facial recognition scanner.
While it’s a noteworthy step toward Microsoft’s longstanding goal to eliminate passwords, it requires either a PC with the new fall semiannual release of Windows 10, version 1809, the Edge browser or a device with FIDO 2-compliant keys from partners including Yubico and Feitian Technologies.
Microsoft only started rolling out the latest Windows 10 update last week. The company initially released version 1809 in early October but within days pulled it following reports that it was deleting user files, a major flaw that Microsoft claims it has resolved. The significant embarrassment is likely to result in customers and partners treading slowly in updating.
Nevertheless, Microsoft has ramped up its focus on eliminating passwords and is emphasizing that shifting to multifactor authentication (MFA) will provide better protection against credential theft, which is the primary source of breaches and phishing attempts, according to various studies. Likewise, forgotten passwords are among the largest costs that help desks incur internally or via their managed services providers.
“Microsoft has been on a mission to eliminate passwords and help people protect their data and accounts from threats,” said Alex Simons, corporate VP of program management within Microsoft’s identity technology group, in a post Tuesday announcing the availability of the new password-less authentication option.
Despite Microsoft’s push to eliminate passwords, partners said many customers aren’t ready to make a wholesale shift.
“We still work with so many customers with infrastructure that may not be able to support things like Windows Hello in terms of being able to manage those devices in a proper manner,” said Roman Avanesyan, practice director for Microsoft productivity and infrastructure at SADA Systems. “It will be a bit of a journey, … to get them from that current state and being able to help them leverage all these latest and greatest new capabilities.”
Microsoft emphasized its password-less authentication push in late September at its annual Ignite conference in Orlando with numerous technical sessions intended to educate customers and partners on the company’s efforts and on how to implement it. At one Ignite session, Simons said that there are now 47 million Windows 10 users who use the biometric-authentication capabilities of Windows Hello with PCs that either have fingerprint sensors or facial-recognition scanners and Microsoft’s recommended Trusted Platform Module (TPM) embedded hardware-based encryption chips.
Given the relative scarcity of PCs with hardware that can support it, Windows Hello adoption has been predictably modest since Microsoft introduced it with the launch of Windows 10 three years ago; however, over the past year, Simons said the number of devices that support Windows Hello biometric authentication has increased 350 percent, with 6,500 organizations that have implemented it.