Going passwordless with Microsoft Accounts (MSA)


I had a look at the number of passwords I have stored in my password manager software. There are over 1,000 secrets stored, and obviously, I don’t need to use all of them daily or even weekly.

One of the necessary credentials are my Microsoft Accounts (MSAs). They used to be called Live ID’s when I was young. For multiple reasons, you tend to end up with more than a dozen of these – different Microsoft services might require a fresh one, or you need to separate and segregate certain services with different accounts. Using a strong authentication is a must, and I’m always careful to enable and enforce additional factors beyond ‘just’ a username and a password. Typically, this is through the Microsoft Authenticator mobile app on my phone.

In September 2021, Microsoft announced that Microsoft Accounts could go fully passwordless. You can entirely remove the password from your account through this capability. It sounds scary but promising at the same time!

I set out to configure one of my (reasonably discardable) Microsoft Accounts for this.

Unceremoniously, the password is taken away from you. I chose to play this super safe and not clean up the password from my password manager – even if I knew it’s in vain, as the password isn’t valid any longer.

How does it work now, then? If I choose to login into any service with this MSA, I’m presented with the login prompt as you would expect:

(don’t worry, that account is not a real one in the image above)

When you click Next, instead of seeing the usual password prompt, you get a confirmation for signing in with the help of Microsoft Authenticator on your phone. No password is required.

And now, all I need is to unlock my phone and match the same number in the prompt to validate this specific authentication request.

Should I not have my phone nearby, I can also use Windows Hello, which utilizes an optional biometric authentication and a PIN. A security key is another option, as it requires a hardware token such as a YubiKey.

In retrospect, and having used this approach for about six months now – does it work? Yes, it works well. I frequently monitor all sign-ins through the MSA security portal to ensure I’m on top of things.

The significant upside is that nobody can guess my password now, as there isn’t one. Should I break or lose my phone, I have alternate means of accessing my accounts – and the hardware tokens are especially crucial for this. They are relatively cheap, robust, easy to carry with you – and still secure.

For Azure AD-based identities, passwordless is also supported but removing the password altogether is not possible. Step by step, we’re going passwordless!

PS. While you’re here, check out our workshops if you want to go passwordless in your environment!

The results are in for the Microsoft Cybersecurity Architect (SC-100) exam!

Photo by @punttim / Unsplash.com

Insights on preparing for the Microsoft Certified: Cybersecurity Architect Expert (SC-100) certification

Security Architect as a Service