Tom Kelley/Getty Images
These days, Iâm very popular in Russia, Ukraine, Moldova, Bosnia-Herzegovina, and even Albania. At least, thatâs what it looks like based on this list of recent attempts to sign in to my Microsoft account:
What these attackers donât know is that every password is incorrect for this passwordless account. Â
Screenshot by Ed Bott/ZDNET
If youâre curious about whoâs trying to sign in to your Microsoft account, go to this management page: https://account.microsoft.com. After signing in, click Security and âView my sign-in activity.â
In my case, those desperate hackers are wasting their time. They can try every combination of letters, numbers, and symbols in every alphabet known to humanity, even if it takes until the end of the universe, and they will never guess the password for my Microsoft account.
Also: 10 passkey survival tips: Prepare for your passwordless future now
Why am I so confident? Because, long ago, I chose the option to make that account passwordless. If some stranger wants to sign in to my account on a new device, theyâll have to convince me to approve that sign-in using a device Iâve already set up. (Sorry, Ivan, I say nyet to unsolicited requests from Russia.)
Should you go passwordless?
Microsoft wants you to do just like I did and ditch your password. This month, the company rolled out a new user experience that is âoptimized for a passwordless and passkey-first experience.â
Also: The best VPN services (and how to choose the right one for you)
So, should you do it? For most people, the answer is yes. Removing your password dramatically increases the security of your Microsoft account and makes it far more resistant to phishing attacks. Once youâve removed your password, the only way to sign in to a device is by proving your identity using biometrics (fingerprint or face recognition), hardware security keys, syncable passkeys saved in a password manager, or by responding to a push notification on a trusted device, as shown here.
The default method for signing in to a passwordless Microsoft account is with an Authenticator app on a device you own.
Screenshot by Ed Bott/ZDNET
The only technical reason not to make this change is if you use old apps or hardware devices that donât support modern authentication methods: Office 2010 or earlier; Office for Mac 2011 or earlier; Xbox 360; or a PC running Windows 8.1 or earlier. Youâll also run into problems if you use the Remote Desktop feature to connect to another PC using your Microsoft account.
Going passwordless is not a step you take casually. Along with that extra security comes an increased risk that youâll lock yourself out of your account. You can mitigate that risk by making sure you have multiple secure ways to access your account before you remove your password.
Ready to get started? Letâs go.
Step 1: Check your current security settings
Go to your Microsoft account management page at https://account.microsoft.com and sign in using your password. Click the Security tab and then click âManage how I sign in.â That should open a page like the one shown here:
Add at least two ways to prove who you are. An Authenticator app and an email address are your best choices.Â
Screenshot by Ed Bott/ZDNET
This is an account I created for test purposes. It has a password, and Iâve added an email address to be used for verification purposes. Note the two options under the âAdditional securityâ heading â Passwordless account and Two-step verification â are both off.
Click âAdd a new way to sign in or verify.â That opens the page shown here:
Use the second option to set up the Microsoft Authenticator app as a way to sign in.
Screenshot by Ed Bott/ZDNET
Step 2: Set up the Microsoft Authenticator app on your mobile device
Click the middle option, âUse an app.â If necessary, download and install the Microsoft Authenticator app on your mobile device and then click Next to display a QR code like the one shown here:
Scan this QR code to set up your Microsoft account in the Authenticator app.
Screenshot by Ed Bott/ZDNET
Open the Authenticator app on your mobile device, click the plus sign, and scan the QR code using the smartphone camera to add your new account. The result should look something like this:
After you make your account passwordless, the Change Password option will disappear.
Screenshot by Ed Bott/ZDNET
Step 3: Set up at least two other ways to sign in
The Authenticator app provides an easy way to sign in without a password. But what happens if you lose your phone? Thatâs when you need an alternative sign-in method. If you have two-step verification set up, youâll need two factors.
- Click âEmail a codeâ to enter an alternate email address.
- Click âShow more optionsâ to display the option to enter a phone number where you can receive a code via SMS. In addition to your personal phone, consider adding the phone number that belongs to your spouse or partner, which gives you an extra alternative if your own phone is lost or stolen.
- Choose the âFace, fingerprint, PIN, or security keyâ option to create a hardware-based passkey, using Windows Hello with face recognition or a fingerprint reader on a Windows PC, or an Apple iCloud Keychain passkey, using Touch ID on a MacBook. You can also use this option with a USB security key.
- If your password manager supports this feature, you can create a passkey that syncs between devices. Dashlane, 1Password, and Bitwarden all support passkeys.
Step 4: Create a recovery code and save it in a secure location
Do not skip this step! This is your âIn case of emergency, break glassâ option.
Go back to the âManage how I sign inâ page from Step 1 and scroll all the way to the bottom of the page. Under the âRecovery codeâ heading, click the option to generate a new code. Print it out and save the code in a safe location. Maybe consider sending a copy to a trusted family member who can stash it away in case you need it.
Also:Â If we want a passwordless future, letâs get our passkey story straight
If all else fails, this code will make certain that you can recover your account.Â
Step 5: Turn on the passwordless option
You donât have to do this step right away. All of the passwordless options you set up (Authenticator app, passkeys, and so on) will work right away. Give yourself a week or two to make sure everythingâs working as expected. When youâre ready, go back to the âManage how I sign inâ page, scroll to the âPasswordless accountâ section, and turn that option on.
