I replaced my Microsoft account password with a passkey – and you should, too

SEAN GLADWELL/Getty Images

These days, I’m very popular in Russia, Ukraine, Moldova, Bosnia-Herzegovina, and even Albania. At least, that’s what it looks like based on this list of recent attempts to sign in to my Microsoft account. (It’s available for any Microsoft account at this management page: https://account.microsoft.com. After signing in, click Security and then click “View my sign-in activity.”)

What these attackers don’t know is that every password is incorrect for this passwordless account.  

Screenshot by Ed Bott/ZDNET

In my case, those desperate hackers are wasting their time. They can try every combination of letters, numbers, and symbols in every alphabet known to humanity, even if it takes until the end of the universe, and they will never guess the password for my Microsoft account.

Also: 10 passkey survival tips: Prepare for your passwordless future now

Why am I so confident? Because, long ago, I chose the option to make that account passwordless, replacing the password with a passkey that allows me to access the services connected to my Microsoft account using biometrics or a device PIN on my Windows PC. If some stranger wants to sign in to my account on a new device, they’ll have to convince me to approve that sign-in using a device I’ve already set up. (Sorry, Ivan, I say nyet to unsolicited requests from Russia.)

Should you switch from password to passkey?

Microsoft wants you to do just like I did and ditch your password. Earlier this year, the company rolled out a new user experience that is “optimized for a passwordless and passkey-first experience.” These new features can be used with any free Microsoft account but aren’t available with Entra ID accounts that are used for Microsoft 365 Business and Enterprise subscriptions and to sign in to corporate networks.

Also: The best VPN services (and how to choose the right one for you)

So, should you do it? For most people, the answer is yes. Removing your password dramatically increases the security of your Microsoft account and makes it far more resistant to phishing attacks. Once you’ve removed your password, the only way to sign in to a device is by proving your identity using passkeys tied to biometrics (fingerprint or face recognition), hardware security keys, or syncable passkeys saved in a password manager. You also have the option to respond to a push notification on a trusted device, as shown here.

The default method for signing in to a passwordless Microsoft account is with an Authenticator app on a device you own.

Screenshot by Ed Bott/ZDNET

The only technical reason not to make this change is if you use old apps or hardware devices that don’t support modern authentication methods: Office 2010 or earlier; Office for Mac 2011 or earlier; Xbox 360; or a PC running Windows 8.1 or earlier. You’ll also run into problems if you use the Remote Desktop feature to connect to another PC using your Microsoft account.

Also: How I easily set up passkeys through my password manager

Going passwordless is not a step you take casually. Along with that extra security comes an increased risk that you’ll lock yourself out of your account. You can mitigate that risk by making sure you have multiple secure ways to access your account before you remove your password.

Ready to get started? Let’s go. Oh, and do not skip Step 5.

Step 1: Check your current security settings

Go to your Microsoft account management page at https://account.microsoft.com and sign in using your password. Click the Security tab and then click “Manage how I sign in.” That should open a page like the one shown here:

Add at least two ways to prove who you are. An Authenticator app and an email address are your best choices. 

Screenshot by Ed Bott/ZDNET

This is an account I created for test purposes. It has a password, and I’ve added an email address to be used for verification purposes. Note the two options under the “Additional security” heading — Passwordless account and Two-step verification — are both off.

Click “Add a new way to sign in or verify.” That opens the page shown here:

Use the second option to set up the Microsoft Authenticator app as a way to sign in.

Screenshot by Ed Bott/ZDNET

Step 2: Set up an authenticator app on your mobile device

Click the middle option, “Use an app.” This gives you two choices. The Microsoft Authenticator app relies on push notifications; you can also set up a classic Time-based One-Time Password (TOTP) authenticator and generate six-digit codes you supply on request.

To use the Microsoft Authenticator, download and install the Microsoft Authenticator app on your mobile device and then click Next to display a QR code like the one shown here:

Scan this QR code to set up your Microsoft account in the Authenticator app.

Screenshot by Ed Bott/ZDNET

Open the Authenticator app on your mobile device, click the plus sign, and scan the QR code using the smartphone camera to add your new account. The result should look something like this:

After you make your account passwordless, the Change Password option will disappear.

Screenshot by Ed Bott/ZDNET

If you’d prefer to use another TOTP app, such as Authy or Google Authenticator, click “Use an app.” In the “Set up the Microsoft Authenticator” dialog, choose the option to set up a different Authenticator app. That produces a bar code that creates a standard 6-digit TOTP code that you enter when you need to authenticate. Note that you can use this option with Microsoft Authenticator as well. Choose the option to set up a different app and then add the account to Microsoft Authenticator using the supplied barcode. That will result in two entries, one that uses notifications, the other that uses TOTP codes.

You’re not done yet. To keep from being locked out of your account, you’ll need at least two other ways to sign in.

Step 3: Set up a passkey using your PC or Mac

If your Windows PC or Mac support biometric authentication, you can use that method to create a device-bound passkey. Choose the “Face, fingerprint, PIN, or security key” option to create a passkey that’s tied to that biometric hardware, using Windows Hello with face recognition or a fingerprint reader on a Windows PC, or an Apple iCloud Keychain passkey, using Touch ID on a MacBook. You can also use this option with a USB security key.

After setting it up, you’ll sign in using a dialog like this one.

You can sign in to a Microsoft account using a passkey tied to Windows Hello, using your face or fingerprint

Screenshot by Ed Bott/ZDNET

If you have a PC running the latest release of Windows 11, you can use Windows Hello to create and save passkeys for other sites and services as well. For most third-party sites, a passkey is an additional alternative you can use instead of a password, not a complete replacement as it is for a passwordless Microsoft account.

Step 4: Add at least one more backup authentication option

From the dialog in Step 1, choose at least one of the following options as an additional sign-in method.

• Click “Email a code” to enter an alternate email address (not the one tied to your Microsoft account!) where you can receive a code.
• Click “Show more options” to display the option to enter a phone number where you can receive a code via SMS. In addition to your personal phone, consider adding a phone number that belongs to your spouse or partner, which gives you an extra alternative if your own phone is lost or stolen.
• Select “Use an app” and set up a non-Microsoft authenticator app as described in Step 2. (Consider setting up that app on a phone other than your primary phone, if possible.)
• If your password manager supports this feature, you can also create a syncable passkey that you can use on any device where you’re signed in using that software. Dashlane, 1Password, and Bitwarden all support this feature.

Step 5: Create a recovery code and save it in a secure location

Do not skip this step! This is your “In case of emergency, break glass” option.

Go back to the “Manage how I sign in” page from Step 1 and scroll all the way to the bottom of the page. Under the “Recovery code” heading, click the option to generate a new code. Print it out and save the code in a safe location. Consider sending a copy via email to a trusted friend or family member who can stash it away in case you need it.

If all else fails, this code will make certain that you can recover your account. 

Step 6: Turn on the passwordless option

You don’t have to do this step right away. All of the passwordless options you set up (Authenticator app, passkeys, and so on) will work right away. Give yourself a week or two to make sure everything’s working as expected. When you’re ready, go back to the “Manage how I sign in” page, scroll to the “Passwordless account” section, and turn that option on.