From the horse’s mouth
Microsoft is the first major company with an Internet presence to implement a password-free option for signing in to a Microsoft Account, the main sign-in for most of Microsoft’s enterprise-facing and consumer-facing services.
Most of us are likely to have a Microsoft account if we use Windows 10, the Hotmail / Outlook webmail service, Office 365, OneDrive, Skype or Xbox, at least. Microsoft may also bind LinkedIn on to this authentication platform soon, or allow it to work with online services that use Microsoft accounts as an optional credential pool for single sign-on.
But what does this password-free setup mean for us? With it, the Microsoft servers don’t retain or use your password to verify you as a legitimate user. Instead, the verification takes place at the client device, such as you using a fingerprint reader or entering a PIN on the device to log in. Or you use another device, such as a smartphone with an authentication app or a hardware token like a USB or NFC security key, to authenticate with the online service when you log in. In each case, these approaches release a machine-to-machine session token that lets you log in for that session.
In some ways, it is similar to single-sign-on or “social-sign-on” where you authenticate with another credential pool like Facebook, Google or Microsoft when you use some online services.
Microsoft will facilitate this with their Hello-based device-level authentication infrastructure in Windows 10, a FIDO2-compliant hardware security key, a smartphone running the Microsoft Authenticator mobile-platform app or a one-time verification code sent via SMS or email.
This is something you can set up on the Security page of your account.microsoft.com dashboard for your Microsoft account. But you may have to create app passwords for some client software and setups that don’t work well with authentication approaches other than passwords. This may remain the approach for password-free setups where consumer electronics and IoT devices are concerned, until this kind of onboarding and login works with most of these devices.
But for a major software vendor or online-services provider to offer the option to go “password-free” and rely on device-based credentials as an authentication approach is a bold step. Microsoft are also in a good position here, having made sure that the authentication tools are available on a wide range of platforms.
Who knows who else will head down the password-free authentication path for their consumer-facing online services?