Microsoft makes it possible for users to log in to their account without using a password.

But the end of the password is not yet in sight and alternatives may also be a hassle.

Starting this week, anyone who wants to can log in to Microsoft services such as OneDrive or Outlook using the Microsoft Authenticator app, Windows Hello facial recognition, a physical security key or unique codes sent by email or text message.

The question is whether this really makes logging in easier and more secure.

Bart Jacobs, professor of Security, Privacy and Identity at Radboud University, seems somewhat surprised by Microsoft's decision to allow users to log in without passwords.

"Microsoft seems to be taking this step to make it easier for users, but it's not so clear what their real trade-offs are," he says.

"Changes in this area have a major impact on them, for example in the area of costs, for example for sending SMS or restoring accounts."

Incidentally, according to Jacobs, it remains to be seen whether logging in really becomes more user-friendly.

"Retyping a code from your phone is a hassle, just like inserting a physical security key (such as Yubikey). In addition, it is a real problem if you lose your phone or your security key. Not only do you need a new device, but you have to log in and authenticate yourself with that."

Easy to crack

The Digital Trust Center (DTC), part of the Ministry of Economic Affairs and Climate, is positive about Microsoft's initiative. According to cybersecurity advisor Erwin Hasenpflug of the DTC, systems that are only protected with a password often pose a risk. "People often use weak or easy-to-crack passwords. Passwords are also regularly (re)used for various services."

Hasenpflug regrets that password managers and two-step verification are not yet commonplace, as these are prime examples of tools that can contribute to increased security.

"While the DTC welcomes Microsoft's announcement, it is not expected that passwords will be completely banned in the near future. Therefore, the DTC will continue to alert the target audience to the risks and provide advice to ensure good password policies within organizations."

Incidentally, the option to log in without a password can also be reversed.

If you choose to log in without a password, you can later choose to log in to the Microsoft account again with a password.