Microsoft has announced that it is attempting to do away with passwords, turning its existing smartphone-based two-factor authentication (2FA) into a single-factor system and allowing users to sign in to their accounts directly from their phones.
Passwords are, to be fair, a pretty poor means of security. Passwords that are easy to remember are rarely secure, and the ones that are secure are difficult to remember. Even using passphrases, as in the well-known xkcd 'Correct Horse Battery Staple' comic, the requirement that every site you use gets its own unique passphrase makes for mental clutter, and that's before you raise the thorny issue of sites which have their own requirements for length, character set, and so forth. The most common way of dealing with this issue is to use a password manager, which stores your passwords in encrypted form and fills them in as and when you need them; Microsoft's approach, however, is to do away with passwords altogether.
'We’ve been hard at work creating a modern way to sign in that doesn’t require upper and lowercase letters, numbers, a special character, and your favourite emoji,' explained Microsoft's Alex Simons of his company's work in a blog post. 'And after a soft launch last month, we’re excited to announce the GA [general availability] of our newest sign-in feature: phone sign-in for Microsoft accounts! With phone sign-in, we’re shifting the security burden from your memory to your device. Just add your account to the Android or iOS Microsoft Authenticator app, then enter your username as usual when signing in somewhere new. Instead of entering your password, you’ll get a notification on your phone. Unlock your phone, tap “Approve”, and you’re in.'
Where previously Microsoft's Authenticator software acted as a second authentication factor after the password, the new system does away with the password altogether. When a user tries to log in, the system sends a notification to the Authenticator app requesting approval: tap 'Approve' and the login request is granted, while if someone else is trying to sign in without your permission a tap on 'Deny' rejects the request.
The system is live now for all Microsoft accounts which have a linked Microsoft Authenticator installation, on either Android or iOS. For times when your Authenticator device isn't available, Simons explains, a link is also provided to log in using your password instead.