The End of The Password Era

Microsoft To Remove Passwords For 1 Billion Users

by Ahmet Kus

Microsoft has announced its intention to eliminate passwords for over a billion users, marking a pivotal step in digital security. Declaring that “the password era is ending,” the company cautioned users about the rise of password-related attacks, stating, “Bad actors know it, which is why they’re desperately accelerating these attacks while they still can.” The move underscores Microsoft’s commitment to replacing passwords with more secure, phishing-resistant alternatives like passkeys.

The End of the Password Era: Microsoft’s Journey to Passkeys
The password era is rapidly coming to a close. Cybercriminals are exploiting this transition, ramping up password-related attacks while they still can. Microsoft blocks 7,000 password attacks per second, a nearly twofold increase from last year. Additionally, adversary-in-the-middle phishing attacks have surged by 146% year over year. Fortunately, a groundbreaking solution has emerged: passkeys.

Passkeys offer a faster, more secure, and user-friendly alternative to passwords. They eliminate the vulnerabilities of traditional credentials, resolve issues like forgotten passwords, and significantly reduce support calls.

Embracing the Opportunity to Improve Sign-Ins
In May 2024, Microsoft announced passkey support for popular consumer services like Xbox, Microsoft 365, and Microsoft Copilot. This presented a unique challenge: How could they convince over a billion users to embrace and adopt passkeys, permanently altering a deeply ingrained habit?

To achieve this, Microsoft adopted a simple yet effective methodology: start small, experiment, and scale massively. The results have been promising:

Signing in with a passkey is three times faster than using a password and eight times faster than using a password with multifactor authentication.
Users are three times more successful signing in with passkeys than with passwords (98% success rate compared to 32%).
99% of users who begin the passkey registration process complete it.

Step 1: Start Small
Microsoft’s first step was enabling passkey support across its apps. In May 2024, the tech giant introduced a new option in Microsoft account settings to enroll a passkey:

[Screenshots: “Add a new way to sign in or verify” and “Sign-in options”]

During initial adoption, Microsoft observed that while the term “passkey” was unfamiliar to some, phrases like “face, fingerprint, or PIN” were intuitive and well-understood. By linking these concepts in the user experience (UX), they reduced friction and improved comprehension.

Step 2: Experiment
Microsoft wanted passkeys to be more than just an alternative—they needed to be the best way to sign in. To achieve this, they experimented with how, where, and when to invite users to enroll passkeys.

Proactive Nudges Outperform Passive Enrollment
Passive options, like adding passkeys in account settings, accounted for less than 1% of enrollments. Conversely, proactive nudges at key moments—such as after signing in or during password resets—proved five times more effective, with 25% of users engaging.

Messaging That Resonates
Microsoft tested various value propositions to determine what motivates users to enroll. Surprisingly, “easier sign-ins” were less compelling than “faster” or “more secure” sign-ins. Messaging emphasizing security saw a 24% click-through rate, while speed-driven messaging achieved 27%.

Respectful Deferrals
For users not ready to enroll, Microsoft designed the “Skip for now” option to be non-dismissive yet set the expectation of future nudges. They also implemented intelligent timing to avoid overwhelming users while ensuring consistent reminders about passkey enrollment.

Step 3: Scale
As passkey adoption grew, Microsoft reimagined the sign-in experience to prioritize security and usability:

Secure and Streamlined: If a user has a passkey, it’s the default option. The interface eliminates unnecessary sign-in choices, offering a seamless and secure experience.
Incremental Transitions: If a user lacks a passkey, Microsoft guides them through enrolling immediately after successful authentication, setting it as the new default.

The redesigned experience resulted in a 10% reduction in password use and a staggering 987% increase in passkey adoption. At scale:

New users are prompted to enroll passkeys during account creation.
Existing users are invited at pivotal moments, such as sign-ins and password resets.
Passkeys are set as the default option for users who have them.

The Passwordless Journey
While passkey enrollment is a crucial milestone, the ultimate goal is to eliminate passwords entirely. Since 2022, Microsoft has allowed users to remove passwords from their accounts, relying solely on secure alternatives. Passkeys now enable Microsoft to replace passwords with a faster, safer, and more user-friendly solution.

Microsoft’s vision is a phishing-resistant future for all authentication scenarios, including account recovery and bootstrapping. By transitioning users to passkeys, they aim to set a new standard for digital security.

Learning from Experience
Here are key takeaways from Microsoft’s journey:

Be Proactive: Don’t hesitate to nudge users towards passkeys. People appreciate the benefits of security and speed.
Simplify the Process: Make enrollment intuitive and default to the best available method.
Plan for the Future: Passkeys are a critical step towards a phishing-resistant future. Start transitioning now.

A Collaborative Effort
The shift from passwords to passkeys is a collective effort. As passkeys become recognized, familiar, and expected, adoption will accelerate. Together, we can empower billions of users to secure trillions of accounts with passkeys, creating a safer digital landscape for everyone.

 

Source: https://www.linkedin.com/pulse/end-password-era-microsoft-remove-passwords-1-billion-vwode
