News Microsoft makes passkeys the default authentication method for all new accounts

[Admin]

Microsoft says that passkeys reduce password use by 20% and wants to remove password use altogether.

Microsoft makes passkeys the default authentication method for all new accounts : Read more

 

[TheSecondPower]

Passkeys look to me like a form of vendor lock-in.

 

[2Be_or_Not2Be]

Passkeys look to me like a form of vendor lock-in.

Technically, it's vendor-neutral, but it does require support by the local OS (which almost all do now).

It's basically creating a secure key pair between your "login" identity and a local device that you own. It helps knock out phishing-scams, keylogging, and the like because you need the physical device as part of the authentication. It's actually faster and more secure than straight passwords.

 

[Grobe]

Will this cause creation of a new hotmail account harder, for those that don't use Windows as OS ?

 

[hotaru251]

It's actually faster and more secure than straight passwords.

its the 1 feature I use in desktop win10.

Much faster to use my pin for log in than my much longer password

 

[punkncat]

Will this mean they are also going to do away with the ability to use a local user/password method?

I prefer working within my local network using username/pass for ease of access between PC shares as well as RDC. About the time you change things to "let Windows decide" on your shares then connection issues abound.

 

[TheSecondPower]

Technically, it's vendor-neutral, but it does require support by the local OS (which almost all do now).

It's basically creating a secure key pair between your "login" identity and a local device that you own. It helps knock out phishing-scams, keylogging, and the like because you need the physical device as part of the authentication. It's actually faster and more secure than straight passwords.

So if I use the Windows passkey system to log into 15 different websites, and I want to log into those same websites on Linux, Android, iOS, and MacOS, can I do that?

 

[Misgar]

I prefer working within my local network using username/pass for ease of access between PC shares as well as RDC.

Same here. When I'm installing Windows in remote locations with no broadband or 4G/5G internet access, this might make things difficult. I'm discounting satellite internet because the end users may not be able to afford this option. Some folk don't need extra bells and whistkes or Copilot. Maybe Linux would be a better choice?

 

[dwd999]

If you want to see why this is a good idea, log into your Microsoft account, select Account, Security, and See Your Sign-In Activity. When I look at mine I see unsuccessful attempted sign-ins from all over the world, as many as a dozen a day. I'm smart enough that I don't have any financial information listed under Payment Methods so they can't buy anything. But for someone who would enter payment information its a real hazard.

 

[USAFRet]

If you want to see why this is a good idea, log into your Microsoft account, select Account, Security, and See Your Sign-In Activity. When I look at mine I see unsuccessful attempted sign-ins from all over the world, as many as a dozen a day. I'm smart enough that I don't have any financial information listed under Payment Methods so they can't buy anything. But for someone who would enter payment information its a real hazard.

Indeed.
This is recent activity on my MS acct:

 

[Alvar "Miles" Udell]

Is quite convenient, I've used a PIN for ages with Windows Hello and Microsoft Authenticator for when account access is required. While it is far more secure than a password, it's not exactly friendly to people who don't keep a phone near them, refuse to use an app authenticator, or don't have service.

Ideally people would use a FIDO key (I don't), but pin and app are good enough.

 

[klatte42]

Biometrics are really just a password that you can never change. Once someone has a scan of your face/iris/finger, it’ll never change and it really follows you between devices and platforms. I think using biometrics without a human doing the scan is bad idea.

…also not a fan of apps or devices, especially because they do multiply with the different systems you deal with, you have to remember how each one works, and you get locked into having to do whatever lifecycle each platform requires. If you have one, single high security device that you use daily ( eg a work laptop), it can make sense, but using it widely would suck.

What _really_ sucks are systems that you use 1-2 times per year that add tons of steps if you haven’t logged in for 90 days.

 

[BryanFRitt]

If you want to see why this is a good idea, log into your Microsoft account, select Account, Security, and See Your Sign-In Activity. When I look at mine I see unsuccessful attempted sign-ins from all over the world, as many as a dozen a day. I'm smart enough that I don't have any financial information listed under Payment Methods so they can't buy anything. But for someone who would enter payment information its a real hazard.

Wouldn't this be an example of why you shouldn't use non-local accounts?

It will then send a verification code to confirm your identity, and once done, it will become your default credential for your new account.

This doesn't confirm identity, it just confirms your* access to something.
*or hackers', etc...

 

[VizzieTheViz]

So if I use the Windows passkey system to log into 15 different websites, and I want to log into those same websites on Linux, Android, iOS, and MacOS, can I do that?

Yes that’s the gist of it. All those OSes support passkeys so you should be fine.

Ideally, if you have that many different devices, you’d use a usb key or an app on your phone for identification.

 

[TheOtherOne]

Call me dumb but I don't get it... What's more secure and harder to guess/hack? A 4-6 digit numerical only PIN code or a much longer password containing a mix of numbers, letters, special letters with case sensitive?

 

[Aurn]

Indeed.
This is recent activity on my MS acct:

also for @dwd999 ; there is an easy way to defeat those bots constantly trying to log into your account : in your Microsoft account settings, you can add e-mail aliases. Create a new one that you will only use for login and never to sign up anywhere, then make this new alias the primary one and disable your other addresses/aliases for login purposes (in Your Info > Sign-in preferences). This will make it impossible for anyone to login with the e-mail address that was leaked

And I really hope that no, they don’t eventually remove password support, these other methods seem like they would be very inconvenient for me 🙁 My desktop PC doesn’t have a camera or fingerprint reader (and fingerprint reading often fails for me), and I don’t want to always have my phone with me and often can’t even. I also don’t really like the idea of Microsoft having pictures of my face for face recognition ?

 

[ezst036]

This sounds like it might make some heads explode at my support department. I'm "that guy" at work, the one who had for many years a custom rom on a phone but now a full Linux phone. I have told my IT department flat out, buy me a company phone or get me a yubikey.

I will not downgrade from my Linux phone to some Apple or Google device. As far as the world of spyware world OSs are concerned, I am off grid.

I always get a yubikey sent to me.

 

[palladin9479]

Passkeys look to me like a form of vendor lock-in.

It's just moving the auth to an even easier item to crack.

 

[VizzieTheViz]

Call me dumb but I don't get it... What's more secure and harder to guess/hack? A 4-6 digit numerical only PIN code or a much longer password containing a mix of numbers, letters, special letters with case sensitive?

Not calling you dumb, but having a passkey on a device you physically have to have like your laptop or phone or a usb key that you unlock biometrically (or with a pin) is in by far the most cases way safer than a password that anyone in the world can use on any device in the world.

 

[jlake3]

So if I use the Windows passkey system to log into 15 different websites, and I want to log into those same websites on Linux, Android, iOS, and MacOS, can I do that?

If you used Windows Hello to store your passkey, then no, not without using a fallback password. If you logged in on iOS or MacOS and saved your passkeys to iCloud Keychain, same issue. The systems that make passkeys not work if stolen also prevents transfer between ecosystems, although this is a problem they’re supposedly looking into. For now, though, you’ll need to either override the OS’s default to save passkeys in its own password manager and force it to use a cross-platform 3rd party option, or you’ll need to create and enroll multiple passkeys per site.

 

[Misgar]

If you want to see why this is a good idea, log into your Microsoft account, select Account, Security, and See Your Sign-In Activity.

As luck would have it, I don't have any Windows PCs associated with a Microsoft Account. Does that mean I'm immune from this particular threat, if I don't have a Microsoft Account?

Wouldn't this be an example of why you shouldn't use non-local accounts?

I prefer Local Accounts, which is how I used to set up client machines to log on to Workgroups and Domains. Admittedly my most recent systems are still running Windows 10, apart from some legacy (oofline) PCs on Windows 7 and XP.

I installed Windows 11 the day it came out as a VM under Hyper-V so I still have a collection of old Windows 11 ISOs that should allow Local Account installation from the outset. Whether or not they still work and can be updated remains to be seen.

Many of my systems do not have TPM 2.0 or "compatible" CPUs, so this October I'll consider using Rufus to install Windows 11, or look for an alternative "safe" OS with ongoing security updates.

I run two 10Gb/s LANs behind hardware firewalls and one of them is completely isolated from the Internet. Nothing is 100% secure, but I could move my older PCs over to the offline LAN.

 

[USAFRet]

As luck would have it, I don't have any Windows PCs associated with a Microsoft Account. Does that mean I'm immune from this particular threat, if I don't have a Microsoft Account?

Every account, every IP address, every login....is getting hit every day, all day.
Just looking for a way in.

 

[BryanFRitt]

Wouldn't this be an example of why you shouldn't use non-local accounts?

In a since, this was using double negative as negating the negative. Stated in more positive terms: You should use only local accounts.

 

[Misgar]

Every account, every IP address, every login....is getting hit every day, all day.
Just looking for a way in.

Agreed, which is why I'm using hardware firewalls, but when I'm surfing the internet, there are many times when I don't log into any accounts whatsovever, if all I need is news and information.

Since I'm not using a Microsoft Account to sign into any of my Windows 10 machines, surely that's one less vector of attack?

If I do switch to Windows 11 for on-line systems in October 2025, I'll use Secure Boot and TPM 2.0 when possible, but I'll try to install Windows 11 without a Microsoft Account. No point adding yet another security weakness if I don't have to.

How long I'll be permitted to use Windows 11 without having to open a Microsoft Account remains to be seen. I'm sure Microsoft only has my best interests at heart, with all these changes/restrictions.

I've been reading Davey Winder's security articles for decades, in an attempt to keep up-to-date with attacks, ransomware, etc.
https://happygeek.com/

In a sense this was using double negative as negating the negative. Stated in more positive terms: You should use only local accounts.

I shall continue to use Local Accounts only for as long as possible, because old Network Admin habits die hard.

I'm sure some people like the "benefits" of Microsoft Accounts, but I prefer to keep my computers as separate entities.

Each to their own.