Microsoft now lets you log into Outlook, Skype, Xbox Live without a password

It's not yet time to laugh off data breaches, but authentication technology is advancing beyond the password-era problems.

Stephen Shankland principal writer
Stephen Shankland has been a reporter at CNET since 1998 and writes about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science Credentials
  • I've been covering the technology industry for 24 years and was a science writer for five years before that. I've got deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and other dee
Stephen Shankland
3 min read
Yubikey's Yubico Security Key can handle U2F and FIDO2 authentication.

Yubikey's Yubico Security Key can handle U2F and FIDO2 authentication.

Stephen Shankland/CNET

You and 800 million other people now can use hardware authentication keys -- and no password at all -- to log on to Microsoft accounts used for Outlook, Office 365, OneDrive, Skype and Xbox Live.

Microsoft is using a technology called FIDO2, which employs hardware keys for the no-password logon, the company said Tuesday. New versions of Microsoft's Windows 10 operating system and Edge web browser support the technology

The hardware authentication keys plug into laptop USB ports or, for phones, use Bluetooth or NFC wireless communications to help prove who you are. Initially, they worked in combination with a password for dual-factor authentication, but FIDO2 and a related browser technology called WebAuthn expands beyond that to let the company ditch the password altogether.

Microsoft's no-password logon offers three options: the hardware key combined with Windows Hello face recognition technology or fingerprint ID; the hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app. It works with Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing and the MSN portal site.

The prospect of moving to hardware keys after decades of using just passwords may daunt you, but it's probably smart to get used to the idea now.

Passwords have been purloined from countless companies through data breaches, and the ones that are hardest to crack also happen to be the ones that are hardest to remember. Fingerprint and face authentication on phones is one important step away from old-school password-only protection, but hardware keys look likely to be another.

You might want to hold off a little before trying a dramatic change to your Microsoft account authentication, though: Since Monday, Microsoft has struggled with a multifactor authentication problem afflicting Office 365 logon.

Getting ahead by killing off passwords

Microsoft clearly believes its move beyond passwords gives it an edge over competitors. "We are declaring an end to the era of passwords," Rob Lefferts, Microsoft's corporate vice president for security, said in a September blog post. "No company lets enterprises eliminate more passwords than Microsoft."

And Alex Simons, a vice president in Microsoft's Identity Division, added another boast in a blog post Tuesday: "Microsoft Edge supports the widest array of authenticators compared to other major browsers."

Even with password managers trying to manage the chaos of dozens or hundreds of accounts, passwords are a struggle for mere mortals. Dual-factor authentication methods can increase security, typically using an authenticator apps that generate a short-lived numeric code or sending us similar codes by text message or email.

Hardware keys are coming

Hardware security keys are a variation of dual-factor or multifactor authentication, a technology that means just having an account's username and password isn't enough to log on. Hardware keys go a step farther than SMS codes and authenticator apps, too. In principle, SMS codes can be intercepted.

The hardware authentication keys got their start with technology called universal second factor (U2F) at the FIDO (Fast Identification Online) Alliance, notably through the efforts of Google and U2F hardware maker Yubico.

Google supports U2F hardware for login and indeed now sells its own key, Titan, which it credits for neutralizing phishing attacks.

Hardware-augmented logon is spreading steadily. In addition to Google and Microsoft, companies that support it in various capacities include Dropbox, Twitter, Facebook, Github, LastPass, 1Password and Dashlane.

First published Nov. 20, 9 a.m. PT.

Update, 9:27 a.m. PT: Adds that Microsoft has had problems with Office 365 multifactor authentication.

CNET's Holiday Gift Guide: The place to find the best tech gifts for 2018.

Best Black Friday 2018 deals: The best discounts we've found so far.