No-password logon surges for Microsoft services to 150 million people

Pandemic telecommuting is pushing companies to modernize authentication.

Stephen Shankland Former Principal Writer
Stephen Shankland worked at CNET from 1998 to 2024 and wrote about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise Processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science. Credentials
  • Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
Stephen Shankland
3 min read
Brett Pearce/CNET

Microsoft  recognized World Password Day on Thursday by touting its progress in making fallible logon technology obsolete. In the past six months, the number of people who use Microsoft's services but have dumped logon passwords has risen by half to 150 million.

What's the alternative to traditional usernames and passwords? Microsoft now offers three no-password logon options for its online services on Windows machines: a hardware security key combined with Windows Hello face recognition technology or fingerprint ID; a hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app.

Most of the people who dumped passwords are among the 800 million consumers using Microsoft consumer services like Outlook.com and Skype, but a chunk of the billion people at businesses using Microsoft logon technology have also dropped the insecure practice of memorizing strings of letters, digits and special characters, says Joy Chik, Microsoft's corporate vice president for identity technology.

"It's both secure and has the best experience," she said of the reasons for moving to a passwordless authentication. Among Microsoft's 150,000 or so employees, 90% have dumped passwords for their own authentication, she added.

World Password Day, observed on Thursday, is often used to prod us into better password security practices. But with post-password technology now maturing, we have a chance to leave behind a computer authentication technology that's actually become a weak link in security.

There are plenty of password problems. Because we reuse passwords, hackers can often crack into multiple sites if they grab the credentials to one. A good password from the perspective of computer security -- long, unique and unguessable -- happens to be the hardest for humans to memorize and type. Password managers can help us cope with passwords to dozens or hundreds of online services in our lives, but they're complex.

Microsoft and allies like security key maker Yubico are banging the post-password drum. It's advice you'll hear from consulting firms like Gartner, too.

FIDO standard helps with passwordless logon

New authentication techniques like hardware security keys and biometrics enable two-factor authentication without having to remember a password. New standards like FIDO -- short for Fast Identity Online -- make it easier for device makers and websites to embrace passwordless logon. And with passwordless authentication, companies and consumers don't have to worry as much about hackers stealing troves of login data.

Hardware security keys aren't perfect -- they can get lost, too. Enrolling keys -- primary and backup at least -- is tedious at best for multiple accounts. But the technology is maturing, and it's important to balance the problems of passwordless logon with the problems we already face today, said Stina Ehrensvärd, co-founder and chief executive of Swedish company Yubico.

Yubico CEO Stina Ehrensvärd

Yubico CEO Stina Ehrensvärd


"I can lose my phone, too," she said. That's why she recommends having multiple logon options.

Better logon security has become a higher priority with so many more people telecommuting because of the coronavirus, the COVID-19 pandemic it's caused, and the widespread orders to work from home. Companies and governments are now racing to modernize logon, Ehrensvärd said.

"Things that took months now take three weeks," she said, with customers demanding overnight key shipments. Yubico has now sold more than 10 million of its Yubikey hardware security keys, a rate growing about 60% to 70% annually. "The remote workforce is pushing this new reality."

Watch this: In a world of bad passwords, a security key could be your new best friend