Microsoft Issues New Warning: Passwords to Be Phased Out for Over 1 Billion Users
The End of Passwords: Microsoft and Experts Highlight Challenges and Opportunities in a Passwordless Future
Microsoft has confirmed the era of passwords is drawing to a close, emphasizing the urgency of the shift. “Bad actors know this,” the company warns, “which is why they’re accelerating password-related attacks while they still can.” Currently, Microsoft blocks 7,000 password attacks per second—double the number from last year—but acknowledges that this is insufficient. The company’s ultimate vision? A world without passwords, replaced by more secure and user-friendly passkeys.
Passkeys, which rely on facial recognition, fingerprint scans, or PINs, offer significant advantages over traditional passwords. They are resistant to common attacks, eliminate forgotten credentials, and reduce support calls. Despite these benefits, adoption hurdles remain. The UK’s National Cyber Security Centre (NCSC) has identified key challenges, describing the transition to a passwordless future as far from straightforward.
Challenges to Widespread Passkey Adoption
- Inconsistent User Experiences: Different “flavors” of passkeys create confusion for users and developers.
- Device Loss Concerns: Users are uncertain about recovering passkeys after losing or breaking devices.
- Migration Barriers: Moving passkeys between platforms or vendors is currently difficult.
- Account Recovery Risks: Weaknesses in recovery processes could become new attack targets.
- Platform Discrepancies: Varied terminology and inconsistent implementation deter users.
- Household Use Cases: Shared devices complicate exclusive access to passkeys.
- Technical Complexity: Multi-domain services may require separate passkeys, increasing friction.
- Inconsistent Use: Some services require passkeys and additional factors, while others do not.
- Unclear Multi-Factor Authentication Status: No consensus exists on whether passkeys alone meet multi-factor standards.
- Syncing and Sharing Concerns: Uncertainty surrounds the security of passkeys that can be synced or shared.
Moving Forward
Organizations like the FIDO Alliance and secure-by-design industries are collaborating to address these challenges. The NCSC stresses the need for intensified effort and greater collaboration to create a unified, user-friendly vision for passkeys.
Microsoft is taking a cautious approach to encourage adoption, conducting extensive user testing to optimize the enrollment process. “What would motivate a user to stop what they’re doing and enroll a passkey?” the company asks, underscoring the importance of seamless user experiences.
However, Microsoft acknowledges that the transition must be comprehensive to be effective. “If a user has both a passkey and a password, and both grant account access, the account is still at risk of phishing. Our ultimate goal is to remove passwords completely and use only phishing-resistant credentials.”
The path to a passwordless future is complex, but progress is underway. With technological innovation, industry collaboration, and user education, the transition promises to reshape online security and reduce the prevalence of attacks in the digital age.