Follow ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- Free Microsoft accounts can use passkeys instead of passwords.
- Passwordless sign-ins are more secure and highly phishing-resistant.
- Set up multiple sign-in and recovery options before going passwordless.
These days, I’m very popular in Russia, Ukraine, Moldova, Bosnia-Herzegovina, and even Albania. At least, that’s what it looks like based on this list of recent attempts to sign in to my Microsoft account. (That list is available for any Microsoft account at this management page: https://account.microsoft.com. After signing in, click Security and then click “View my sign-in activity.”)
What these attackers don’t know is that every password is incorrect for this passwordless account.
Screenshot by Ed Bott/ZDNET
In my case, those desperate hackers are wasting their time. They can try every combination of letters, numbers, and symbols in every alphabet known to humanity, even if it takes until the end of the universe, and they will never guess the password for my Microsoft account.
Also: What are passkeys really? The simple explanation – for anyone tired of passwords
Why am I so confident? Because, long ago, I chose the option to make that account passwordless.
The only way to access the services connected to my Microsoft account is with a passkey that uses biometrics or a device PIN on my Windows PC or a mobile device I previously set up. If some stranger wants to sign in to my account on a new device, they’ll have to convince me to approve that sign-in using a device I own and control. (Sorry, Ivan, I say nyet to unsolicited requests from Russia.)
Should you switch from password to passkey?
Microsoft wants you to do just like I did and ditch your password.
At the beginning of 2025, the company rolled out a new user experience that is “optimized for a passwordless and passkey-first experience.” These new features can be used with any free Microsoft account. (Administrators of Entra ID accounts that are used for Microsoft 365 Business and Enterprise subscriptions and to sign in to corporate networks can remove the option for users to sign in with passwords but can’t remove the account passwords completely.)
Also: Best VPN services 2025: Our top picks for speed and security
So, should you do it? For most people, the answer is yes.
Removing your password dramatically increases the security of your Microsoft account and makes it far more resistant to phishing attacks. Once you’ve removed your password, the only way to sign in to a device is by proving your identity using passkeys tied to biometrics (fingerprint or face recognition), hardware security keys, or syncable passkeys saved in a password manager.
You also have the option to respond to a push notification on a trusted device, as shown here.
The default method for signing in to a passwordless Microsoft account is with an Authenticator app on a device you own.
Screenshot by Ed Bott/ZDNET
The only technical reason not to make this change is if you use old apps or hardware devices that don’t support modern authentication methods: Office 2010 or earlier; Office for Mac 2011 or earlier; Xbox 360; or a PC running Windows 8.1 or earlier. You’ll also run into problems if you use the Remote Desktop feature to connect to another PC using your Microsoft account.
Also: Windows 11 users just got a more convenient way to store passkeys – here’s how it works
Going passwordless is not a step you take casually. Along with that extra security comes an increased risk that you’ll lock yourself out of your account. You can mitigate that risk by making sure you have multiple secure ways to access your account before you remove your password.
How to replace your Microsoft account password with a passkey
Before you begin, download and install the Microsoft Authenticator app on your mobile device. It’s available in the App Store for iPhone and in the Google Play store for Android phones.
Ready to get started? Let’s go. Oh, and do not skip step 5.
Using a browser on a Windows PC or Mac, go to your Microsoft account management page at https://account.microsoft.com and sign in using your password. Click the Security tab and then click “Manage how I sign in.” That should open a page like the one shown here:
Add at least two ways to prove who you are. An Authenticator app and an email address are your best choices.
Screenshot by Ed Bott/ZDNET
This is an account I created for test purposes. It has a password, and I’ve added an email address to be used for verification purposes. Note the two options under the “Additional security” heading — Passwordless account and two-step verification — are both off.
Click “Add another way to sign in to your account.” That opens the page shown here:
Use the second option to set up the Microsoft Authenticator app as a way to sign in.
Screenshot by Ed Bott/ZDNET
Click the middle option, “Use an app.” This gives you two choices. The Microsoft Authenticator app relies on push notifications; you can also set up a classic Time-based One-Time Password (TOTP) authenticator and generate six-digit codes you supply on request.
Also: 10 passkey survival tips: Prepare for your passwordless future now
Click Next to display a QR code like the one shown here:
Scan this QR code to set up your Microsoft account in the Authenticator app.
Screenshot by Ed Bott/ZDNET
Open the Authenticator app on your mobile device, click the plus sign in the upper right corner, and choose the Personal account option. Scan the QR code using the smartphone camera to add your new account. The result should look something like this:
After you make your account passwordless, the Change Password option will disappear.
Screenshot by Ed Bott/ZDNET
If you’d prefer to use another TOTP app, such as Authy or Google Authenticator, click “Use an app.” In the “Set up the Microsoft Authenticator” dialog, choose the option to set up a different Authenticator app. That produces a bar code that creates a standard six-digit TOTP code that you enter when you need to authenticate.
Note that you can use this option with Microsoft Authenticator as well. Choose the option to set up a different app and then add the account to Microsoft Authenticator using the supplied barcode. That will result in two entries, one that uses notifications, the other that uses TOTP codes.
You’re not done yet. To keep from being locked out of your account, you’ll need at least two other ways to sign in.
If your Windows PC or Mac supports biometric authentication, you can use that method to create a device-bound passkey.
Click “Add another way to sign in to your account” again and choose the “Face, fingerprint, PIN, or security key” option to create a passkey that’s tied to that biometric hardware, using Windows Hello with face recognition or a fingerprint reader on a Windows PC, or an Apple iCloud Keychain passkey, using Touch ID on a MacBook. You can also use this option with a USB security key.
After setting it up, you’ll sign in using a dialog like this one:
You can sign in to a Microsoft account using a passkey tied to Windows Hello, using your face or fingerprint
Screenshot by Ed Bott/ZDNET
If you have a PC running the latest release of Windows 11, you can use Windows Hello to create and save passkeys for other sites and services as well. For most third-party sites, a passkey is an additional alternative you can use instead of a password, not a complete replacement as it is for a passwordless Microsoft account.
From the dialog in step 1, choose at least one of the following options as an additional sign-in method.
- Click “Email a code” to enter an alternate email address (not the one tied to your Microsoft account!) where you can receive a code.
- Click “Show more options” to display the option to enter a phone number where you can receive a code via SMS. In addition to your personal phone, consider adding a phone number that belongs to your spouse or partner, which gives you an extra alternative if your own phone is lost or stolen.
- Select “Use an app” and set up a non-Microsoft authenticator app as described in step 2. (Consider setting up that app on a phone other than your primary phone, if possible.)
- If your password manager supports this feature, you can also create a syncable passkey that you can use on any device where you’re signed in using that software. Dashlane, 1Password, and Bitwarden all support this feature.
Also: The best password managers of 2025: Expert tested
This is your “In case of emergency, break glass” option.
Go back to the “Manage how I sign in” page from step 1 and scroll all the way to the bottom of the page. Under the “Recovery code” heading, click the option to generate a new code. Print it out and save the code in a safe location. Consider sending a copy via email to a trusted friend or family member who can stash it away in case you need it.
If all else fails, this code will make certain that you can recover your account.
You don’t have to do this step right away. All of the passwordless options you set up (Authenticator app, passkeys, and so on) will work right away. Give yourself a week or two to make sure everything’s working as expected. When you’re ready, go back to the “Manage how I sign in” page, scroll to the “Passwordless account” section, and turn that option on.
Also: I’m ditching passwords for passkeys for one reason – and it’s not what you think
