Microsoft Makes New Consumer Accounts Passwordless by Default

Microsoft has announced that new consumer accounts will now default to passwordless sign-in options for improved security.

Microsoft has altered the default setup process for new consumer Microsoft Accounts, steering users towards passwordless authentication methods from the start. This change, announced on May 1st to coincide with the first World Passkey Day, means individuals creating accounts for services like Xbox or Copilot won’t be prompted to create a traditional password.

Instead, they will be guided to use more modern methods such as Windows Hello – Microsoft’s system for face, fingerprint, or PIN login introduced about ten years ago – or the Microsoft Authenticator mobile app. This adjustment reflects Microsoft’s ongoing effort to enhance account security amid a rising tide of password-related cyber threats.

The company justifies the move by pointing to the vulnerabilities of passwords and the increasing sophistication of attacks targeting them. Microsoft’s data indicates a concerning rate of 7,000 password attacks occurring every second, more than double the frequency observed in 2023.

As a more secure alternative, Microsoft promotes passkeys, which use device-bound cryptographic key pairs instead of shared secrets, making them resistant to phishing. These are based on standards developed by industry groups like the FIDO Alliance.

Microsoft’s own metrics suggest passkeys offer a smoother user experience, claiming users are three times more successful logging in and complete the process eight times faster compared to using passwords with multi-factor authentication. Adoption appears to be growing, with Microsoft noting nearly a million passkeys are registered daily for its accounts.

New Sign-In Experience and Passwordless Preference

This passwordless-by-default approach for new accounts is coupled with a broader redesign of the sign-in and sign-up user experience. This updated interface aims for a cleaner look that inherently guides users towards more secure, password-free options.

Explaining the change for new sign-ups, Microsoft stated, “[Brand new Microsoft accounts will now be ‘passwordless by default.’] New users will have several passwordless options for signing into their account and they’ll never need to enroll a password.”

For the many existing Microsoft account holders, a “passwordless-preferred” system is being rolled out. When signing in, the interface will now default to the most secure method already set up on the account, like an enrolled passkey or a Windows Hello credential, rather than immediately asking for a password.

Microsoft notes that over 99% of users signing into Windows devices with their Microsoft account already utilize Windows Hello. If someone logs in using a less secure method, they will receive prompts encouraging them to create a passkey or learn how to manage passkeys in Windows. Furthermore, existing users wanting to fully commit can visit their account settings to delete their password entirely. The company reported that internal trials of this preferred flow led to a password usage reduction exceeding 20 percent.

A Strategy Developed Over Time

This latest step towards a password-free future is consistent with a broader security focus Microsoft articulated a year ago. In May 2024, following several cyberattacks, the company elevated security as its top priority under the Secure Future Initiative (SFI). It was as part of that initiative that initial passkey support for consumer Microsoft accounts was launched across multiple platforms.

Since then, Microsoft has continued building the necessary infrastructure. Updates to Windows 11’s WebAuthn APIs (the standard enabling passkey use in web browsers and applications) were introduced in preview builds in November 2024, specifically adding support for third-party passkey managers.

This allowed services like 1Password or Bitwarden to integrate more directly with the Windows Hello authentication system. This technical work complements efforts in the enterprise space, where Microsoft began enforcing passkey support in its Authenticator app for specific FIDO2 policies starting in January 2025.

The Broader Security Context

The emphasis on inherently stronger authentication methods like passkeys is also informed by the limitations of older techniques. Even some forms of multi-factor authentication, while better than passwords alone, aren’t immune to attack.

A critical vulnerability patched by Microsoft in late 2024 involved its implementation of Time-based One-Time Passwords (TOTP) – the common six-digit codes generated by apps. The flaw, related to insufficient attempt limits and an overly long code validity window, demonstrated how certain MFA methods could still be susceptible to brute-force guessing. Oasis Security, which discovered the flaw, noted that “account owners did not receive any alert about the massive number of consequent failed attempts, making this vulnerability and attack technique dangerously low profile.” This incident further strengthens the case for phishing-resistant cryptographic solutions like passkeys.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
