Microsoft is fundamentally changing its Authenticator app by removing its password autofill and management features, a process set to conclude by August 2025.
An updated company support document details the transition, explicitly guiding users towards the Microsoft Edge browser as the designated platform for handling saved passwords moving forward. While the password manager component, first introduced in December 2020, is being sunset, Microsoft confirmed the app will continue its other primary functions: managing modern, phishing-resistant passkeys and generating codes for two-factor authentication (2FA).
The company outlined a clear timeline for the feature removal. Starting next month, users won’t be able to save new passwords within the Authenticator app. The core autofill capability will then cease functioning during July 2025. The final deadline is August 1, 2025; after this date, “your saved passwords will no longer be accessible in Authenticator.” Microsoft’s stated rationale involves streamlining autofill support and consolidating credential management into its Edge browser.
Edge Takes Over Passwords; Passkeys and 2FA Remain in Authenticator
While passwords managed via Authenticator sync to a user’s Microsoft Account and remain accessible through Edge, crucial distinctions exist. Payment information stored only within the Authenticator app will be deleted after July 2025 and requires manual re-entry elsewhere.
Furthermore, the history of generated passwords (distinct from saved login credentials) does not sync and will be lost if not explicitly saved. Microsoft’s support page confirms the app’s ongoing role for modern authentication: “Authenticator will continue to support passkeys.” It also cautions users, “If you have set up Passkeys for your Microsoft Account, ensure that Authenticator remains enabled as your Passkey Provider. Disabling Authenticator will disable your passkeys.” Its function as a 2FA code generator also remains unchanged.
For users who don’t wish to use Edge for password management, Microsoft provides instructions to export saved passwords from Authenticator before the August 1st deadline for use in other services. Passkeys, based on the FIDO2 standard, offer enhanced security over traditional passwords by using device-bound cryptographic keys, mitigating phishing risks.
The Move to “Passwordless” Login
This decision follows closely on the heels of Microsoft’s significant push towards passwordless options announced on May 1st for “World Passkey Day.” The company revealed that new consumer Microsoft accounts would become “passwordless by default,” explicitly guiding users towards setup using Windows Hello or the Authenticator app.
Microsoft stated, “[Brand new Microsoft accounts will now be ‘passwordless by default.’] New users will have several passwordless options for signing into their account and they’ll never need to enroll a password.”
Existing accounts were also transitioned to a “passwordless-preferred” model, defaulting to more secure sign-in methods like passkeys or Windows Hello if available – a method Microsoft noted over 99% of its Windows sign-in users already employ. The company even cited internal trials showing this preferred flow reduced password usage by over 20%.
Removing a key password feature from Authenticator shortly after promoting it as a passwordless solution could seem contradictory to users. The move means a push towards Edge, making the browser even more integrated into Microsoft’s ecosystem.
Strategic Consolidation within Broader Security Efforts
The removal appears to be a specific step within Microsoft’s larger security strategy, heavily emphasized since the Secure Future Initiative (SFI) was announced in May 2024. This initiative spurred the initial consumer passkey support. Technical developments included updates to Windows 11’s WebAuthn APIs in November 2024 to better integrate third-party passkey managers.
In the enterprise sphere, Microsoft began enforcing Authenticator passkey support for certain FIDO2 policies in January 2025, requiring organizations to implement key restrictions to opt out.
Microsoft had also recently enhanced Authenticator’s modern capabilities, rolling out streamlined passkey registration and FIDO2 support for key apps on Android 14+ in October 2024, alongside achieving FIPS 140 compliance. Recent changes suggest that the current removal targets the older password autofill system specifically, while retaining the app’s modern authentication features.
This aligns with the industry-wide shift, involving Microsoft, Google, Apple, and the FIDO Alliance, towards phishing-resistant credentials. This push is driven by the persistent threat of password attacks – which Microsoft reports at 7,000 per second – and vulnerabilities even in older MFA methods, such as a late 2024 TOTP flaw that Oasis Security noted was “dangerously low profile” as users received no alerts about brute-force attempts.