Microsoft is removing password management and autofill from its Authenticator app, with the features being fully discontinued by August 2025. In a support document, the company announced it is consolidating this functionality within its Edge browser to streamline the user experience.
While password storage is moving, the app will continue to operate as a modern security tool, managing passkeys and generating two-factor authentication (2FA) codes. This strategic pivot aligns with Microsoft’s recent, aggressive push to transition users away from traditional passwords.
The change also serves to more deeply integrate its services with the Edge browser ecosystem, making it the central hub for user credentials on both desktop and mobile.
Edge Takes Over as Authenticator Sunsets Password Management
The company has outlined a clear, phased removal process. Starting in June 2025, users can no longer add or import new passwords into the Authenticator app. During July, the core autofill capability will cease to function, and any stored payment information will be deleted from the device.
The final deadline is August 1, 2025. After this date, all saved passwords will become inaccessible within Authenticator. Microsoft notes that saved passwords and addresses will sync to a user’s Microsoft Account, where they will remain accessible through Microsoft Edge.
However, some data requires manual intervention. The history of generated passwords—distinct from saved credentials—will not sync and will be permanently lost if not explicitly saved. Users who prefer a different password manager must export their data from Authenticator before the August deadline.
Crucially, the app’s modern authentication roles remain intact. Microsoft warns users that the app is still essential for passkey management, stating, “If you have set up Passkeys for your Microsoft Account, ensure that Authenticator remains enabled as your Passkey Provider. Disabling Authenticator will disable your passkeys.” Its function as a 2FA code generator is also unaffected, preserving its role as a core security utility.
A Strategic Pivot in the Push for a Passwordless Future
This decision follows closely on the heels of Microsoft’s major “passwordless by default” announcement on May 1st. In a move that now seems somewhat contradictory, the company had promoted Authenticator as a primary tool for setting up new, password-free consumer accounts.
At the time, Microsoft declared, “Brand new Microsoft accounts will now be ‘passwordless by default.’ New users will have several passwordless options for signing into their account and they’ll never need to enroll a password,” explicitly pointing users toward the very app whose password features it would soon dismantle. This signals a deliberate strategy to separate legacy password management from modern, phishing-resistant authentication methods like passkeys.
The move appears to be a specific step within Microsoft’s larger security strategy, heavily emphasized since its Secure Future Initiative (SFI) was announced in May 2024. That initiative was a direct response to cyberattacks and elevated security to the company’s top priority.
By consolidating passwords into Edge, Microsoft is forcing a choice: adopt its browser for credential management or manually migrate to a third-party service. This underscores the company’s commitment to making Edge a more integral part of its ecosystem.
Refocusing Authenticator on Modern Security Standards
While the removal may seem abrupt, it reflects a refocusing of the Authenticator app on its core strengths. Password management was a relatively recent addition, first introduced in late 2020, long after the app was established for strong authentication.
Recent updates have consistently bolstered its modern capabilities, signaling this strategic shift. Microsoft rolled out streamlined passkey registration and FIDO2 support in October 2024.
This was followed by updates to Windows 11’s WebAuthn APIs in November 2024, which were designed to better integrate third-party passkey managers and expand the passwordless ecosystem.
These developments suggest Microsoft sees Authenticator’s future purely as a tool for phishing-resistant identity verification, not a traditional password vault. This aligns with the broader industry shift away from vulnerable, knowledge-based credentials.
Experts have noted the security risks of maintaining hybrid systems that still allow passwords as a fallback. As Gary Longsine, CTO at IllumineX, explained in a related context, “Migrating to passkeys without fully removing password support doesn’t significantly lower risk.” By stripping passwords from Authenticator, Microsoft is simplifying the app’s security model.
