Is your Microsoft account passwordless yet? Why it (probably) should be and how to do it right


Tom Kelley/Getty Images

These days, I’m very popular in Russia, Ukraine, Moldova, Bosnia-Herzegovina, and even Albania. At least, that’s what it looks like based on this list of recent attempts to sign in to my Microsoft account:


What these attackers don’t know is that every password is incorrect for this passwordless account.  

Screenshot by Ed Bott/ZDNET

If you’re curious about who’s trying to sign in to your Microsoft account, go to this management page: https://account.microsoft.com. After signing in, click Security and “View my sign-in activity.”

In my case, those desperate hackers are wasting their time. They can try every combination of letters, numbers, and symbols in every alphabet known to humanity, even if it takes until the end of the universe, and they will never guess the password for my Microsoft account.

Why am I so confident? Because, long ago, I chose the option to make that account passwordless. If some stranger wants to sign in to my account on a new device, they’ll have to convince me to approve that sign-in using a device I’ve already set up. (Sorry, Ivan, I say nyet to unsolicited requests from Russia.)

Should you go passwordless?

Microsoft wants you to do just as I did and ditch your password. This month, the company rolled out a new user experience that is “optimized for a passwordless and passkey-first experience.”

So, should you do it? For most people, the answer is yes. Removing your password dramatically increases the security of your Microsoft account and makes it far more resistant to phishing attacks. Once you’ve removed your password, the only way to sign in to a device is by proving your identity using biometrics (fingerprint or face recognition), hardware security keys, syncable passkeys saved in a password manager, or by responding to a push notification on a trusted device, as shown here.


The default method for signing in to a passwordless Microsoft account is with an Authenticator app on a device you own.

Screenshot by Ed Bott/ZDNET

The only technical reason not to make this change is if you use old apps or hardware devices that don’t support modern authentication methods: Office 2010 or earlier; Office for Mac 2011 or earlier; Xbox 360; or a PC running Windows 8.1 or earlier. You’ll also run into problems if you use the Remote Desktop feature to connect to another PC using your Microsoft account.

Going passwordless is not a step you take casually. Along with that extra security comes an increased risk that you’ll lock yourself out of your account. You can mitigate that risk by making sure you have multiple secure ways to access your account before you remove your password.

Ready to get started? Let’s go.

Step 1: Check your current security settings

Go to your Microsoft account management page at https://account.microsoft.com and sign in using your password. Click the Security tab and then click “Manage how I sign in.” That should open a page like the one shown here:


Add at least two ways to prove who you are. An Authenticator app and an email address are your best choices. 

Screenshot by Ed Bott/ZDNET

This is an account I created for test purposes. It has a password, and I’ve added an email address to be used for verification purposes. Note that the two options under the “Additional security” heading — Passwordless account and Two-step verification — are both off.

Click “Add a new way to sign in or verify.” That opens the page shown here:


Use the second option to set up the Microsoft Authenticator app as a way to sign in.

Screenshot by Ed Bott/ZDNET

Step 2: Set up the Microsoft Authenticator app on your mobile device

Click the middle option, “Use an app.” If necessary, download and install the Microsoft Authenticator app on your mobile device and then click Next to display a QR code like the one shown here:


Scan this QR code to set up your Microsoft account in the Authenticator app.

Screenshot by Ed Bott/ZDNET

Open the Authenticator app on your mobile device, click the plus sign, and scan the QR code using the smartphone camera to add your new account. The result should look something like this:


After you make your account passwordless, the Change Password option will disappear.

Screenshot by Ed Bott/ZDNET

Step 3: Set up at least two other ways to sign in

The Authenticator app provides an easy way to sign in without a password. But what happens if you lose your phone? That’s when you need an alternative sign-in method. If you have two-step verification turned on, you’ll need two of these alternative methods to sign in.

  • Click “Email a code” to enter an alternate email address.
  • Click “Show more options” to display the option to enter a phone number where you can receive a code via SMS. In addition to your personal phone, consider adding the phone number that belongs to your spouse or partner, which gives you an extra alternative if your own phone is lost or stolen.
  • Choose the “Face, fingerprint, PIN, or security key” option to create a hardware-based passkey, using Windows Hello with face recognition or a fingerprint reader on a Windows PC, or an Apple iCloud Keychain passkey, using Touch ID on a MacBook. You can also use this option with a USB security key.
  • If your password manager supports this feature, you can create a passkey that syncs between devices. Dashlane, 1Password, and Bitwarden all support passkeys.

Step 4: Create a recovery code and save it in a secure location

Do not skip this step! This is your “In case of emergency, break glass” option.

Go back to the “Manage how I sign in” page from Step 1 and scroll all the way to the bottom of the page. Under the “Recovery code” heading, click the option to generate a new code. Print it out and save the code in a safe location. Consider sending a copy to a trusted family member who can stash it away in case you need it.

If all else fails, this code will make certain that you can recover your account. 

Step 5: Turn on the passwordless option

You don’t have to do this step right away. All of the passwordless options you set up (Authenticator app, passkeys, and so on) will work right away. Give yourself a week or two to make sure everything’s working as expected. When you’re ready, go back to the “Manage how I sign in” page, scroll to the “Passwordless account” section, and turn that option on.
