
ZDNET Highlights
- Free Microsoft accounts can use a passkey instead of a password.
- Passwordless sign-ins are more secure and highly phishing-resistant.
- Set up multiple sign-in and recovery options before going passwordless.
These days, I am very popular in Russia, Ukraine, Moldova, Bosnia-Herzegovina and even Albania. At least, that’s what it looks like based on this list of recent attempts to sign in to my Microsoft account. (That list is available for any Microsoft account on the management page at https://account.Microsoft.com: after signing in, click Security and then click “View my sign-in activity.”)
What these attackers don’t know is that every password for this passwordless account is wrong.
Screenshot by Ed Bott/ZDNET
In my case, they are desperate hackers wasting their time. They could try every combination of letters, numbers, and symbols in every alphabet known to humanity, even if it took until the end of the universe, and they would never be able to guess my Microsoft account password.
Also: What exactly are passkeys? Simple explanation – for anyone tired of passwords
Why am I so confident? Because, long ago, I chose to make that account password-free.
The only way to access services associated with my Microsoft account is through a passkey that uses biometrics or a device PIN on a Windows PC or mobile device I’ve previously set up. If a stranger wants to sign in to my account on a new device, they have to convince me to approve that sign-in using a device I own and control. (Sorry, Ivan: the answer to unsolicited requests from Russia is no.)
Should you switch from password to passkey?
Microsoft wants you to do what I did and remove your password.
In early 2025, the company introduced a new user experience that is “optimized for a password-free and passkey-first experience.” These new features can be used with any free Microsoft account. (Administrators of Entra ID accounts, which are used for Microsoft 365 business and enterprise subscriptions and for signing in to corporate networks, can remove the option for users to sign in with a password, but the account password cannot be removed completely.)
Also: Best VPN Services 2025: Our Top Picks for Speed and Security
So, should you do it? For most people the answer is yes.
Removing your password dramatically increases the security of your Microsoft account and makes it far more resistant to phishing attacks. Once you remove your password, the only way to sign in to the account is to prove your identity using biometrics (fingerprint or facial recognition), a hardware security key, or a syncable passkey saved in a password manager.
You also have the option to respond to push notifications on a trusted device, as shown here.
The default method for signing in to a passwordless Microsoft account is the Authenticator app on a device you own.
Screenshot by Ed Bott/ZDNET
The only technical reason not to make this change is if you use older apps or hardware devices that don’t support modern authentication methods: Office 2010 or earlier, Office for Mac 2011 or earlier, Xbox 360, or a PC running Windows 8.1 or lower. You will also face problems if you use the Remote Desktop feature to connect to another PC using your Microsoft account.
ALSO: Windows 11 users have found a more convenient way to store passkeys – here’s how it works
Going passwordless isn’t a step to take lightly. With that added security comes the increased risk that you’ll lock yourself out of your account. You can reduce that risk by making sure you have multiple secure ways to access your account before removing your password.
How to replace your Microsoft account password with a passkey
Before you begin, download and install the Microsoft Authenticator app on your mobile device. It is available on the App Store for iPhone and Google Play store for Android phones.
Ready to get started? Let’s go. Oh, and don’t skip step 5.
Using a browser on a Windows PC or Mac, go to your Microsoft account management page at https://account.Microsoft.com and sign in using your password. Click the Security tab and then click “Manage how I sign in.” This will open a page similar to the one shown here:
Add at least two ways to prove who you are. An authenticator app and an email address are your best options.
Screenshot by Ed Bott/ZDNET
This is an account I created for testing purposes. It has a password, and I’ve added an email address to use for verification purposes. Note that two options under the “Additional Security” heading – Passwordless Account and Two-Step Verification – are both turned off.
Click “Add another way to sign in to your account.” This opens the page shown here:
Use the second option to set the Microsoft Authenticator app as the way to sign in.
Screenshot by Ed Bott/ZDNET
Click the middle option, “Use an app.” This gives you two options. The Microsoft Authenticator app relies on push notifications; you can also set up a classic time-based one-time password (TOTP) authenticator that generates a six-digit code you provide upon request.
Also: 10 Passkey Survival Tips: Prepare Now for Your Passwordless Future
Click Next to display the QR code shown here:
Scan this QR code to set up your Microsoft account in the Authenticator app.
Screenshot by Ed Bott/ZDNET
Open the Authenticator app on your mobile device, click the plus sign in the upper right corner and select the Personal Account option. Scan the QR code using the smartphone camera to add your new account. The result should look something like this:
After making your account password-free, the Change Password option will disappear.
Screenshot by Ed Bott/ZDNET
If you prefer to use another TOTP app, such as Authy or Google Authenticator, click “Use an app.” In the “Set up Microsoft Authenticator” dialog, select the option to set up a different authenticator app. This generates a QR code that seeds a standard six-digit TOTP code, which you enter when you need to authenticate.
Note that you can also use this option with Microsoft Authenticator. Choose the option to set up a separate app and then add the account to Microsoft Authenticator using the provided QR code. This will result in two entries: one that uses push notifications, the other that uses TOTP codes.
Your work is not done yet. To avoid being locked out of your account, you’ll need at least two other ways to sign in.
If your Windows PC or Mac supports biometric authentication, you can use that method to create a device-bound passkey.
Click “Add another way to sign in to your account” again and select the “Face, fingerprint, PIN, or security key” option to create a passkey that’s tied to that biometric hardware using Windows Hello with facial recognition or a fingerprint reader on a Windows PC, or an Apple iCloud Keychain passkey using Touch ID on a MacBook. You can also use this option with a USB security key.
After setting it up, you’ll sign in using a dialog like this:
You can sign in to a Microsoft account using a passkey associated with Windows Hello, using your face or fingerprint.
Screenshot by Ed Bott/ZDNET
If you have a PC running the latest release of Windows 11, you can also use Windows Hello to create and save passkeys for other sites and services. For most third-party sites, the passkey is an additional option you can use instead of a password, not a full replacement, as it is for a passwordless Microsoft account.
From the dialog in Step 1, select at least one of the following options as an additional sign-in method.
- Click “Email a code” to enter an alternate email address (not tied to your Microsoft account!) where you can receive a code.
- Click “Show more options” to display the option to enter a phone number where you can receive a code via SMS. In addition to your personal phone, consider adding a phone number that belongs to your spouse or partner, which gives you an additional option if your own phone is lost or stolen.
- Select “Use an app” and set up a non-Microsoft authenticator app as described in Step 2. (Consider setting up that app on a phone other than your primary phone, if possible.)
- If your password manager supports this feature, you can also create a syncable passkey that you can use on any device where you’re signed in using that software. Dashlane, 1Password, and Bitwarden all support this feature.
Also: Best Password Managers of 2025: Expert Tested
This is your “in case of emergency, break the glass” option.
Go back to the “Manage how I sign in” page from Step 1 and scroll to the bottom of the page. Under the “Recovery Code” heading, click on the option to generate a new code. Print it and save the code in a safe place. Consider sending a copy via email to a trusted friend or family member who can have it handy if needed.
If all else fails, this code will ensure that you can recover your account.
You don’t have to do this step right away. All passwordless options you set up (Authenticator app, passkey, etc.) will work immediately. Give yourself a week or two to make sure everything is working as expected. When you’re ready, go back to the “Manage how I sign in” page, scroll down to the “Passwordless account” section, and turn on that option.
Also: I’m replacing my password with a passkey for a reason – and it’s not what you think