Microsoft is eliminating passwords for new users by default starting in May 2025, shifting instead to passkeys and email-based one-time codes for authentication. The move comes in response to a 200% spike in cyberattacks targeting passwords, including phishing and credential stuffing.
Passwords have long been a weak link in security, with over 80% of attacks exploiting stolen or weak credentials. Vasu Jakkal, Microsoft’s corporate vice president for security, compliance, identity, and management, explained the rationale: “The traditional password is increasingly vulnerable. Passkeys offer stronger protection by removing the password entirely from the authentication process.”
Passkeys will become the default for new accounts. A passkey is a FIDO credential built on public-key cryptography: the private key is generated and kept on the user's device, and the service stores only the matching public key, so a leak of the service's credential store exposes nothing an attacker can sign in with. Signing in means unlocking that private key locally, with a biometric such as Windows Hello face or fingerprint recognition or with a device PIN, and using it to sign a challenge from the service. According to Microsoft, early testing showed passkey sign-ins are three times faster than password sign-ins. For accounts where a passkey has not yet been set up, an email-based one-time code serves as the fallback.
A Phishing-Resistant Future
The shift aligns with Microsoft’s broader push toward passwordless authentication, which began in 2021 when it first allowed users to remove passwords from their accounts. Since March 2025, the company has rolled out redesigned sign-in screens using its Fluent 2 design language, setting the stage for this latest update. The rollout now extends to over 1 billion users.
Passkeys follow the FIDO Alliance's FIDO2/WebAuthn standards, which is what makes them interoperable across platforms, and they work across Microsoft services including Outlook, Xbox, and Microsoft 365. The biometric used to unlock a passkey is checked on the device and never sent to Microsoft; the service holds only a public key. That removes the central biometric database that would otherwise be a leak target, and a stolen public key cannot be used to sign in.
What About Existing Accounts?
Existing Microsoft account holders can still use passwords, but the company is encouraging them to switch to passkeys via security settings. Options include Microsoft Authenticator, Windows Hello, or physical security keys. While Microsoft plans to eventually phase out passwords for all users, no concrete timeline has been announced.
Some concerns remain, particularly around device dependency. Losing the phone or computer that holds a passkey could lock a user out, though recovery options such as email one-time codes and backup codes remain available. That fallback is also the main caveat. Passkeys themselves are phishing-resistant because the signature is bound to the site's origin, but an emailed one-time code is a bearer secret that a phishing page can simply ask for and relay, so an account is only as phishing-resistant as its weakest enabled sign-in or recovery path. A passkey synced between devices is also only as safe as the platform account that syncs it. Biometric data, by contrast, is not a central exposure: it stays on the device and is used only to unlock the private key.
Microsoft’s move reflects a broader industry trend toward passwordless authentication, as companies seek to balance security with convenience. Whether this marks the beginning of the end for passwords altogether remains to be seen, but for new Microsoft users, the change is already here.
- Educate employees on the authentication shift and passkey setup.
- Audit sign-in flows, MFA policies, and identity integrations for compatibility with passwordless methods, and review which recovery paths remain enabled.
- Monitor Microsoft’s updates for phased implementation details.
As cyber threats evolve, abandoning passwords might just be the necessary next step.