In a significant turn towards a passwordless future, Microsoft has announced groundbreaking strides in adopting passkeys, a secure and user-friendly alternative to traditional passwords.
With an alarming increase in password-related cyberattacks rising to 7,000 blocked password attacks per second and a 146% uptick in adversary-in-the-middle phishing attempts, Microsoft is championing a shift to passkeys to enhance security and improve user experience.
“Passkeys not only offer an improved user experience by letting you sign in faster with your face, fingerprint, or PIN, but they also aren’t susceptible to the same kinds of attacks as passwords. Plus, passkeys eliminate forgotten passwords and one-time codes and reduce support calls,” Microsoft said.
The Rise of Passkeys
Passkeys represent a transformative leap in authentication: a cryptographic credential bound to the user’s device and unlocked with biometrics such as facial recognition or a fingerprint, or with a PIN. Unlike traditional passwords, passkeys resist phishing and brute-force attacks, eliminate the frustration of forgotten passwords, and reduce dependence on one-time codes and support calls.
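Why a passkey holds up against the adversary-in-the-middle phishing cited above, as an added example that is not Microsoft’s code or part of the original article: a stdlib-only Python simulation of the WebAuthn assertion flow. The relying-party ID `login.example`, the look-alike domain, and the HMAC stand-in for the authenticator’s asymmetric signature are assumptions made so the example runs offline.

```python
import hashlib, hmac, json, secrets
from urllib.parse import urlparse

RP_ID = "login.example"                 # constructed relying-party ID
RP_ORIGIN = "https://login.example"

class Authenticator:
    """Toy passkey store with one credential per relying-party ID.
    HMAC-SHA256 with a per-credential secret stands in for the real
    asymmetric signature (an assumption so the example runs on stdlib)."""
    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]        # the RP stores this as the "public key"

    def get_assertion(self, origin, challenge):
        # Like a browser, derive the RP ID from the page actually visited, so a
        # look-alike domain never unlocks the credential of the real site.
        rp_id = urlparse(origin).hostname
        if rp_id not in self.creds:
            return None
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.creds[rp_id], signed, hashlib.sha256).digest()
        return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def verify_assertion(stored_key, expected_challenge, assertion):
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if (cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge
            or cd.get("origin") != RP_ORIGIN):
        return False
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(stored_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def login_via(auth, key, origin):
    challenge = secrets.token_hex(16)   # fresh per login; the RP remembers it
    return verify_assertion(key, challenge, auth.get_assertion(origin, challenge))
```

A relayed challenge signed on a look-alike page either produces no assertion at all or one whose origin and rpIdHash the real site rejects, which is the property a password relay attack lacks.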
According to a Microsoft report, signing in with a passkey is three times faster than using a traditional password and eight times faster than a password combined with multifactor authentication.
Microsoft’s commitment to passkeys is part of a broader vision to eliminate passwords altogether. “Passkeys allow us to replace passwords with something faster, safer, and easier to use,” the company stated, emphasizing its goal of a phishing-resistant future.
A Journey Towards Large-Scale Adoption
The journey to popularize passkeys began in May 2024, when Microsoft enabled users to sign in to services like Xbox, Microsoft 365, and Microsoft Copilot using the new technology.
Introducing passkeys to over a billion global users required Microsoft to navigate significant challenges, including reshaping familiar user behaviors. To succeed, the tech giant adopted a three-step strategy: starting small, experimenting, and scaling up.
Microsoft first integrated passkey enrollment into the Microsoft account settings page and sign-in options. Users were offered intuitive choices such as enrolling biometric credentials or using security keys.
This phased rollout allowed the company to gather insights and refine the user interface (UI) to ensure clarity. For example, while the term “passkey” was unfamiliar to some, associating it with familiar concepts like “face, fingerprint, or PIN” boosted comprehension.
Experiment and Improve
To accelerate adoption, Microsoft shifted from a passive to an active approach, proactively nudging users to enroll passkeys at optimal moments, such as after signing in or during a password reset.
This approach proved immensely successful, with 25% of users engaging with invitations to enroll—a figure five times higher than initial expectations.
Moreover, messaging that highlighted either speed (“Sign in faster with a passkey”) or security (“Sign in more securely with a passkey”) resonated more strongly with users than emphasizing ease of use.
With millions of users enrolled in passkeys, Microsoft has redesigned its entire sign-in experience to prioritize this method. If a passkey is available, it automatically becomes the default option, simplifying access.
Passkey enrollment is integrated into account creation for new users while existing users are prompted to adopt passkeys during key moments like password resets.
This strategic redesign has yielded remarkable results: a 10% drop in password use and a staggering 987% increase in passkey adoption. Microsoft projects that millions of users will adopt passkeys in the coming months.
Microsoft acknowledges that achieving a passwordless future involves more than just enrolling users in passkeys. As long as accounts allow both passwords and passkeys, vulnerabilities remain. The ultimate goal is to phase out passwords entirely, enabling only phishing-resistant methods for authentication.
Since 2022, Microsoft has enabled users to delete passwords from their accounts entirely, opting for secure alternatives like biometrics or physical security keys. Now, with the scalability of passkeys, the company is closer than ever to making passwords obsolete.