Microsoft Touts New Phone-Based Login Mechanism

Microsoft announced this week it's giving users a new way to sign into their accounts without long and complicated passwords.

It likely won’t mark the death knell of passwords, but Microsoft announced this week it's giving users a new way to sign into their accounts without having to enter a lengthy combination of numbers, letters and characters.

The feature, which relies on users having access to their mobile phones, is based around Microsoft Authenticator, a two-factor authentication app the company announced last July and released last August.

The feature isn’t so much two-factor as it is one-factor, however.

To use it, users are encouraged to add their account to either the Android or iOS version of the app. When a user goes to sign into a Microsoft accounts property, they’ll be prompted on their device. Since the user has already entered their password in the Authenticator, it’s not needed. Instead, all the user needs to do is unlock their phone, tap “Approve,” and they’re granted access.

Alex Simons, the director of the company’s Identity Division, announced the news in a blog post Tuesday morning.

If a user misplaces, loses, or has changed their device, they can choose to log in with their password on the confirmation page, Simons says.

For now, the feature is only available on iOS and Android devices. Ironically, the feature is not yet available for Microsoft Authenticator for the Windows Phone. The company claims users of that version of the app comprise less than five percent of all active users. If those numbers change, Microsoft says it will add support later down the line.

The idea of having users rely on their devices for an extra layer of security has been catching on as of late.

Yahoo unveiled a similar tool, Account Key, for the company’s mobile apps last year. The company said at the time the mechanism was part of its aim to usher in a “password-free future.” The app displays a push notification when a user attempts to log in to one of their services. From there, the user taps through to log in.

Facebook added a feature in January that lets users tie a physical security key instead of a device to their accounts.

Unlike Microsoft’s feature, users still need their passwords to log in to the social network. After doing so, they’re instructed to tap on a security key, like Yubico’s YubiKey, to verify their identity.

Experts, like Tadd Axon, Microsoft Services Practice Lead at the IT consulting firm Softchoice, still believe that passwords aren’t going anywhere but think that tools like Microsoft’s Authenticator can help limit their usage.

“The new functionality in the Authenticator app to use biometrics (in the form of fingerprints from Apple’s Touch ID), one time codes, and even approvals for a notification from the app (on unlocked phones only, naturally) is a significant improvement over password-only authentication,” Axon told Threatpost Wednesday. “I view this as a big win for the average user: less reliance on just passwords to protect their identity, an easier sign-on experience, and it makes it measurably more difficult for a bad actor to compromise an account – even if they have the password.”
