Microsoft is making a decisive move to phase out passwords by expanding its support for passkey-based authentication across its services. The shift is designed to improve both user security and sign-in experience, while pushing the broader ecosystem toward phishing-resistant methods.
For over a decade, Microsoft users have been able to log in with Windows Hello using face recognition, fingerprint, or a PIN. Today, over 99% of users sign in to Windows this way. Now Microsoft is going a step further by making passwordless sign-in the default path, especially for new accounts.
Passkeys, the new standard for passwordless authentication, work across devices, browsers, and platforms. They’re resistant to phishing and eliminate many of the risks tied to reused or weak passwords. Microsoft says this transition comes at a critical time. The company logged over 7,000 password-based attacks per second last year, largely targeting accounts still reliant on traditional credentials.
To make adoption easier, Microsoft is rolling out a streamlined sign-in and sign-up experience. New Microsoft accounts are now created without requiring a password, offering users several passkey options from the start. For those with existing accounts, it’s now possible to remove the password entirely from account settings.
The system will also automatically detect the strongest authentication method a user has set up and prompt them to use it. For example:
- If a user has both a password and a one-time code configured, they’ll be prompted to sign in using the one-time code instead.
- After logging in, they’ll be guided to enroll a passkey, which becomes the default method for future logins.
Microsoft says this layered transition not only enhances security but also reduces sign-in friction. Over time, as more users adopt passkeys, the company expects to eliminate password support altogether.
With password-based authentication remaining a key target for attackers, this marks a notable shift in how access controls are being redefined across Microsoft’s ecosystem—especially as phishing campaigns grow more sophisticated.