Microsoft is taking bold steps to move users away from traditional password-based security toward a more secure authentication method called passkeys, as cyber attacks continue to surge.
The tech giant reports blocking an alarming 7,000 password attacks every second, nearly double the figure from last year. Phishing attacks have also jumped by 146% year-over-year, highlighting the growing vulnerability of password-based security.
Passkeys offer enhanced protection by storing private cryptographic keys locally on users' devices rather than on potentially vulnerable servers. Instead of typing passwords, users can simply verify their identity through biometric methods like facial recognition or fingerprint scanning.
This new approach makes unauthorized access extremely difficult since attackers would need both physical possession of the device and the user's biometric data. As an added benefit, users no longer need to memorize, write down, or manage complex passwords.
Microsoft has gradually introduced passkey support across its ecosystem, including Xbox, Microsoft 365, and Microsoft Copilot as of May 2024. The company strategically prompts users to adopt passkeys during key interactions like account creation and password resets.
Testing revealed that marketing messages emphasizing passkeys as "more secure" and "faster" resonated well with users, achieving click-through rates of 24% and 27% respectively. The company also cleverly designed the opt-out option as "Skip for now" rather than allowing complete rejection.
Looking ahead, Microsoft aims to completely phase out passwords in favor of a passwordless experience using phishing-resistant credentials. The transition will take time and involves steps like making passkeys the default and eventually ending password support altogether, but the company's message is clear: the future of authentication lies in passkeys.
The move represents a major shift in how users will secure their digital accounts, prioritizing both enhanced security and improved user experience in an increasingly threatening cyber landscape.