September 25, 2021
There is no denying that password is a necessity in our digital lives. We use passwords as a critical security layer to protect our various accounts.
However, passwords are not secure in many cases for two main reasons:
Users are not good at choosing passwords, and they tend to use weak passwords for convenience. For example, they reuse the same password for different accounts.
Hackers can steal user passwords with various technologies or tools, like dictionary-attack, phishing, and rainbow table.
Security experts have long realized that using passwords to authenticate users is not good enough. They have been trying to create better methods to replace passwords.
As early as 1999, Microsoft launched the Passport authentication service to replace passwords, but it was abandoned a few years later due to its serious flaws. A decade ago, Bill Gates ever predicted that passwords would be dead soon.
Until recently, Microsoft finally started to "kill" passwords and let users remove passwords from their Microsoft accounts.
Install Microsoft Authenticator app on your phone and link it to your Microsoft account.
Sign in to your account on Microsoft website, choose "Advanced security". Under "Additional security", you'll see "Passwordless account". Select "Turn on".
Next time you sign in to your Microsoft account, you need to approve the notification on your phone. Nice!
Yes, you'd better do that for security and convenience.
Once hackers or bad guys know your password, they can sign in to your account if you use a password to log in. While if you remove your password, they need to get your phone and unlock it to approve the sign-in notification, which is much more difficult.
You cannot back up the passwordless sign-in of Microsoft Authenticator app. If your phone is broken or lost, you will not be able to approve the sign-in request.
In this case, you have to go through Microsoft identity verification process to reset your password.
One method to reset your password is to receive a security code with the backup email address or phone number. However, that means the security of your Microsoft account is no better than another email service or SMS. It does not solve the problem but changes to another problem.
The security of email and text messages may not be as good as you think.
In 2015, NetEase, email service in China, leaked over 100 million data. Check this out Wuyun exposed NetEase mailbox over 100 million data leak! Is it useful to change the password?
Some reports have shown that the SMS authentication mechanism also has serious security issues. Check this out Why You Shouldn’t Use SMS for Two-Factor Authentication (and What to Use Instead)
If you have turned on two-step verification before, you need to receive verification codes twice.
If you can't receive the security code because your email is hacked or your phone is lost, etc., continue to click "I don't have any of these".
Another method to reset a password is to enter the recovery code. But did you really write down your recovery code before? Maybe some users even don't know what the recovery code is.
If you have forgotten your recovery code, continue to click "No".
If the above two methods do not work, you have to contact Microsoft to recover your account. However, if you have previously turned on two-step verification, you can't recover your account this way.
For more details, check out How to Reset & Recover Microsoft Account.
When trying out the passwordless experience, our team also found that we sometimes could not remove the password. For example, the "Request wasn't sent" dialog kept popping up on clicking "Turn on Passwordless account".
If you have decided to remove your password, we have some suggestions for you:
If you use two mobile phones, install Microsoft Authentication app and link it to your account on all your phones, in case your phone is broken or lost.
Enable two-step verification and keep your recovery mailbox secure.
Email communication is a clear text form for email service providers, which means that a verification option of resetting passwords is held by some people you don't know. So make sure to enable two-factor verification for your account.
Set a TOTP(time-based one-time password) verification code and save it in an authenticator app that supports backup.
It is not recommended to use cloud synchronization products without end-to-end encryption, because the developer can peek at your data, which means a verification option of resetting passwords is held by some people you don't know, too. What's more, we need to figure out whether the end-to-end encryption technology used by the developer can be verified. After all, even big companies like Facebook do not do it as claimed. Check this out WhatsApp Censors User Messages, End-to-End Encryption Cannot Be Verified?. TOTP only needs time synchronization but not the network, so it is best to use a true offline app to save it.
Save the recovery code well. You can write it down on paper, then keep it at home, or store it in a password manager with a good encryption design. Check out The Evolution of Password Manager (2/4)