Microsoft Wants to Kill Passwords, Starting with Windows 10

Megalith

Back in May, Microsoft shared their vision of a world without passwords, and the company is already on its way to making that a reality in the next version of Windows 10: the latest Insider Build supports password-less accounts, which allow users to sign in using their phone and texted codes instead of a traditional passphrase. Users are only asked to re-enter a code if they sign in on a new PC.

You can now create a Microsoft account without a password. Instead, you just provide your phone number. When you sign into Windows 10 with that phone number, Microsoft will text you a code that you enter on the sign-in screen. After that, you can use Windows Hello to set up a PIN, fingerprint, or face login method. You never have to type a password—your account doesn’t even have one!
 
For a remote connection to work I have to enter my username and password to get redirected to Microsoft. I enter my password again, then I have to go to a two-phase lookup that requires a phone call or a connection to an Android app. Then I enter my password again. And finally, when connected to a site, I need to yet again enter the same password for some of the links. If it was not for password utilities I would go nuts.
 
This is scary, I don't have a cell phone. Anyway, giving someone your cellphone number is also an easy way to find your home address.

This stuff has serious privacy issues. (Well you can use phone of people you visit when you activate youtube upload...)
 
Instead of trying to kill off the password, Microsoft should work towards passwords that are made up of a bunch of random words.

No one is going to guess my password is GoldTurnHorseAnvil
 
I've used the MS authenticator SMS system before. It works darn well. Well until that one time when the MS authentication servers went down and it all came crashing down... Yeah I remember that day..... You need to authenticate Windows....
 
Honestly, I think this has greater implications, like buying a license per human rather than buying the OS itself with maybe a trans phase of eventually making people subscribe monthly for access to their accounts. It more than seems like with office and the current ecosystem as well as trends within the company that we may be heading down that path.
 
Honestly, I think this has greater implications, like buying a license per human rather than buying the OS itself with maybe a trans phase of eventually making people subscribe monthly for access to their accounts. It more than seems like with office and the current ecosystem as well as trends within the company that we may be heading down that path.
Not just scraping and selling consumer data, but also verifying and proving its authenticity is becoming big business. i.e. Ad revenue services provide real-time updates to vendors of which sites you are logged into. So it makes sense that Microsoft would want to corroborate identity and activity in real-time across multiple devices. It's potentially worth more than the software licence in the long term.
 
Not just scraping and selling consumer data, but also verifying and proving its authenticity is becoming big business. i.e. Ad revenue services provide real-time updates to vendors of which sites you are logged into. So it makes sense that Microsoft would want to corroborate identity and activity in real-time across multiple devices. It's potentially worth more than the software licence in the long term.

Agreed, but the law itself in many countries has yet to catch up with current technologies and business models, I have this great feeling like eventually that data must be anonymous and agnostic data that has zero PII will be regulated because at some point personal data laws will be constructed due to liability for breaches that is costing the country millions if not billions.
 
My company uses this type of 2 factor authentication from Microsoft. Every time I sign into my company email or enter my time for work I get spammed with text messages with the confirmation code. Extremely annoying system.

The cell phone has changed our world exponentially. Not all of it for the better.
 
OMG :shifty: SMS has been deprecated for use as a form of 2FA for a reason. Also, it's not clear in the article that this is for local accounts, only Microsoft Accounts, which to me is bad for those who are trying to log on while on public networks that have portal pages where you land first. I have a portal page set up that you have to agree to our terms first before you're allowed through but those who use Microsoft accounts to log into Windows can't log in because they can't get past the portal page to ACTUALLY LOG IN :confused: And their Authenticator app is trash. I don't see them allowing support for Google's anytime soon also.

Lastly, as far as I'm concerned SQRL is the way to go for passwordless site authentication


https://www.grc.com/sqrl/sqrl.htm
 
Well we all know how reliable cell phone numbers are at identifying people. It's not like you can just steal them out from under people or spoof them with cloned burners
 
After that, you can use Windows Hello to set up a PIN, fingerprint, or face login method. You never have to type a password—your account doesn’t even have one

How in the hell is a PIN not a password? It's just generally numbers and a smaller amount than many passwords. On top of that, it assumes one's cell phone is secure. Insert Bender "you're serious" gif here.
 
Didn't I just see two factor authentication is not secure either? A PC as a Christmas present insisted on Windows setting a PIN after sending a code to the cell phone. I am doubtful, but it seems everyone wants to go this way. Not just MS.
 
Using just SMS for authentication seems like a terrible idea. As we have seen several times in the past year just how easy it is to execute a port out.
 
Honestly, I think this has greater implications, like buying a license per human rather than buying the OS itself with maybe a trans phase of eventually making people subscribe monthly for access to their accounts. It more than seems like with office and the current ecosystem as well as trends within the company that we may be heading down that path.

But Microsoft is NEVER making Windows a subscription. Somebody here on the forum told me that many times, most recently in the comments to an article about Microsoft developing a Windows subscription.
 
I've been like that on Google for several years now. They just send me a message with a check in click, on my phone. I like it..
 
This is a ploy to gather even more information about you, now from your mobile.
The world is their oyster.
 
This is a ploy to gather even more information about you, now from your mobile.
The world is their oyster.

Ding ding ding!

MS doesn't actually care about security or making customers' lives better or really innovating anything - this is just more trying to ride Android and iPhone coattails and get their hooks into phones to siphon data any way they can, since they failed at their own so spectacularly.

No thanks.
 
But Microsoft is NEVER making Windows a subscription. Somebody here on the forum told me that many times, most recently in the comments to an article about Microsoft developing a Windows subscription.

Microsoft can try making it a sub, the problem is it will never fly with customers, before even I would have said that, the problem is now it's different Microsoft barely has staff working in the OS division and is more working on information services and alternative projects for a revenue stream they have 86% of the OS marketshare with no real competitors.

In reality I can see Microsoft offering the OS for a price or pay a sub for access, because I can 100% guarantee Enterprise will never go for this.
 
But Microsoft is NEVER making Windows a subscription. Somebody here on the forum told me that many times, most recently in the comments to an article about Microsoft developing a Windows subscription.

A few years ago, I would have agreed partially that it could go to a subscription model. But with their recent stuff, their adoption of open-source, and change of attitude towards Linux, it may just as easily go towards a "pay for support" model like a lot of Linux distributions do. I could see a "freemium" tier of the OS where it's free, but to get support, you have to pay and you can't turn off telemetry. They'd make up the license revenue with targeted ads, premium app placement, and other items.

What I don't like is locking a lot of features behind so many different SKUs with limitations. It's a nuisance. If I want Enterprise, let me buy Enterprise.
 
My company uses this type of 2 factor authentication from Microsoft. Every time I sign into my company email or enter my time for work I get spammed with text messages with the confirmation code. Extremely annoying system.

The cell phone has changed our world exponentially. Not all of it for the better.
I don't use a phone service and hate when sites like Twitter or Facebook require a phone number to verify it's not a spam account.
 
Microsoft Wants to Kill Passwords, Starting with Windows 10

Well they've already killed the desktop os, killing passwords should be a cinch.

No one is going to guess my password is GoldTurnHorseAnvil
But they'd easily guess [^WdGxh&7wcm!kQ286r+ ???
 
Wish Google would let us use 2fa keys but in normal mode (the higher hardened mode has too many limits, all I want is to be able to not use sms and email as an account recovery method as both are insecure and bypass my 2fa yes/no login or 2fa codes)

Be nice if Google would follow ms with no password sign in (unlock phone to use ms authenticator to press yes no) as I have to use email password then yes/no if 2fa is enabled (if yes no is only enabled I can use yes no)
 
Why is a 4-digit PIN more secure than a 10+ character complex password?

Because it gives Microsoft more access to your personally identifiable information and location info for marketing purposes.
 
I don't get it. Getting to a phone just takes longer. Get up, find phone, get phone. Unlock phone. Wait for message. Sometimes it can take 3 minutes to 12 hours to get a message. At this point most people will just turn off any kind of protection making the entire point moot.
 
Each person's DNA is unique to that person. What we need is a small device made by Microsoft and each time a password code is needed we just spit at the device
 
Microsoft defines security!!!! If only they knew what it means.
 
Each person's DNA is unique to that person. What we need is a small device made by Microsoft and each time a password code is needed we just spit at the device

Just don't kiss anyone goodbye before trying to sign in.

Seems like a lot of the alternatives to passwords involve extra steps that can go wrong. Instead try NOT forcing an email address as your account name? An account name of say AmberHorseKicksCat and a password of DeadBatterySucksBigtime will take a brute force approach a long time to crack.

When many database breaches provide lists of valid email addresses, it becomes fairly trivial to use that list matched with the top 10 list of passwords against sites that mandate account name = email address.
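
Added example, not part of the post above: the pattern it describes (a breached list of email addresses tried against a handful of common passwords) shows up in sign-in logs as one source failing against many distinct accounts, and this sketch flags it. The log format, function names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: timestamp, source IP, account name, result.
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 alice@example.com FAIL
2024-01-01T10:00:03 203.0.113.7 bob@example.com FAIL
2024-01-01T10:00:05 203.0.113.7 carol@example.com FAIL
2024-01-01T10:00:08 203.0.113.7 dave@example.com OK
2024-01-01T10:00:09 203.0.113.7 erin@example.com FAIL
2024-01-01T10:02:00 198.51.100.4 frank@example.com FAIL
2024-01-01T10:02:20 198.51.100.4 frank@example.com FAIL
2024-01-01T10:02:45 198.51.100.4 frank@example.com OK
"""

def parse(log):
    """Yield (timestamp, ip, account, result) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, ip, account, result = line.split()
        yield datetime.fromisoformat(ts), ip, account, result

def find_spraying(log, window=timedelta(minutes=5), min_accounts=4):
    """Flag source IPs whose failed sign-ins hit at least min_accounts distinct
    accounts within one window, and list accounts that then signed in OK."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order per source
        fails = [(ts, acct) for ts, _, acct, res in events if res == "FAIL"]
        for i, (start, _) in enumerate(fails):
            targeted = {a for ts, a in fails[i:] if ts - start <= window}
            if len(targeted) >= min_accounts:
                # A success from the same source after the spray began
                # marks an account whose password should be reset.
                hit = sorted({a for ts, _, a, r in events
                              if r == "OK" and ts >= start})
                findings[ip] = {"accounts_targeted": len(targeted),
                                "compromised": hit}
                break
    return findings

if __name__ == "__main__":
    print(find_spraying(SAMPLE_LOG))
```

A single user mistyping their own password (the second source in the sample) stays below the distinct-account threshold and is not flagged.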
 
This is scary, I don't have a cell phone. Anyway, giving someone your cellphone number is also an easy way to find your home address.

This stuff has serious privacy issues. (Well you can use phone of people you visit when you activate youtube upload...)


I cannot help but ask, who in this day and age in a western world does not have a cellphone? And I mean ANY cellphone, even a dumb call and text phone which is all this system needs? And for what reason?
 
It's incredibly frustrating that we continue to be tied to phone numbers. I don't want a phone number, period, I have no need for one other than these stupid authentication schemes.
 
 
My company uses this type of 2 factor authentication from Microsoft. Every time I sign into my company email or enter my time for work I get spammed with text messages with the confirmation code. Extremely annoying system.

The cell phone has changed our world exponentially. Not all of it for the better.

Why aren't you using the MS authentication app? You just click "approve" and you don't even have to enter anything.
 