What's happening with passwords at Microsoft? That's the question many will be asking as a slew of password-related announcements land. Passwords are suddenly disappearing from Windows accounts. Long-since expired passwords can be used to unlock Windows accounts, and attackers are using password-spraying attacks to compromise Microsoft accounts.
The Microsoft Authenticator app has been more than just a 2FA code generator for quite some time now. Indeed, many would argue that it has been gradually positioned as the default password manager for Microsoft users, given that it can save passwords and autofill them across both Android and iOS platforms.
But that house of password cards, dear reader, is about to come crashing down as Microsoft announces a dramatic shift in security emphasis from app to browser. Starting June 1, users of the Microsoft Authenticator app will no longer be able to save any new passwords. In July, Microsoft will phase out the use of autofill in the app, and from August, “your saved passwords will no longer be accessible in Authenticator,” Microsoft has said.
The app will continue to support passkeys, however, and Microsoft has advised that “if you have set up Passkeys for your Microsoft Account, ensure that Authenticator remains enabled as your Passkey Provider.” If you disable Authenticator, you will also disable your passkeys.
Passkey technology is not some new thing that has just appeared out of the ether, although the slow and painful journey to provider enablement and user acceptance does make it seem that way. In fact, the initiative was launched in 2012 with the foundation of the FIDO Alliance, supported by Apple, Google and Microsoft.
“Every passkey is made up of two halves: a private key and a public key,” said Katherine Holdsworth, a partner group product manager at Microsoft. “The private key is stored securely on your device, while the public key can be shared with the website you're trying to access.”
“There's no doubt about it, the password era is ending,” said Katherine Holdsworth, a partner group product manager at Microsoft. “Bad actors know it, which is why they're desperately accelerating password-related attacks while they still can.”
For Windows 11 users, this will mean being able to “navigate to a website that supports passkeys and get prompted to select how you want to save your passkeys,” said Katherine Holdsworth.
Microsoft Authenticator Was Never A Genuine Password Manager — Start Using An App That Is
Let's be honest here, folks: the Microsoft Authenticator app was never a password manager in the accepted sense of the word. It was a code-generating authentication app, that's it.
You can't turn a bush into a Christmas tree just by adding tinsel. I’m sure I will ruffle a few feathers here, but purely browser-based password vaults aren’t proper password managers either.
There's no real reason for you to use your browser in this way when a dedicated password manager application can not only autofill your credentials when logging in to an account, but can also support passkeys and generate 2FA codes, thank you very much.
As someone who made the switch from a Microsoft Windows and Google Android ecosystem to the Apple one for my primary work usage a few years ago, I can heartily recommend Apple’s own Passwords app.
This supercharges existing login management provided by the iCloud Keychain, syncs across devices, generates 2FA codes and supports passkeys. It is free to use and competes very nicely with other password managers, provided you are using Apple platforms and don’t want too many additional features outside of the basic essentials of credentials management.
If you do want a bit more by way of additional feature sets and cross-platform usage, then I’d recommend 1Password, which I use with my Windows and Android devices. It’s not free, but it is feature-packed and has been a long-time player in the industry, which means you can trust your passwords and your data with it, no matter what operating system or machine you are on.