Microsoft is rolling out significant changes to its Authenticator app, shifting away from traditional passwords in favor of more secure passkeys, a move that began this month and will continue through next month.
The most substantial change is set for next month, when all saved passwords will be removed from the Authenticator app. Users will then be required to exclusively utilize passkeys, which leverage authentication methods such as a PIN, fingerprint, or facial recognition. This transition is part of a broader industry trend towards enhanced digital security. Attila Tomaschek, CNET’s software senior writer and digital security expert, underscores the enhanced security offered by passkeys, stating that they present a significantly safer alternative to the current risky password habits prevalent among users.
A recent CNET survey revealed that a concerning 49% of U.S. adults engage in such insecure practices. Tomaschek elaborated, “Passwords can be cracked, whereas passkeys need both the public and the locally stored private key to authenticate users, which can help mitigate risks like falling victim to phishing and brute-force or credential-stuffing attacks.” This robust authentication mechanism is designed to provide a more resilient defense against cyber threats that commonly target weak or reused passwords.
The convenience of using the same password across multiple accounts or incorporating personal hints for easier recall introduces substantial vulnerabilities. Such practices dramatically heighten the risk of falling victim to scammers, identity theft, and financial fraud. Microsoft’s plan is designed to mitigate these prevalent risks by eliminating the reliance on traditional passwords.
The Microsoft Authenticator app currently serves as a central hub for housing passwords and facilitating logins to Microsoft accounts via PIN, facial recognition (like Windows Hello), or other biometric data such as fingerprints. Beyond merely storing credentials, the Authenticator can also verify logins if a password is forgotten or provide an essential extra layer of security through two-factor authentication for Microsoft accounts.
Microsoft ceased allowing users to add new passwords to Authenticator in June. According to Microsoft’s timeline, further changes are imminent. By July 2025, the autofill password function will be entirely disabled. Subsequently, in August 2025, users will completely lose access to any saved passwords within the app.
For those who prefer to continue using passwords despite these changes, Microsoft Edge remains an option for password storage. However, CNET experts strongly advise adopting passkeys during this transitional period, citing their superior security attributes. Tomaschek further explained, “Passkeys use public key cryptography to authenticate users, rather than relying on users themselves creating their own (often weak or reused) passwords to access their online accounts.” This fundamental difference makes passkeys inherently more secure.
A passkey, a credential developed by the Fast Identity Online (FIDO) Alliance, authenticates user identity and grants account access using biometric data or a PIN. This method, exemplified by using a fingerprint or Face ID to log in, is inherently safer than relying on passwords that are susceptible to guessing or phishing attacks. Unlike passwords, which are often stored on servers, passkeys are stored exclusively on the user’s personal device, enhancing security and eliminating the need for users to remember complex passwords or rely on password managers for everyday logins.
Setting up a passkey in Microsoft Authenticator is designed to be straightforward. In a May 1 blog post, Microsoft stated that the system would automatically detect and suggest the most suitable passkey setup as the default sign-in option. The process involves a prompt to sign in with a one-time code if a password and one-time code are already configured. Following a successful login, users will be prompted to enroll a passkey, which will then become the default sign-in method for subsequent access. To manually set up a new passkey, users can open the Authenticator app on their phone, tap on their account, select “Set up a passkey,” and then follow the prompts to log in with existing credentials to complete the setup.




