Microsoft Deadline—72 Hours To Stop Using Your Passwords

Do not leave this too late.
The “password era is ending,” Microsoft has warned its billion users, confirming that it wants all those users to delete their passwords given that account attacks are now surging. As part of this change, a 72-hour deadline means you must act now.
On the surface, Microsoft’s decision to delete any passwords you have stored in its Authenticator app is straightforward. “You can continue to access them,” it says, “with Microsoft Edge, a secure and user-friendly AI-powered web browser.”
The Authenticator app “will continue to support passkeys,” which has been overlooked as the password deletion warning has grabbed the headlines. Microsoft doesn’t want you to move your passwords, it wants you to replace them with passkeys where you can. So don’t move your passwords; stop using them and use passkeys instead.
Just as with Google’s warning to Gmail users, Amazon’s warning to Prime users, and Microsoft’s own warning to all its users, this is the time to make that change. All these major providers support passkeys, and you should add them now.
“If you have set up Passkeys for your Microsoft Account,” you must “ensure that Authenticator remains enabled as your Passkey Provider. Disabling Authenticator will disable your passkeys.” Microsoft has already killed its autofill password capability.
So while some of your passwords cannot be replaced with passkeys and need to be moved, where accounts do support passkeys, you should take this opportunity to stop using those passwords and upgrade the security on the accounts instead.
And before blindly moving passwords to Edge, you should also bear in mind the security risks in using browser-based password managers. A standalone app is best, ensuring a fire-gap between the websites you visit and the passwords you have saved.
“While enrolling passkeys is an important step,” Microsoft says, “it’s just the beginning. Even if we get our more than one billion users to enroll and use passkeys, if a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing. Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials.”