
Microsoft won't let customers opt out of passkey push

Enrolment invitations will continue until security improves


Microsoft last week lauded the success of its efforts to convince customers to use passkeys instead of passwords, without actually quantifying that success.

The software megalith credits passkey adoption to its enrolment user experience, or UX, which owes its unspecified uptake to unavoidable passkey solicitations – sometimes referred to as "nudges."

"We're implementing logic that determines how often to show a nudge so as not to overwhelm users, but we don't let them permanently opt out of passkey invitations," explained Sangeeta Ranjit, group product manager, and Scott Bingham, principal product manager, in a blog post.

The corporation's onboarding strategy seems to suit its corporate address: One Microsoft Way.

Ranjit and Bingham describe that strategy in a post titled "Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security." But they don't disclose how many customers love passkeys enough to actually use them.

They do reveal that the Windows maker's latest sign-in experience led to a 10 percent decline in password use and a 987 percent increase in passkey use. And they anticipate that given the reimagined sign-in experience, "hundreds of millions of new users will create and use passkeys over the coming months."

Microsoft did not immediately respond to a request to put a number on current passkey adoption.

It was only in May – on World Password Day no less – that Redmond made passkeys available to Microsoft consumer accounts. The biz at the time described the occasion as the culmination of a ten-year journey that began in 2015 with passwordless sign-in via Windows Hello and Windows Hello for Business.

But really the possibility of a future without passwords dates back a decade further – to 2004, when Microsoft co-founder Bill Gates predicted the death of the password at the RSA Security conference. It was wishful thinking at the time – password problems led to security breaches then, as they do today – though it now appears to be within the realm of possibility.

The Fast IDentity Online (FIDO) Alliance has been pursuing the same goal since 2013. With the W3C's WebAuthn standard and the FIDO Alliance's companion Client to Authenticator Protocol (CTAP), which together make up FIDO2, tech giants Apple, Google, and Microsoft gained a common means to implement passkeys. And they've begun doing so.

Apple introduced passkey support with iOS 16 and macOS Ventura in autumn 2022. Google followed in Chrome and Android, and brought passkeys to Google Accounts in May 2023. Microsoft introduced passkey support in Windows 11 version 23H2, and is starting to see more adoption thanks to its insistent UX design.

Passkeys rely on public key cryptography. When a user elects to create a passkey – or does so just to make the solicitations stop – the device acting as the authenticator (a PC, a phone, or a hardware security key) generates a key pair. The private key stays on that device, where its use is gated by the device's unlock mechanism (a biometric or a PIN) and typically backed by a TPM or secure enclave; synced passkeys are additionally backed up, end-to-end encrypted, through the platform's credential manager or a password manager. Only the public key goes to the server of the associated application (the relying party), and the key pair is bound to that site's domain, its relying party ID.

Thereafter, the user can log in more efficiently. Selecting an app's passkey login option prompts the server to send a fresh random challenge; the browser or OS forwards it, together with the origin the request came from, to the authenticator, which signs it with the private key once the user unlocks the device. The server checks that the challenge and origin match what it expects and verifies the signature against the stored public key. No password entry or separate 2FA step is required: the passkey already combines something the user has (the device) with something they know or are (PIN or biometric).

The benefit of this approach is that there's no secret stored on the server that can be compromised and stolen. Public keys need protection against tampering, not disclosure, so a breached credential database yields nothing an attacker can log in with and nothing to crack offline the way password hashes can be. And because each passkey is bound to a specific site's domain, and the browser refuses to use it for any other origin, credential reuse attacks aren't a thing: neither a lookalike phishing page nor a leak from some other service produces a credential that works here.
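To make the ceremony concrete, here is an added example, not code from Microsoft, the FIDO Alliance, or the blog post under discussion, that models the three roles described above in Go: an authenticator that keeps one private key per relying-party ID, a browser that enforces which RP ID a page may claim and records the real origin, and a relying party that stores only the public key and checks challenge, origin, RP ID hash and signature. The hosts (login.example.com and the lookalike login.example.com.evil.test) are made up, real WebAuthn messages are CBOR and JSON structures with more fields than shown, and the RP ID rule is simplified (no public-suffix list). It demonstrates both the legitimate sign-in and why a phishing host never obtains a usable assertion.

```go
// Added example, not Microsoft's or the FIDO Alliance's code: a stand-alone model of the passkey
// ceremonies described above (authenticator, browser, relying party). Hosts are made up.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type clientData struct { // mirrors clientDataJSON; the signature covers the hash of this document
	Challenge string `json:"challenge"` // base64url of the server's random challenge
	Origin    string `json:"origin"`    // the origin the browser actually observed
}

type Assertion struct {
	AuthData      []byte // SHA-256(rpID) || flags (real authenticatorData also carries a counter)
	ClientDataRaw []byte
	Signature     []byte // ECDSA P-256 over SHA-256(authData || SHA-256(clientDataJSON))
}

type Authenticator map[string]*ecdsa.PrivateKey // RP ID -> private key; keys never leave the authenticator

// Register is the enrolment step: only the public half of the new, RP-scoped key pair leaves.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a[rpID] = priv
	return &priv.PublicKey
}

// ClientGet plays the browser. Its RP ID rule makes passkeys phishing-resistant: a page may claim only
// its own host or a parent domain (simplified: no public-suffix list), so a lookalike never gets the key.
func ClientGet(a Authenticator, origin, rpID string, challenge []byte) (*Assertion, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host == origin || (host != rpID && !strings.HasSuffix(host, "."+rpID)) {
		return nil, errors.New("browser: " + origin + " may not use rpID " + rpID)
	}
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("authenticator: no passkey for " + rpID)
	}
	raw, _ := json.Marshal(clientData{base64.RawURLEncoding.EncodeToString(challenge), origin})
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(raw)
	authData := append(rpHash[:], 0x05) // flags: user present (0x01) | user verified by PIN/biometric (0x04)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{authData, raw, sig}, nil
}

type RelyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey // the only credential material held server-side; stealing it gives nothing to sign in with
}

// Verify checks challenge and origin (both under the signature), rpIdHash and flags, then the signature.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataRaw, &cd); err != nil {
		return err
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) || cd.Origin != rp.origin {
		return errors.New("challenge or origin mismatch (replayed or relayed assertion)")
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(as.AuthData) != 33 || string(as.AuthData[:32]) != string(want[:]) || as.AuthData[32]&0x01 == 0 {
		return errors.New("rpIdHash or flags mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataRaw)
	h := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, h[:], as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Scenario enrols a passkey, signs in from the real origin, then relays the same challenge through a
// lookalike phishing host, first claiming example.com's RP ID and then its own.
func Scenario() (legit, phishBlocked bool) {
	auth := Authenticator{}
	rp := &RelyingParty{rpID: "example.com", origin: "https://login.example.com"}
	rp.pub = auth.Register(rp.rpID) // enrolment: only the public key reaches the server
	c := make([]byte, 32)
	rand.Read(c) // the server's random challenge
	as, err := ClientGet(auth, rp.origin, rp.rpID, c)
	legit = err == nil && rp.Verify(c, as) == nil
	_, e1 := ClientGet(auth, "https://login.example.com.evil.test", rp.rpID, c)   // browser refuses RP ID
	_, e2 := ClientGet(auth, "https://login.example.com.evil.test", "evil.test", c) // no key for evil.test
	return legit, e1 != nil && e2 != nil
}
```

Scenario() returns (true, true): the genuine origin verifies, and the lookalike host is stopped twice, once by the browser (it may not claim example.com as its RP ID) and once by the authenticator (it holds no passkey for evil.test). Both phishing attempts fail before any signature exists; the server's challenge and origin checks in Verify are the second line of defence against a malicious or buggy client, and they also reject an assertion replayed against a later challenge.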

Passkeys are not foolproof though. A compromised device might expose private keys, or at least let malware on an unlocked device trigger sign-ins even when the keys are hardware-bound and can't be extracted; a synced passkey is only as secure as the cloud account that syncs it; and a successful social engineering attack could dupe a user into creating a passkey for a malicious service.

There are also potential problems if the user loses access to a device that stores passkeys: another means of authenticating to a passkey-linked service would be required, which might involve passwords or a more involved recovery process, and that fallback path rather than the passkey itself then becomes the weakest link. Also, passkey portability between credential providers (across platforms or password manager applications) is still a work in progress; the FIDO Alliance published draft Credential Exchange specifications for it in October 2024.

At the 11th annual FIDO Tokyo Seminar last week, the FIDO Alliance declared, "More than 15 billion online accounts can use passkeys" – which does not mean that many are actually doing so. The group also claims that Google has reported 800 million Google Accounts now use passkeys, which is up from the 400 million figure Google reported in April. The folks at FIDO further observed that Amazon has rolled out passkeys and now has 175 million accounts using the technology.

Microsoft is apparently on its way to a billion passkey users and the eventual elimination of passwords – but hasn't revealed its progress. Given enough persistent, unavoidable passkey enrolment notifications, it's only a matter of time. ®
