How to set up a security key for your Microsoft Account
Microsoft introduced password-less sign-in functionality in the Microsoft Edge browser in the October 2018 Update for Windows 10.
The new security feature unlocks options to sign in to Microsoft services without having to enter a password; the functionality is currently restricted to Microsoft Edge and to Microsoft services such as OneDrive, the Microsoft Store, Outlook, or Skype.
Microsoft Edge supports two main password-less authentication methods: Windows Hello and FIDO2-based security keys.
Windows Hello is not a new service; Windows 10 users may use it to sign in to their accounts on devices running Windows 10. Support is extended to Microsoft Edge in Windows 10 version 1809 to enable password-less sign-ins using Windows Hello.
Microsoft added support for FIDO2-based security keys in the new feature update as well. Windows users may use a security key, e.g. from Yubico or Feitian Technology, to sign in to Microsoft Accounts in Microsoft Edge. The features that security keys need to support are listed on the Microsoft Docs website.
FIDO2-based security keys may be plugged into USB ports of Windows 10 devices.
Setting up the new authentication options
Microsoft does not explain how to set up a security key or Windows Hello for signing in to Microsoft services in Microsoft Edge in the announcement itself on the Windows blog, but you can find instructions on the Microsoft 365 blog.
Here is how you set up the new security feature:
- Open the following link in Microsoft Edge: https://account.live.com/proofs/manage/additional?mkt=en-US&refd=account.microsoft.com&refp=security
- Note: you can open the link in another browser but may get the message that "Your browser or operating system does not support this".
- You may be asked to sign in to your Microsoft Account.
- Scroll down to the Windows Hello and security keys section on the page.
- Select "Set up a security key" if you want to use a FIDO2-based security key for sign-ins using Edge.
- Select "Set up Windows Hello" if you want to use Windows Hello for that instead.
- You may be asked to sign in to the Microsoft Account (again).
- Follow the instructions from this point forward to set up your preferred sign-in method in Edge.
Microsoft displays instructions on the next page. If you selected to set up a security key, Microsoft explains that you either need to plug it in and press the gold circle on the device if it is connected via USB, or hold it close to the NFC reader and press the gold circle button if it is using NFC.
Connect the security key when asked to do so and follow the on-screen instructions to complete setup. You may use the new authentication method from that moment on when signing in to Microsoft services using the Edge browser.
The next time you sign in using Microsoft Edge, select More Options > Use a security key to sign in with the key.
Microsoft believes that the password era is coming to an end and that password-less authentication methods such as Windows Hello or security keys are the way forward.
The functionality is quite limited at this point in time as it supports only Microsoft online services and requires that users use Microsoft Edge.
Some password managers, for example LastPass, support security keys as well. We reviewed the first Yubico device in 2010.
Microsoft plans to introduce the same authentication functionality for work and school accounts in Azure Active Directory next year.
Now You: what is your preferred sign-in method?
What a load of rubbish! It’s just one more way to gather data on you, and introduce pointless features – in a pointless browser that almost nobody uses – instead of concentrating on security and stability, and the important basics.
The main issue that I see is that it is quite limiting: you need to use Edge and it works only with your Microsoft Account.
Microsoft and the word SECURITY shouldn’t be used in the same sentence……
Nonsense. Using a Yubico to send a one-time password that changes minute to minute is exactly the same tracking risk as sending a password that changes once a month (or less frequently). This is only for authenticating to Microsoft sites, so it’s not like it’s spreading your presence around either.
The only disappointing part is that it’s Edge only.
MS could encourage sites to use tagging scripts, similar to FB ‘Likes’, which would allow MS to associate browsing history with very high accuracy.
That risk exists completely independently of passwordless authentication.
You probably DO NOT want to involve Microsoft in anything security access related.
If you need to log in to Microsoft, for instance because your team uses Visual Studio Team Services, then you have to authenticate to them. Using a Yubico instead of a password means that to impersonate you someone needs to steal a physical item instead of just watch you type.
@Ross Presser: “If you need to log in to Microsoft, for instance because your team uses Visual Studio Team Services, then you have to authenticate to them”
If my workplace requires me to use a Microsoft account, then it’s up to my employer to set the authentication requirements, and I’ll just use whatever method they require. No skin off my nose either way — it’s my employer’s account and business, not mine.
For my own personal purposes, I literally cannot think of any reason why I’d have a Microsoft account in the first place.
Now Microsoft only has to make a stable OS to support this tech. “Support extended to 1809” – I don’t remember 1809 getting released.
Cams with face recognition software everywhere we go, for commercial exploitation or directly connected to the police, are the near future. People are not yet ready for legally enforced fingerprinting and face scanning of the whole population, but Microsoft and friends will make this nightmare happen sooner than expected with biometric identification. The usual ones will object that this dystopic problem has to be weighed against the convenience of not having to remember a password.
It’s not the first time I hear Microsoft saying that passwords are going away. They say the same thing every few years.
“what is your preferred sign-in method?”
I prefer passwords. I am much more rigorous about how I use passwords than most people are willing to be, which makes them a better option for me than any of the alternate authentication schemes that I’m aware of.
@John – my feelings entirely the same as yours. I am also willing to be more rigorous than most, and far prefer a password.
Also, my webmail provider (I also use a Client for it) is trying to push other forms of authentication, including SMS. Trouble is, if they do that (and force it), then I will never be able to login, as there is next to no cell phone signal where I live. I would literally have to drive up the road to get the code. By the time I get back, it probably will have expired.
Why do humans constantly feel the need to over-complicate things? They are dumbing down for the masses, that’s why. Those of us that administer things well, don’t need over complications!!
It’s sad that Microsoft does not allow this feature especially using the Yubikey from Chrome especially for those using a Mac and not a Windows based laptop instead of forcing users to use Edge.
I can’t believe that I can’t find help getting a security KEY