Sign-in to Windows 10 with password-less accounts
Microsoft introduced an option in the most recent Windows 10 Home Insider Build to sign in to Windows with password-less accounts.
Microsoft's announcement reads: "Today, we're announcing support for setting up and signing in to Windows with a phone number account, without having to create, or deal with the hassle of a password!"
Passwords are certainly one of the Achilles' heels of account security; a 2018 study of leaked passwords showed that Internet users still pick largely the same weak passwords they used five years ago.
Weak passwords are not solely the user's fault; companies shy away from imposing overly strict password rules.
Users who sign up for a Microsoft Account need to assign a password to it. While it is possible to create a local Windows account without a password, and even to configure Windows to sign in automatically, any Windows account backed by a Microsoft Account requires a password as well. This may change with Windows 10 version 1903: Microsoft has added a new option to recent Insider Builds.
Password-less sign-in
In the future, Windows 10 users will be able to sign in to Windows by other means. Authentication is still required; it is what establishes that the person signing in is authorized to do so.
Instead of setting a password when an account is created on a Windows device, users may create the account with a mobile phone number, provided the phone is linked to a Microsoft Account.
Windows sends an SMS code to the linked phone; the user enters that code to sign in and create the account. From then on, the user signs in with a different method.
Microsoft notes that face, fingerprint, or PIN recognition can be used to sign in to the account.
The process removes the need for an account password, but not the need to authenticate. Depending on the device's hardware, a PIN may be the only option available.
Windows 10 users may assign a PIN to an account and use it to sign in; a PIN may even be required when creating a new account on a Windows 10 device. A Windows Hello PIN differs from a password in that it is local to the device: it unlocks a key bound to that machine (protected by the TPM where one is present) rather than being sent to Microsoft, so it cannot be used from another computer.
Right now, a password-less phone number account has to be created in a mobile application such as Word: type in the phone number and follow the instructions to create the account.
On Windows 10, the account then has to be added to the device under Settings > Accounts > Family & other users > Add someone else to this PC.
The phone number account should then be selectable on the sign-in screen and when switching users. Select "Sign-in options" and then the PIN tile; this launches Windows Hello setup, where one of the required authentication methods is configured for the account.
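The flow described above, as an added example that is not part of the original article and not Microsoft's code: the SMS code is used exactly once to bootstrap the account, after which the device registers a key that only the local PIN can use, and later sign-ins are a challenge-response against that key. It also shows the caveat that matters in practice: whoever receives the text first completes the bootstrap. The SMS gateway, the constructed phone number and PIN values, the five-attempt lockout, and the use of HMAC tags in place of the TPM-backed asymmetric signatures Windows Hello actually uses are all assumptions of this model.

```python
"""Model of the flow above: an SMS code bootstraps the account once, then a
device-bound key, unlocked by a local PIN, handles later sign-ins.
Added example, not Microsoft's code. Assumed stand-ins: an SMS gateway that only
records messages, and HMAC tags in place of TPM-backed asymmetric signatures."""
import hashlib
import hmac
import secrets

CODE_TTL = 300          # seconds an SMS code stays valid (assumed value)
MAX_PIN_ATTEMPTS = 5    # local lockout modelling TPM anti-hammering (assumed)


class SmsGateway:
    """Stand-in for the carrier: whoever can read the outbox can read the code."""
    def __init__(self):
        self.outbox = {}

    def send(self, phone, text):
        self.outbox[phone] = text

    def last_code(self, phone):
        return self.outbox[phone].split()[-1]


class Device:
    """The PC: a random key that only the correct local PIN can use. The PIN never leaves the device."""
    def __init__(self, device_id, pin):
        self.device_id = device_id
        self._pin = pin
        self._key = secrets.token_bytes(32)
        self.registration_key = self._key   # with a real TPM: the public half of a key pair
        self._failures = 0

    def sign(self, pin, challenge):
        if self._failures >= MAX_PIN_ATTEMPTS:
            raise PermissionError("device locked: too many PIN failures")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._failures += 1
            return None
        self._failures = 0
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class AccountService:
    """Identity provider: issues SMS codes, registers device keys, verifies challenges."""
    def __init__(self, sms, clock):
        self.sms, self.clock = sms, clock
        self.pending = {}      # phone -> (code, expiry)
        self.devices = {}      # phone -> {device_id: registered key}
        self.challenges = {}   # (phone, device_id) -> outstanding nonce

    def start_signin(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (code, self.clock() + CODE_TTL)
        self.sms.send(phone, f"Your sign-in code is {code}")

    def finish_signin(self, phone, code, device):
        entry = self.pending.pop(phone, None)   # single use, whether it passes or fails
        if entry is None:
            return False
        real, expiry = entry
        if self.clock() > expiry or not hmac.compare_digest(real, code):
            return False
        self.devices.setdefault(phone, {})[device.device_id] = device.registration_key
        return True

    def challenge(self, phone, device_id):
        if device_id not in self.devices.get(phone, {}):
            return None
        nonce = secrets.token_bytes(32)
        self.challenges[(phone, device_id)] = nonce
        return nonce

    def verify(self, phone, device_id, tag):
        nonce = self.challenges.pop((phone, device_id), None)
        if nonce is None or tag is None:
            return False
        expected = hmac.new(self.devices[phone][device_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo():
    sms, now = SmsGateway(), [0.0]                      # now[0] is a settable clock
    svc = AccountService(sms, lambda: now[0])
    phone, pc = "+15555550100", Device("pc-1", "2468")  # constructed values
    out = {}
    svc.start_signin(phone)
    code = sms.last_code(phone)
    out["bootstrap"] = svc.finish_signin(phone, code, pc)   # first sign-in via SMS
    out["replay"] = svc.finish_signin(phone, code, pc)      # code already consumed
    out["pin_signin"] = svc.verify(phone, "pc-1", pc.sign("2468", svc.challenge(phone, "pc-1")))
    out["wrong_pin"] = svc.verify(phone, "pc-1", pc.sign("0000", svc.challenge(phone, "pc-1")))
    svc.start_signin(phone)
    now[0] += CODE_TTL + 1
    out["expired"] = svc.finish_signin(phone, sms.last_code(phone), pc)
    svc.start_signin(phone)                                 # whoever reads the text first wins
    thief = Device("attacker-laptop", "1111")
    out["intercepted"] = svc.finish_signin(phone, sms.last_code(phone), thief)
    out["owner_after_intercept"] = svc.finish_signin(phone, sms.last_code(phone), pc)
    return out
```

Running `demo()` shows the two halves of the design: the SMS code cannot be replayed or used after its window, and a wrong PIN yields no usable response, yet an attacker who can read the text (SIM swap, SS7 interception, a stolen phone) registers their own device before the owner does. The PIN protects the key on the machine; it does nothing to protect the one-time bootstrap.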
Closing Words
Setup is not straightforward at this point; some might call it complicated. A regular account is still required to set up Windows on a device. Subsequent accounts can be password-less, provided the user has a mobile phone linked to a Microsoft Account.
The user still has to remember a PIN and use it to sign in if face or fingerprint authentication is not available on the device. Note also that the initial SMS code is only as secure as the phone number it is sent to: anyone who can receive texts for that number, for instance after a SIM swap, can complete the first sign-in.
It remains to be seen if the process is optimized in future builds.
Now You: What is your take on password-less sign-ins?
@Martin Brinkmann
I was right about Microsoft making password-less phone accounts mandatory for Windows 10 accounts. I don't know what the folks at Microsoft were smoking. I think I might go with Chromebooks or Linux instead of going with Microshaft.
A good number of people will be locked out of their own computers after the Windows 10 May 2019 update. If I were at Microsoft, I would use a simple method, such as a PIN without a mobile phone. To get rid of passwords, I would go with a five- to seven-digit PIN to create an account, and start rolling out choices for securing the desktop/laptop. Déjà vu all over again, as with the Windows 10 July free upgrade debacle that froze computers.
Oh yeah, don't forget about Microsoft Word AI. Some months ago, one dude at Microsoft confirmed over the phone that they are securing the computer via SMS text. I just remembered that; I asked him if MS Authenticator is feasible. He said it would be SMS text. And we, the other majority, know that SMS text is unreliable at times.
As a society in general, we have become lazy, and not just on the password front but on other things too.
I find it fascinating how many people condemn this technology without understanding anything about it – or the authentication process. Or the concept of password derivatives, like hashes.
Using a password-free account means that there is no password or derivatives stored anywhere – not with the service provider, not on the device (SAM/Shadow), not in memory, Not Anywhere.
This means your account cannot be phished (or have its password maliciously reset), your credentials cannot be replayed, and your account cannot be taken over without physical possession. This means No More Remote Attacks (at least without using rare and expensive zero-day malware).
This technology, which is built around the FIDO2 specification, is by far the greatest improvement in computer security since public key encryption was invented in the 1970s (which ironically forms the foundation for the FIDO2 suite of protocols).
A word to the wise: Anyone who actually cares about their security should investigate this technology before dismissing it and making baseless accusations about privacy invasion. If you use any form of internet-connected computer, which includes mobile devices, you have already willingly chosen to completely give up your privacy. Maybe you should investigate how to protect the data that exists on these devices, instead of attacking the companies that spend billions of dollars inventing ways to protect you. This new 'Password-less Account' is, by far, the best option available to end-users. It makes account compromise several orders of magnitude more difficult – nearly impossible.
Do a web search for the Microsoft whitepaper “An overview of password-less authentication”.
Why not use use OTP generated locally? lol
@Barry @John C.
I just wanted to chime in to say how “greatly” I agree with what both of you have said, and how much you feel it. Massive agreement here.
Why in the WORLD should I have to “log in” to my own computer when I’m the only person using it and the only person who lives in this house? This further raping of my privacy, along with forced, unexplained updates, hardened IP addresses being used for telemetry and a totally messed up UI is further reason that I’ll avoid Windows 10. As for any other M$ product like “Word”, well, I’ve never used them and never will.
Me from December 22, 2018 at 3:54 pm
I would like to add that SIM cards, including the e-SIM (the integrated SIM card), can and will be spoofed. Not to mention that mobile phones can and will be confiscated by border agents/customs agents. Plus, I suspect that it's a simple ploy to track people under a guise of convenience. If it's optional at first, how long would it be before it becomes mandatory? You don't have a mobile phone? Too bad, you can't finish setting up your computer. The thought of that just grinds my gears.
My mobile doesn't receive texts from Microsoft or from my bank, however many times I've tried. Prepaid network carriers don't have premium SMS, only major network carriers. And not all cellular network carriers are alike; in Canada the major telecoms don't get along.
We are dependent on our computers; we order online, pay our bills and so forth. The idea of password-less phone number accounts is revolting. It will cut people off from everything digitally.
It won’t be long until Steve Gibson’s SQRL app is released to the public. I’d rather use it because it’s more private. However, I can’t see the social media sites using it because they can’t track people across websites with it as far as I know.
https://www.grc.com/sqrl/sqrl.htm
I fear that Microsoft will lock out users who don't have smartphones, iPhones or mobile phones before they can set up a Windows 10 account. People are so easily duped into thinking that it's the greatest thing since sliced bread. Don't be surprised if they lock people out of their Windows 10 accounts.
Implementing a feature for a smartphone/iPhone/feature phone to log in to your Windows 10 account is a boneheaded move. No way in hell am I going to use that feature, like the dude aka John who made an eloquent comment. I agree with what he said:
"1. Sounds like Microsoft has this angle covered by using other things like facial recognition, thumbprints, etc. for access to the PC after the first cell phone log-in instead of leaving cell phone as the continual and sole means of access to the PC after setting up the account, *but as a generality*, I would say that the biggest downside of using your phone as a main authentication method for a PC would be that you may be on your PC in part because your cell phone ran out of power, your cell phone is out for repair, you're between cell phones, you're out of range of a cell tower, you had your cell service cut off or cancelled, you switched phone numbers without telling Microsoft, or your cell phone is in the other room/in your car/lost or stolen/etc. One wouldn't want a "Lose access to your cell phone, lose access to your PC" scenario. Fortunately, Microsoft has that angle covered, but I'll bet if this goes more mainstream as a replacement for a password, some companies will mess it up."
I know people who still use landlines and VoIP and will not get a mobile phone. Mobile phones are luxury items; I know several folks who have stated that they refuse to get one, as they can be a target for spammers who sell the information to third parties.
I have a mobile phone that is pay as you go; I will not use it to log in password-less to Windows, which is why I am sticking with Windows 8.1 as long as I can. I may switch to Linux. I was rudely told not to use Windows since I don't like that upcoming feature.
For my home PC I have always used a local account with no password. I would never use a Microsoft account because I already feel Microsoft collects enough from my email and telemetry in Win 10.
It reminds me of when Microsoft decided to lock people out of their email accounts unless they surrendered their phone number to log in. I wonder if they'll dare to do such a thing with Windows too one day.
.. local Windows account. No phone number to anyone. Fingerprint? WTF?! Every unnecessary Windows function disabled/uninstalled. Every outgoing MS connection blocked (how? written a dozen times). Then, on top: every Microsoft, Google, Facebook & Cloudflare domain blocked (browser basis), per:
https://github.com/CHEF-KOCH/CKs-FilterList
Strict anti-corp blocking. Wow, great, important, future-oriented filter lists. Finally. You should also read what he has to say.
.. now do you miss YT? Me too. Anyway.
https://ibb.co/4K8Z2MD
Just click on "temporarily" (or use invidio.us directly).
& if you still want to see videos on YT:
www.youtube.com * 3p-frame block
www.youtube.com * 3p-script block
www.youtube.com youtube.com * allow
* googlevideo.com * allow
Those are the only uBlock Origin exceptions/rules I've been running into under these circumstances. Otherwise: no broken web (if you use alternatives):
https://twitter.com/RealPrivacyIO
+ no casualties on "my own Windows light v2.0".
PS: on a test basis + FF DoH (wouldn't that be worth an article, as with Cloudflare?):
https://adguard.com/en/blog/adguard-dns-announcement/
https://adguard.com/en/adguard-home.html
This again lets me disable every uBlock Origin list + FF disconnect.me. Only 5 anti-corp lists are active.
Current need: all domains of all big bad companies should be blocked on a network/DNS level; at/through/whatever; user friendly, simple, freeware or not, self-hosted or not, whatever operating system you use (yes, even Windows = no Windows updates anymore et cetera; only a clean, "running system"). If you use an online service for this, the privacy policy must be accurate. AdGuard, e.g., has a lot of work to do. And there will be a lot of work. Otherwise someone / something else will take their place.
PPS: is your f.. Android smartphone affected?
https://twitter.com/ay_meshkov/status/1075823515876642819
Throw it away.
PPPS: use "Standard Notes", with all the security features and for everything: your personal data, your (really) strong passwords, your f.. 6-life *lol* (if you keep a diary).
https://standardnotes.org/
& the new Tutanota email client:
https://tutanota.com/blog/posts/desktop-clients/
Or simply online:
https://tutanota.com/
(even, in the near future, quantum-cryptography aware/oriented)
Nobody has access to my personal information, even if they have access to Windows. Strong passwords, generated by Bitwarden:
https://bitwarden.com/
+ E2EE, 2FA.
And finally Tresorit Basic:
https://tresorit.com/pricing/basic
(OK, it isn't as bad as I thought it would be)
instead of OneDrive.
Yes, there will be contact with 2 Azure servers in Ireland (not permanently), but encrypted on an E2EE basis... and in Europe. Compared to OneDrive: the lesser evil. And all important personal data are _additionally_ encrypted with 7-Zip before they reach Tresorit, with a _strong_ password... again.
Nice weekend.
1. Sounds like Microsoft has this angle covered by using other things like facial recognition, thumbprints, etc. for access to the PC after the first cell phone log-in instead of leaving cell phone as the continual and sole means of access to the PC after setting up the account, *but as a generality*, I would say that the biggest downside of using your phone as a main authentication method for a PC would be that you may be on your PC in part because your cell phone ran out of power, your cell phone is out for repair, you're between cell phones, you're out of range of a cell tower, you had your cell service cut off or cancelled, you switched phone numbers without telling Microsoft, or your cell phone is in the other room/in your car/lost or stolen/etc. One wouldn't want a "Lose access to your cell phone, lose access to your PC" scenario. Fortunately, Microsoft has that angle covered, but I'll bet if this goes more mainstream as a replacement for a password, some companies will mess it up.
2. Honestly, when one is talking about an Internet based Microsoft account, asking for a phone number doesn’t surprise me. A lot of the big email service providers and social networking sites ask for or even require a phone number from you upon signup as proof of identity or a method of account recovery should you forget your password or otherwise lose access.
Since you can optionally sign up for a local account for Win10 that lives entirely on your PC rather than the default Microsoft Account/PC Account combo, that seems like the way to go if you don’t want Microsoft to have the information signing up for their partially cloud based accounts requires.
Granted, if you don't have the cloud-based account, you can't have Microsoft pull your settings from the cloud if you log in on a different PC or have to reinstall Windows, but that was how things always used to be anyway. Some folks even like starting fresh once in a while and reviewing what settings they want upon purchasing a new machine.
The big issue will/would be when/if they stop allowing local accounts. So far, that hasn’t happened. It may eventually, but that’s speculative.
3. Does not having a Microsoft account keep you from downloading free software from the Microsoft Store and from using or updating any preloaded system tools using that program format? If so, that could be an issue.
Every day, Microsoft sounds more like Google. And that’s certainly not a compliment.
Microsoft stay away from my phone.
2FA via SMS isn't safe either.
What is my “take on password-less sign-ins” such as this method of using my phone?
It’s a not too subtle way to tie a phone number to a person’s name whereby the phone number can be sold to spammers, excuse me, to advertisers who will bludgeon the user’s phone to death with advertising calls.
As dumb as it sounds, I will continue to use passwords (obviously not weak passwords) just to thwart this obvious attempt to make more money by selling my contact information to spammers.
And the few spammers that do “call” me I immediately block which requires that someone somewhere has to come up with a new better-than-ever spoofed “phone number” to try, try, try again.
Sometimes the old ways are still the best.
Is anyone really stupid enough to fall for this?
When I think about it I know the answer. Yes, many people are this stupid :(
“A password made of all numbers is not a password, it’s a PIN. Why? Because we said so!”
“Just give us your phone number! Why? Reasons!”
“What is your take on password-less sign-ins?”
Not just no, but hell no. I’m not going to give Microsoft even more information about me than they are already stealing.