It's not yet time to laugh off data breaches, but authentication technology is advancing beyond the password-era problems.
Yubikey's Yubico Security Key can handle U2F and FIDO2 authentication.
Stephen Shankland/CNET
You and 800 million other people now can use hardware authentication keys — and no password at all — to log on to Microsoft accounts used for Outlook, Office 365, OneDrive, Skype and Xbox Live.
Microsoft is using a technology called FIDO2, which employs hardware keys for the no-password logon, the company said Tuesday. New versions of Microsoft's Windows 10 operating system and Edge web browser support the technology.
The hardware authentication keys plug into laptop USB ports or, for phones, use Bluetooth or NFC wireless communications to help prove who you are. Initially, they worked in combination with a password for dual-factor authentication, but FIDO2 and a related browser technology called WebAuthn expands beyond that to let the company ditch the password altogether.
Microsoft's no-password logon offers three options: the hardware key combined with Windows Hello face recognition technology or fingerprint ID; the hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app. It works with Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing and the MSN portal site.
The prospect of moving to hardware keys after decades of using just passwords may daunt you, but it's probably smart to get used to the idea now.
Passwords have been purloined from countless companies through data breaches, and the ones that are hardest to crack also happen to be the ones that are hardest to remember. Fingerprint and face authentication on phones is one important step away from old-school password-only protection, but hardware keys look likely to be another.
You might want to hold off a little before trying a dramatic change to your Microsoft account authentication, though: Since Monday, Microsoft has struggled with a multifactor authentication problem afflicting Office 365 logon.
Getting ahead by killing off passwords
Microsoft clearly believes its move beyond passwords gives it an edge over competitors. "We are declaring an end to the era of passwords," Rob Lefferts, Microsoft's corporate vice president for security, said in a September blog post. "No company lets enterprises eliminate more passwords than Microsoft."
And Alex Simons, a vice president in Microsoft's Identity Division, added another boast in a blog post Tuesday: "Microsoft Edge supports the widest array of authenticators compared to other major browsers."
Even with password managers trying to manage the chaos of dozens or hundreds of accounts, passwords are a struggle for mere mortals. Dual-factor authentication methods can increase security, typically using an authenticator apps that generate a short-lived numeric code or sending us similar codes by text message or email.
Hardware keys are coming
Hardware security keys are a variation of dual-factor or multifactor authentication, a technology that means just having an account's username and password isn't enough to log on. Hardware keys go a step farther than SMS codes and authenticator apps, too. In principle, SMS codes can be intercepted.
The hardware authentication keys got their start with technology called universal second factor (U2F) at the FIDO (Fast Identification Online) Alliance, notably through the efforts of Google and U2F hardware maker Yubico.
Google supports U2F hardware for login and indeed now sells its own key, Titan, which it credits for neutralizing phishing attacks.
Hardware-augmented logon is spreading steadily. In addition to Google and Microsoft, companies that support it in various capacities include Dropbox, Twitter, Facebook, Github, LastPass, 1Password and Dashlane.