Microsoft tries to knife passwords once and for all - at least for consumers

Microsoft has decided to push its consumer customers to dump passwords in favor of passkeys. The software giant announced the move Thursday, May 1, traditionally known as "World Password Day," with a declaration it had joined forces with the Fast Identity Online (FIDO) Alliance to re-name the pseudo-holiday "World Passkey Day …

  1. TheWeetabix Bronze badge

    Someone sat

    Presumably with glee, on something for 6 years, in plain sight, and no one noticed.

    Makes me wonder what it’s going to look like after the next version of Windows ends security patching.

    If I recall this isn’t the first time (https://www.securityweek.com/critical-flaw-magento-ecommerce-platform-exposes-online-shops/amp/) a problem was caused by poor upstream controls. IIRC the lead dev handled his publicity poorly too.

  2. drankinatty

    M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

    Perhaps I'm just a curmudgeon, but I think you would have to be literally daft to turn over your biometric identifiers to log into consumer software, or any software for that matter. Maybe for intelligence agencies (before brother Pete), but not for windows, word or the Microsoft account.

    Given the entire industry's track record of keeping customer data safe, trusting them with your immutable identifying factors is a bridge too far. In case of a breach, you can change your password or ssh cert, but if your bio ID is leaked, stolen, whatever, you are a bit out of luck. No thank you.

    1. Richard 12 Silver badge

      Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

      The idea is that the biometric or PIN never leaves your device. It's only used to unlock the local keystore that has automatically generated keys. The user never sees or interacts with the keys.

      The real problem is - if all the keys are on your phone, WTF do you do when someone steals it?

      You no longer have any of your keys. Hopefully the thief cannot get the keys out.

      But all the keys are gone.

      It's going to take a few days to weeks before my insurance replaces the phone, so do I lose access to anything for that whole time?

      How do I regain access?

      How do I revoke all the keys in that stolen device?

      What prevents a miscreant from doing that takeover?

      Ah yes, and when Microsoft breaks Windows 11 passkeys again (it's done that several times to my work laptop), what do I do?

      1. Gene Cash Silver badge

        Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

        > The idea is that the biometric or PIN never leaves your device

        That's the idea. Hopefully it's the practice as well.

        Which still leaves it as a juicy and prime target for malware to exfiltrate.

        1. Richard 12 Silver badge

          Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

          The replace-and-revoke process is an even juicier target, as proven by SIM-swapping.

        2. Snake Silver badge

          Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

          Everyone needs to STOP believing that everyone else has their lives centered around their smartphones. I still want to log into my accounts from, GASP!, my desktop. That does *not* mean that I want to [also] access my phone to grant you my passkey.

          No. Stuff off.

          I am so sick of this bullshit that I can't stand it any more. Gyms telling you "You need to use our app to sign in when you arrive!" to "Sign in with your one-time PIN, which we sent to your phone!".

          My. Phone. Is. NOT. an. extension. of. my. arm!

          I leave it in the car when I go into the gym - I'm there to work out, not read the internet. When I go grocery shopping I leave my phone behind, usually no need for it. Etc etc etc.

          Stop it. Stop believing that everyone is a slave to the same device you are tracking and inundating with your targeted ads. Just, stop it.

          1. AVR Silver badge

            Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

            I don't lug around a phone everywhere myself, but a lot of people do - possibly to pay for their groceries, even. If you are going to try to make a one-size-fits-all solution, centring it on a phone makes sense. If you're going to insist on being an odd size then you're going to put some extra effort in.

            1. Anonymous Coward
              Anonymous Coward

              Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

              Not wanting to be part of the herd ... BECAUSE ... the security of the latest and greatest idea is NOT proven ... does NOT make you an 'odd size' !!!

              I do not live my life ON the PHONE !!!

              I use a phone to make calls and to send texts ... the rest is a nice to have which I CHOOSE not to use ALL the time !!!

              Making an APP for everything is driving me MAD !!!

              I cannot keep track of all the APP's I am FORCED to install.

              I bought a rather nice car and I have installed a Tracker & Immobiliser ... I have an APP for the Tracker, an APP for the Immobiliser, an APP to access the various 'Toys' on the car, an APP to generate reports from the 1001 data sources in the car and, of course an APP to access the DashCam ... so on and so on ......

              This is beyond lunacy, every company assumes that you need a 'special' APP just to use their product and in 'Their' world there is no other APP's to contend with !!!

              I want to control the security on my phone & PC BUT these APP's do whatever they want which you CANNOT control.

              If I use firewalls etc on the router the APP's usually complain that they cannot work and I have to weaken the security to allow them to work !!!

              This leads to installing Google Android, on your phone, and answering 'YES' to all questions to allow the 'weakest' level of security and allow google to have access to ALL your data ... THEN ... install all the APP's and answer 'YES' to all their questions to allow the APP's to work and 'THEY' have access to all your data etc etc

              I do not trust someone else to secure my information by default yet I must give away my control to install APPS to function in the world !!!!

              :)

              1. Geoff Campbell Silver badge
                Boffin

                Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

                I'm not sure that I see the problem here.

                If you want the facilities, install the App. If you can live without those facilities, don't install the App. No problem, certainly no call to get stressed and angry about it - how's your blood pressure?

                For the record, though, both Android and iOS give perfectly good, easy to use, ways to control what these Apps can do and access. The permissions systems are very fine-grained and easy to restrict if that's your thing.

                GJC

                1. An_Old_Dog Silver badge

                  Data-Raiding

                  To enable their data-raiding projects, many manufacturers are requiring the use of their apps to access even the basic features of their hardware, not just the "extras".

                  Since seemingly-every manufacturer is running down that dark road, the ability for consumers to have meaningful choices is dwindling fast.

                  Anyone who has recently bought a big-screen TV has experienced this. It's hard to watch broadcast TV when the screen is filled with non-bypassable banners reading, "NO INTERNET. PLEASE SET UP DEVICE." and, "CREATE AN ACCOUNT WITH US FOR ACCESS TO ENHANCED SERVICES." Even if you do not want any enhanced services.

                2. An_Old_Dog Silver badge

                  Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

                  @GJC:

                  I have come across many, many apps -- some included with new phones -- which simply refuse or fail to work if they are not granted all the permissions they demand.

                  I'm thinking in particular of the sound-recording app which came with my new Motorola phone. This app refused to work if I didn't grant it access to my contacts list and video camera. (I did not grant those permissions [more-specifically, I revoked those permissions, as the phone came with those permissions automatically granted to that app], but the app itself was not un-installable.)

                3. Anonymous Coward
                  Anonymous Coward

                  Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

                  "The permissions systems are very fine-grained and easy to restrict if that's your thing."

                  THAT is the very thing that 'Breaks' the APP's and stops them from working !!!

                  I have done this and you find that if you diverge from the 'Out of the Box' permissions etc the APP will not work 100% as designed !!!

                  This is what I mean by 'Reducing the security to the lowest level'.

                  This is by design as the 'Data collection' that is happening in the background ONLY works if the permissions are NOT changed !!!

                  Invariably the APP is actually using a 'Web Browser' internally that it controls, I limit what Firefox/Chrome/etc can do by using addons BUT the internal 'Web Browser' is totally NOT under my control !!!

                  This is the basis of my complaint, APP's are a deliberate method to avoid the security you MAY use in Browsers like Firefox/Chrome/etc.

                  The need for 'your data' trumps the need 'you' have to protect your PC/Phone/Tablet via the Browser & addons of your choice !!!

                  :)

                  1. Snake Silver badge

                    Re: access permissions

                    Yep. Ebay just did this to their latest update, it demands Google Play access, both your account and the app active, otherwise it refuses to allow any use at all!

                    No. No no 1000x no. You don't deserve my Google access (a) just because you asked, and (b) because I don't keep my Google account on my phone at all unless and until I need it (new app install or update). Otherwise I remove my Google account from the phone completely. I will *not* keep my Google account active on my phone for your app!

                    Uninstall, goodbye. You piece of shiate.

                4. Missing Semicolon Silver badge

                  Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

                  Sorry, do you use Android? If you did, you would know that all of the important data gets hoovered up by tracking libraries without any of the decorative permissions. Install DuckDuckGo's App Tracking blocker, and marvel at the attempted data theft!

          2. Anonymous Coward
            Anonymous Coward

            Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

            Want someone to nick my phone as I am not getting another or an old school style non smart one

            Don't take calls except for the wife, and even then I'd be happy not to

      2. Acrimonius

        Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

        Passkeys are linked to your PC and/or phone. If stolen/broken (as well for PC if you have to clean reinstall the OS) - hopefully not both at the same time - then all passkeys have to be regenerated on your 'new' hardware. If not stored on the cloud by MS, Google or Apple you will need your username/password or PIN which you may no longer remember due to lack of use. May also need 2FA but not much use if the other device is your phone (if SMS/email) or PC (if email only) in question. If 2FA is email you will need to at least have access to your gmail. A Password Manager with the files saved to cloud and accessible from anywhere is essential. Overall, as a minimum you will need your MS, Google or Apple Account running again to start all over again so you can access cloud and Gmail. A question that might arise if your username/password have been compromised: can anyone with device just regenerate the Passkeys? Another question is what happens when there is a fraudulent SIM swap - are you well and truly stuffed then?

    2. vtcodger Silver badge

      Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

      There's an interesting critique of passkeys at https://tinyapps.org/blog/passkeys-touted.html Convinced me that Passkeys are not an especially good idea for most of us most of the time.

      1. vtcodger Silver badge

        Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

        My take for what it's worth. The tech industry badly needs a robust authentication tool that users can tolerate. Passkeys are the best idea they've got along that line. "They" probably know perfectly well that Passkeys are less than ideal. They're just hoping that Passkeys are good enough to keep the carnival going.

        1. Snake Silver badge
          Megaphone

          Re: passkeys

          "The tech industry badly needs a robust authentication tool that users can tolerate."

          No, they don't. They don't "need" it, they want it -there's a difference. It is, always, the user's responsibility to use secure authentication like unique passwords et al. The problem is that the tech industry wants to try to make the authentication system "idiot proof" - dumb it down and make it non-permeable enough that the responsibility is taken from the worst users...which doesn't solve the problem.

          You're just moving responsibility from one moron - an uneducated user - to another moron, the tech/programmer/MBA at the office that creates things that fit one, but not all, and with bugs to boot.

          I am MORE than happy to keep the responsibility for the security of my log-ins MYSELF. I *do not want* a company to think it can do better by creating a system...that now creates one failure point (say, combined site login with 2FA that goes to my hackable or loseable phone) rather than the individual, high-security passwords I have a habit of using (I have "low security" pass phrases, "high security" pass phrases that are usually 10-16 alphanumeric characters long...even my WiFi home password is the full 128 characters). I'm an adult, stop taking my choices away.

      2. Jou (Mxyzptlk) Silver badge

        Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

        Thank you! I don't like those FIDO and so on as well, but there are so many believers. Normal 2-factor is fine, you just need TWO 2 factors on independent devices (i.e. not both on your phone - why do I even have to write this?)

      3. Mage Silver badge

        Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

        They are only better than bad passwords and the same password used for different services.

        Also Biometrics are only equivalent to a username that can't be changed. Actually a stupid idea for security.

    3. Robert Carnegie Silver badge

      Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

      sodth.atfor.alark

      1. David 132 Silver badge
        Happy

        Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

        *goes to what3words to look that up, is disappointed to find that it's a corner of a small industrial unit just outside Peebles*

        1. Robert Carnegie Silver badge

          Re: M$ Wants Biometric ID - Sure Hold-on a second ... - NOT.

          I'm intrigued that those are "words". In any supported language.

  3. Duncan Macdonald
    Unhappy

    Why trust Microsoft ?

    How long will it take for the biometric data to be copied from your PC and sold to the highest bidder ?

    At least with local passwords, if you suspect that a password has been compromised it is easy to change. Good luck on trying to change your biometric data.

    1. navarac Silver badge

      Re: Why trust Microsoft ?

      I certainly never have nor never will trust Microsoft with PC or Data security. They are too busy trying to squeeze the last buck out of everyone to bother with that.

      1. David Hicklin Silver badge

        Re: Why trust Microsoft ?

        Everything here uses local accounts, hence windows 10 will be the last windows OS (and they really try to make it hard to do that )

        1. Duncan Macdonald

          Re: Why trust Microsoft ?

          Even on Windows 11 it is fairly easy to create a local account by using the NET USER command - once you have created a local admin account you can then use that account to delete the one that Microsoft knows (Use a throwaway new hotmail account when setting up Windows 11 - it will never be used again.)

          Run cmd as an administrator

          to create a new user

          NET USER username password /ADD /EXPIRES:NEVER

          to make the user an administrator

          NET LOCALGROUP Administrators username /ADD

          to disable a user

          NET USER user_to_disable /ACTIVE:NO

          to delete a user

          NET USER user_to_delete /DELETE

          Of course the better answer is to use Linux instead of Windows if practical

          1. Richard 12 Silver badge

            Re: Why trust Microsoft ?

            Except that the automatic bitlocker is tied to that MS account, so unless you wrote down the recovery key you can trivially lose everything.

            1. Anonymous Coward
              Anonymous Coward

              Re: Why trust Microsoft ?

              On Pro and above, it's simple to create a local account on setup - just not obvious (deliberately, for sure). Select the option to join the computer to a domain - that actually is where the local account is created (and it doesn't join it to a domain - you have to do that separately once setup has finished).

              The Home version needs a bit more pissing around but it can still be done on the latest release, I think. Make sure it doesn't have any network access, start the installer - Shift-F10 at the first setup screen, oobe\bypassnro, it then reboots. Then select the 'I don't have internet' option and confirm that yes, you are really, really sure, then it allows creation of a local account.

              If the first account created is a local one, it doesn't bitlocker the drive. On Pro and above you can do this manually if you wish and save the recovery key wherever you want.

            2. Roland6 Silver badge

              Re: Why trust Microsoft ?

              And if you forget to write down the password for your MS account, the Bitlocker recovery key will be of no value.

              Had this problem when a laptop decided to upgrade from fully working W10 which used a passkey/pin to login to the MS account. The W11 install on reboot wanted the Bitlocker key before it could boot into Windows… obviously, need to login to MS account from another PC but as it wasn’t “trusted” MS wanted the account password, which had not been provided to me…

    2. Groo The Wanderer - A Canuck

      Re: Why trust Microsoft ?

      Not to worry. You can always get plastic surgery...

      Or switch to LMDE6.

    3. kmorwath

      "biometric data to be copied from your PC and sold to the highest bidder ?"

      Do you use biometrics on your phone? And do you believe Apple or Google or Samsung or some random Chinese company won't take advantage of your biometric data?

      Sure, they won't "sell" them, they will just use them to make as much money as they can exploiting them - selling them is stupid unless you're just a small company, the largest ones don't sell the golden eggs, it means losing some edge over competitors.

      BTW, passkeys are exactly a way to track you better using your biometric data. Once you need them to access passkeys, they get into the loop and know what you log into, when, where....

      Everyone who thinks the problem is only Microsoft, is a poor naive "useful idiot" (useful for Apple and Google, of course)

  4. pogul

    > traditionally known as "World Password Day,"

    By whom?

  5. Dan 55 Silver badge

    Passkeys are lock-in

    Imagine what e-mail would look like if Microsoft, Google, and Apple had a hand in their development. There'd be three islands which wouldn't talk to each other and you'd be forced to stick with Microsoft, Google, and Apple or start over again with another Big Tech corporation.

    Well that's passkeys currently. No thanks.

    1. kmorwath

      Re: Passkeys are lock-in

      Also, passkeys are designed so most people have to have their personal surveillance device (the "smart"phone) always beside them and active, and all logins will go through their APIs.... They are another tracking technique - that's why they push it so hard. And the problem is well beyond Microsoft - which is just part of a larger problem.

  6. Anonymous Coward
    Anonymous Coward

    Passkeys on a PC

    So how are pass keys working on a standard desktop PC with no fingerprint reader or camera?

    1. Mentat74
      Facepalm

      Re: Passkeys on a PC

      You could use a PIN.... Which is SOOOOOOO much more secure than a password.... See icon -------------->

      1. Korev Silver badge
        Coat

        Re: Passkeys on a PC

        What kind of PIN? Safety, Dressmaking or another?

        1. Paul Herber Silver badge

          Re: Passkeys on a PC

          A Personal PIN Number.

          1. Korev Silver badge
            Pint

            Re: Passkeys on a PC

            > A Personal PIN Number.

            That'll "trigger" some people - I like your style Sir -->

          2. Anonymous Coward
            Anonymous Coward

            Re: Passkeys on a PC

            Yeah, totally secure as you can guess most PINs of your nearest and dearest

            I know at the missus's work place they all know each other's PINs, which not only do work things, but are more often than not the same as their phones... and DOB

        2. ecofeco Silver badge
          Coat

          Re: Passkeys on a PC

          Why, a locking PIN, silly!

          (mechanical engineering dad joke, don't mind me)

          1. Anonymous Coward
            Anonymous Coward

            Re: Passkeys on a PC

            To continue down the engineering 'rabbit hole' and get more specific...

            A Cotter PIN ... of course [UK parlance] !!!

            :)

        3. JWLong Silver badge

          Re: Passkeys on a PC

          How about a Bowling pin, 10 pin of course!

      2. Anonymous Coward
        Anonymous Coward

        Re: Passkeys on a PC

        A PIN? So not only an easier to guess number (date of birth \ kid's date of birth) but that means the password then gets forgotten totally due to never being used...

        Sometimes I wonder if these decision makers live in the real world.

      3. Jou (Mxyzptlk) Silver badge

        Re: Passkeys on a PC

        Of course they are! They are locked to your device, the unhackable totally secure TPM module. Combined with the IMEI or serialnumber and so on as unique identifier you get a bastion of security you cannot pass! Especially you!

        </irony, 'cause even the worst jokes get taken serious or get real>

    2. PCScreenOnly

      Re: Passkeys on a PC

      Windows hello

      Fucking useless

  7. AgentMyth

    Maintaining passkeys

    The use of Passkeys took me by surprise but thankfully I use Bitwarden to manage all of my passwords so when prompted by a website to store a passkey, Bitwarden captured it for me.

    I use it on several Windows machines with Firefox and Android with Firefox.

    I have properly secured my access to Bitwarden with physical keys and second factors, so I'm happy to delegate most password storage to it.

    So if this is a problem you're trying to solve there are solutions out there. Bitwarden is 40USD per year for a family account (5 users) which is well worth it IMHO. It mostly works for prompted passwords, but it's not perfect and sometimes auto fill fails and you must copy/paste in the information you want.

    However, I find that even this small step to take is too much for the family and so I occasionally nudge them into using it. We'll see if it catches on....

    1. RPF

      Re: Maintaining passkeys

      No idea why anyone would down-vote your comment.

      1. Doctor Syntax Silver badge

        Re: Maintaining passkeys

        'Twas not I but repeat after me:

        It's somebody else's computer that you do not control.

        It's somebody else's computer that you do not control.

        It's somebody else's computer that you do not control.

        It's somebody else's computer that you do not control.

        It's somebody else's computer that you do not control.

        It's somebody else's computer that you do not control.

        A password manager is fine. But keep it where you can lay your hands on it.

        1. Dan 55 Silver badge

          Re: Maintaining passkeys

          Maybe it's the self-hosted version.

        2. Hubert Cumberdale Silver badge

          Re: Maintaining passkeys

          KeePassXC FTW.

      2. ITS Retired

        Re: Maintaining passkeys

        Why pay for sign on security? Even with your own computer? Proper security needs to be the responsibility of the site, OS, machine, IoT, etc., if they want people to use their product. Not for some for profit motive that may or may not be as presented.

    2. Chris Gray 1
      Thumb Down

      Re: Maintaining passkeys

      Pay? Whatever happened to FREE software. (Yes, I know, they have to pay for their server and data connection.)

      I run Firefox with the NoScript plugin. How many sites which I refuse to allow (googletagmanager) does that stuff need?

  8. ComicalEngineer Bronze badge

    Trust M$ with my biometric data????

    I would not trust M$ with my biometric data OR my phone number.

    1. kmorwath

      Re: Trust M$ with my biometric data????

      And do you trust Amazon, Apple, Google, Facebook, etc. etc. (in alphabetical order)?

      1. Blofeld's Cat
        Headmaster

        Re: Trust M$ with my biometric data????

        Er, alphabetic order would be: "Amazon", "Apple", "Facebook", "Google"

  9. ColinPa Silver badge

    "It is faster using pass keys"

    Can someone explain how it is faster? Typing my password takes 2 seconds or less. A pass phrase is longer, and will take longer to type.

    Going to another device will take longer than 2 seconds.

    Or am I missing something?

    1. ITS Retired

      Re: "It is faster using pass keys"

      Passwords are so last century. Never mind nothing actually better has come along, but changeable passwords have worked for over 65 years.

      But somehow just because something is 'old' doesn't mean it needs to stop being used. That is sometimes faulty thinking. Occasionally the old stuff is better than the newer stuff. Passwords refuse to die for a reason. Stop trying to kill what works well enough for most things, for a long time, with something new, say with AI, because AI is the shiny new, or whatever. Change for change's sake is seldom better.

    2. G2
      Holmes

      Re: "It is faster using pass keys"

      simple: passkeys are not "pass phrases", and "takes 2 seconds or less" is also valid for using passkeys.

      .

      passkeys are actually public / private certificate pairs (ECDSA usually) that are unique for each particular service because when they are created they are also seeded with service ID data that is unique for each of them (usually based on domain name - but not always).

      This way a passkey that was made for one service (e.g. Microsoft account) will never even be recognized (or prompted) by another service (e.g. Google account) because the service seed ID data is different.

      The private certificate key of the passkey is never leaving the secure location (either a FIDO2 device, Windows Hello, Bitwarden store or other equivalent) and when authenticating that service is actually sending a request for a digital signature that the secure location is using when signing a response challenge with the same digital certificate key that was used when creating the passkey. The service then uses the public certificate that was enrolled when the passkey was created to verify that the challenge was signed by the correct certificate key.

      This is also why you can never "save" or copy a secure USB FIDO2 hardware token / security key and why it is needed to have at least two such USB token devices - in case one of them breaks or is lost you have a backup already defined. Software-based passkeys though (e.g. Bitwarden)...that's another kettle of fish.

      1. Jou (Mxyzptlk) Silver badge

        Re: "It is faster using pass keys"

        And then, when you have two FIDO, you come to a Laptop which suddenly puts 19 V on USB by default.

        "Oh, it does not work, but I still have my second FIDO..."

        Your backup second factor should not be the same type.

    3. Jou (Mxyzptlk) Silver badge

      Re: "It is faster using pass keys"

      Yes, 'cause keyboards can be listened to several ways. I do not mind 2-factor, 'cause what you type can be logged. But passwordless means passwordless for someone else too.

  10. Anonymous Coward
    Anonymous Coward

    And yet they still cock it up.

    I have MFA on devices (using MS services for my sins) and MS still suggests endlessly that I need to make a PIN as well or the world will end.

    They don't even try to have a veneer of competence these days

  11. Doctor Syntax Silver badge

    Very simple. My password is not on my computer, just its hash. My password manager is on my computer, it's encrypted, needs a password (strictly speaking a passphrase) to open and is synched to a NextCloud server on my own hardware. That's two passwords which I keep in my head. I will not use those elsewhere. There are no other dependencies, especially no third parties. I am not beholden to Microsoft or Apple for access to my PC.

  12. Tron Silver badge

    Windows is no longer an option.

    This is the final nail in the coffin. No longer of use. Anything but Windows from here on.

    1. Chris Gray 1

      Re: Windows is no longer an option.

      I wish!

      I've been a Linux user since way back to the original Red Hat. The local government has medical information online now, and I wanted to be able to access it. After going back and forth with their tech support, it was determined that their site does not support browsing from Linux. I could probably find out how (if it's still possible) to make my browser fake the identification string. Instead, I bought a fairly cheap laptop with Windows 11 (I can't count how many times I yelled at it for popping up stuff that wanted me to spend more money! Or just didn't seem to want to work reasonably (by my standards)). Also I hate the chiclet keyboard. The only good thing about it is that after I put WSL2 on it, I have another test bed for my compiler. :-)

      1. ecofeco Silver badge

        Re: Windows is no longer an option.

        That's not a Linux problem, that's an absolute website design fail.

        As in, their website designers are full of shit and you can bet good money it's vulnerable as hell as well.

        Just like a website that will only work with Edge. Absolute fail.

        1. David 132 Silver badge
          Thumb Up

          Re: Windows is no longer an option.

          Yep. "Our site only supports Windows/Mac" is this decade's "Works Best With Internet Explorer At 800x600!! Under Construction!! Join Our WebRing!". (and if I could have put a <blink> tag in there I'd have done so.)

          1. handle handle

            Re: Windows is no longer an option.

            You forgot "Install our Toolbar".

            1. Bluto Nash

              Re: Windows is no longer an option.

              ...and "Punch the monkey!"

      2. hedgie

        Re: Windows is no longer an option.

        Faking the string is easy enough, but the broken websites are more than just a problem with Linux, but rather one of two major parts:

        1) Browser makers are not supporting standards in a consistent manner.

        2) Lazy web developers who assume everyone is running either iOS and Safari or something Chromium-based on whatever platform, and think that instead of actually working something out, just barring anyone without the right UA string "works".

        So in the end, even on a Mac, I need to keep all three major browsers around just for dealing with work-related, banking, and medical provider sites. Sites A and B only work under Vivaldi (Chromium), B and C work best with Safari, and for some odd reason D is only working properly with Firefox. And while the moves to force Apple to allow different rendering engines on iOS and iPadOS are overall for the best, that same problem is going to arise soon enough on those platforms.

        1. that one in the corner Silver badge

          Re: Windows is no longer an option.

          > one of two major parts

          3) Web designers[1] and developers who are more concerned with being flashy and "cutting edge" than useful.

          Just what feature/API does a website *need* from a browser that isn't already supported by all of them now?

          [1] yes, I do know that many of the issues come from pulling in third-party libraries and the ever-chaotic churn of web frameworks, which is the web developers' domain, but I lay the use and acceptance of that mess on the designers who still use those packages and are insufficiently critical of that software.

  13. ecofeco Silver badge

    Get rid of passwords?

    LOL, like their RDP problem?

    https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/

    The Remote Desktop Protocol—the proprietary mechanism built into Windows for allowing a remote user to log in to and control a machine as if they were directly in front of it—however, will in many cases continue trusting a password even after a user has changed it. Microsoft says the behavior is a design decision to ensure users never get locked out.

  14. Anonymous Coward

    I don't understand why Microsoft is so concerned

    about my personal PC. Of course they are free to offer this security mechanism to anyone who feels they might need it but I'm not interested and don't see the need for myself.

  15. PCScreenOnly

    Fingerprint hell

    Potentially the phone and a crap scanner, but I find that a weekend of doing things outside and my fingerprints invariably do not work.

    My phone has the scanner on the side and is not too easy when I am working, so 90% of the time I unlock with the pin/pattern

    Not even sure if my laptop can do fingerprint

    1. Caver_Dave Silver badge

      Re: Fingerprint hell

      I was coming on here to say the same.

      After a weekend of caving, I have no fingerprints, but I might well have a few micro-scars that mean that even by (usually) Wednesday when I have regained enough fingerprint for a reading to happen, there will be no match. OK, I am an extreme example, but it took only two weeks for a previous employer to remove the need for fingerprints on door entries after all the problems it caused for many of the employees!

  16. TrevorH

    Dear Microsoft

    Please FOAD.

    See I was polite, I said please.

  17. Jou (Mxyzptlk) Silver badge

    How to change the "default MS-Hello"

    Some companies implement Windows Hello, and then it gets listed as FIRST choice, which you have to click away to get to the normal login.

    1. Strong method, disable Hello:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions]

    "value"=dword:00000000

    2. Not so strong method, set the "default provider" to "password". Check the SessionData subkeys!

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI]

    "LastLoggedOnProvider"="{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}"

    3. The "normal" GPEDIT.MSC way:

    Computer Configuration -> Administrative Templates -> System -> Logon

    (German:) Standard-Anmeldeinformationsanbieter zuweisen

    (English:) Assign a default credential provider

    For Method 2 and 3, check "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" for your list.

    Well known are:

    Password: {60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}

    PIN: {D6886603-9D2F-4EB2-B667-1971041FA96B}

    Picture Logon: {2135F72A-90B5-4ED3-A7F1-8BB705AC276A}

    Fingerprint Logon: {BEC09223-B018-416D-A0AC-523971B639F5}
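A read-only check to run before applying any of the three methods in the comment above, added here as an example and not part of the original comment. It lists the registered credential providers, shows which provider the `LogonUI` key and its `SessionData` subkeys currently point at, and reports the `AllowSignInOptions` value. Only the registry paths and GUIDs given in the comment are used; the `Resolve-Provider` helper name is hypothetical, and value names under `SessionData` are not assumed (any value whose name ends in "Provider" is reported).

```powershell
# Read-only audit of the logon settings named in the comment above. Changes nothing.
$auth = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

# GUIDs listed in the comment; anything else is resolved from the registry.
$known = @{
    '{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}' = 'Password'
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'PIN'
    '{2135F72A-90B5-4ED3-A7F1-8BB705AC276A}' = 'Picture Logon'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Fingerprint Logon'
}

# Hypothetical helper: turn a provider GUID into "GUID (name)".
function Resolve-Provider([string]$Guid) {
    if (-not $Guid) { return '(not set)' }
    if ($known.ContainsKey($Guid)) { return "$Guid ($($known[$Guid]))" }
    $key  = Get-Item -LiteralPath "$auth\Credential Providers\$Guid" -ErrorAction SilentlyContinue
    $name = if ($key) { $key.GetValue('') }   # default value holds the provider name
    if ($name) { "$Guid ($name)" } else { "$Guid (not registered on this machine)" }
}

# 1. Installed credential providers: the list to pick from for methods 2 and 3.
Get-ChildItem -LiteralPath "$auth\Credential Providers" | ForEach-Object {
    [pscustomobject]@{ Guid = $_.PSChildName; Name = $_.GetValue('') }
} | Format-Table -AutoSize

# 2. Provider recorded for the last logon, machine-wide and per session.
$logonUI = "$auth\LogonUI"
$last = (Get-ItemProperty -LiteralPath $logonUI -ErrorAction SilentlyContinue).LastLoggedOnProvider
"LastLoggedOnProvider: " + (Resolve-Provider $last)
Get-ChildItem -LiteralPath "$logonUI\SessionData" -ErrorAction SilentlyContinue | ForEach-Object {
    $k = $_
    $k.GetValueNames() | Where-Object { $_ -like '*Provider' } | ForEach-Object {
        "SessionData\{0} {1}: {2}" -f $k.PSChildName, $_, (Resolve-Provider $k.GetValue($_))
    }
}

# 3. Method 1 in the comment sets this value to 0 to disable Hello.
$policy = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions'
$value  = (Get-ItemProperty -LiteralPath $policy -ErrorAction SilentlyContinue).value
"AllowSignInOptions value: " + $(if ($null -eq $value) { '(not present)' } else { $value })
```

Saving the output before and after a change gives a record of what the logon screen was configured to offer, which is useful when a policy refresh later resets it.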

  18. Andrew Scott Bronze badge

    I don't know that passkeys are that much more memorable. Users have a default account for the business with a password they usually remember, but then they get a new Windows machine and are asked to create a PIN; when they actually need the PIN they've often forgotten it. They remember the password as they took an effort to remember it, but the PIN was quickly chosen and as quickly forgotten. Fortunately there are many occasions when the password is required and the PIN is not. Maybe having everyone's data isn't enough for MS, now they want everyone's accounts. Usernames/PINs/passwords.

  19. hedgie

    I'd be more than glad to "get rid of passwords", but not like this. I don't allow passwords for logins for ssh into my devices and use keys, so the idea of that is sound, and it was easy enough to import my ssh keys into even my iDevices. But proprietary solutions and even more tracking nonsense (and especially biometrics)?

    Count me out.

    But then again, even in an "ideal" world where keys got standardised on GPG or similar, you're still reliant on some combination of the user knowing how to copy their private keys over to various devices, enough interoperability on part of the OS makers to do so securely, or a 3rd party providing that function.[1] In any case, I suppose you'd still be better off than dealing with people who have a password of "password123", so a boon for security, but still far from ideal.

    [1] In other words, 1 option depending on users being clueful, and two depending on trusting third parties for their security, none of which could be described as "less bad".
