Microsoft is taking the radical step of giving people the option to remove passwords from their accounts for the company's services like Outlook and OneDrive.
The feature has already been available for users on commercial accounts at large organisations under a pilot running since March.
Now Microsoft is giving everyday users the option to go password-less, too (see how below).
Instead, you can rely on biometric logins - fingerprint scans or facial recognition - or access-approval messages sent to a smartphone.
As we face an unprecedented number of cyber threats, is this a PR gimmick, or a Great Leap Forward in security?
Experts consulted by the Herald gave Microsoft's move the thumbs up.
"Passwords have been part of the zeitgeist for so long it feels hard to let them go or trust something else," said Theta head of cybersecurity Jeremy Jones.
"Passwords are supposed to be easy for humans to use but hard for computers to guess," he adds.
"But that message has been lost over the years, often with crippling password policies that just annoy users, who do very understandable human things to make their lives easier - like using password patterns, or re-using them across multiple services - which ends up having the opposite effect of making users more vulnerable."
AUT software engineering senior lecturer Ken Johnson agrees that, while good on paper, password-based security is often broken in practice as people struggle to remember multiple passwords and grapple with frequent requests to change them.
"What we tend to do is reuse them, use easy-to-remember passwords and trivial, guessable passwords like 'ABC123'. So, in practice, they don't make a very good means of security."
Many organisations encourage staff to use a password manager, enforce rules about password complexity and/or use two-factor authentication (usually a code sent to a cellphone) if a new device tries to connect to one of your accounts - or just periodically as a security double-check.
But often such systems can cause user-rage, or lead to people using their personal email or social media accounts for office communication.
"The authentication process should not be an obstacle to accessing technology and information," Jones says.
"Microsoft makes this quite easy with its facial recognition technology - called Windows Hello - and their Authenticator mobile app as reliable substitutes for passwords.
"There might be a password lurking in the background somewhere as a backup, but offering people easier authentication options that are all equally secure is likely to generate a better outcome overall."
Getting a log-on approval message sent to a phone "is a lot more powerful than a password," Johnson says. Sure, you can leave your phone lying around, but the AUT academic notes that smartphones require facial or fingerprint recognition, or at least a PIN, to be unlocked themselves.
How to go password-less
You'll need to have the Microsoft Authenticator mobile app installed and linked to your personal Microsoft Account. You can find Microsoft Authenticator on Apple's App Store or Google Play.
Once that's complete, you can visit account.microsoft.com, choose "Advanced security options", and then under "Additional security" turn on "Passwordless account".
You then approve the change from your Authenticator app and you'll be password free. You can always reverse the change and add a password back to your Microsoft account in the future.
Remember that the new option is for personal Microsoft accounts. For going password-less on your work account you'll need to talk to your organisation's IT team.
Microsoft has posted more on its move, including a step-by-step guide to going passwordless, in a blog post by security, compliance and identity VP Vasu Jakkal.
Google, Apple and others are also working toward less reliance on passwords.
Google Chrome lets you sign in without a password, and Apple's iOS 15 and macOS Monterey updates include Passkeys in iCloud Keychain, a feature that aims to replace passwords with a more secure login process.