Forget Your Password at Microsoft Sites. Use a USB Key Instead

November 21, 2018, 12:20 AM UTC

If you’re sick of creating, remembering, and entering passwords, you’re not alone: Microsoft is now on your side.

The company said on Tuesday that it now supports signing in to a Microsoft account with a USB security key that holds a private cryptographic key, bypassing the need for a password, or even an account name. Because the login rests on public-key cryptography rather than a shared secret, there is no password to guess, phish, or lift from a breached database.

An intruder trying to invade your digital life would have to intrude physically as well to obtain a hardware key. Some key models also require a fingerprint scan to activate, adding another challenge.

These keys are not cheap—they cost $20 to $60—but that may be worth it to anyone who has experienced an account breach or worries about financial information—or company secrets—being stolen or misused. A single key may be used with multiple sites and even locally installed software.

Users register a key with a site or service, like Microsoft’s central login for services like Office, OneDrive, Outlook, Skype, and Xbox Live. After that initial registration, logging in means plugging in the key and proving you are present by tapping its button or touching its fingerprint reader. Microsoft’s flow also asks for a PIN set on the key itself; that PIN is checked by the key and never sent to the site, so it is not a password a breached server could leak.

Currently, Yubico (maker of the YubiKey) and Feitian sell several options for key features and USB connector types. Microsoft’s password-free login requires Windows 10 with the October 2018 Update (version 1809) and works with its Edge browser on a desktop computer with an available USB port.

The no-password login sidesteps the weaknesses of passwords by relying on a key pair generated inside the USB key for each site: the private key never leaves the device, and the site stores only the matching public key. During login the site sends a fresh random challenge, the browser passes it to the key together with the address of the site the user is actually visiting, and the key returns a signature over both; an operating system could also play the browser’s role. Because the signature is bound to the site’s identity, a look-alike phishing site cannot obtain a signature the real site would accept, while the real site confirms that the user holds the registered key. And because the challenge changes every time, a captured signature cannot be replayed later.

Google supports an earlier version of this standard, FIDO U2F, in which USB keys pair with passwords for so-called “two-factor authentication”: the password and a challenge signed by the USB key form two separate kinds of validation. Older U2F-only keys can’t be upgraded to the newer passwordless standard, but they continue to work as a second factor alongside a password, and FIDO2 sites still accept them for that purpose.

This USB key login relies on an industry standard called FIDO2 from the Fast Identity Online (FIDO) Alliance. FIDO2 combines the W3C’s Web Authentication (WebAuthn) browser interface with the Client to Authenticator Protocol (CTAP), which the browser or operating system uses to talk to the key. Alliance members include Microsoft, Amazon, JP Morgan Chase, Intel, Goldman Sachs, and Google.