Windows 10: Now it's tap or look to sign in to Outlook, Office 365, OneDrive, Skype

Microsoft takes another big step in its mission for password-less sign-in for Windows 10.
Written by Liam Tung, Contributing Writer

With the Windows 10 October 2018 release now back under way, Microsoft has announced that users can sign in to its main websites from Edge without a password.

Edge on Windows 10 1809 comes with support for WebAuthn, the W3C standard for password-free sign-in to websites that's also being supported by Google Chrome and Mozilla Firefox.

WebAuthn enables sign-in to websites from Edge using biometrics, such as a face or fingerprint scan with Windows Hello, as well as FIDO2-compliant security keys like Yubico's YubiKey and the Feitian BioPass key.

For Windows users, it means they'll be able to sign in to a range of Microsoft apps and websites from Edge either by using Windows Hello or FIDO2-compliant security keys.

The advantage over passwords is that it's harder to fall victim to phishing attacks, and users don't need to worry about entering a username and password.

Users will be able to use the new method to sign in to accounts on Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, Microsoft Store, Bing, and MSN.

"Microsoft is the first company to support password-less authentication using the FIDO2 WebAuthn and CTAP2 specifications, and Microsoft Edge supports the widest array of authenticators compared to other major browsers," said Alex Simons, vice president of program management at Microsoft Identity Division.


To sign in to a Microsoft Account with a compatible security key, users need to go to the Microsoft account page on Edge and sign in as usual.

After that, users can select Security and then go to 'More security options'. Under Windows Hello and security keys, there will be instructions for setting up the security key.

The FIDO2 industry standard uses public-key cryptography, where a private key is stored on the local device and requires a face, fingerprint or PIN code to unlock it.

A public key is sent to Microsoft's account servers in the cloud and the key is registered with the user account.
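The registration step described above, and the reason a signed sign-in response is harder to phish than a password, as an added Node.js example (not code from the article or from Microsoft). It assumes an authenticator simulated in-process, placeholder origins, and hypothetical function names, and it leaves out the CBOR/COSE encoding and attestation that real WebAuthn uses.

```javascript
// Added example: simplified model of WebAuthn sign-in (no CBOR/COSE, no attestation).
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();

// Registration: the key pair is made on the device; the server stores only the public key.
function register() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Device side (simulated). The browser, not the page, writes `origin` into the client data.
function authenticatorSign(authenticator, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData layout: SHA-256(rpId) | flags (UP=0x01, UV=0x04) | 4-byte counter
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: sign('sha256', signed, authenticator.privateKey) };
}

// Server side: check what was signed before trusting the signature itself.
function verifyAssertion(serverRecord, expected, assertion) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'bad-type';
  if (clientData.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (clientData.origin !== expected.origin) return 'bad-origin';
  if (!assertion.authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad-rp-id';
  if ((assertion.authData[32] & 0x04) === 0) return 'user-not-verified';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return verify('sha256', signed, serverRecord.publicKey, assertion.signature)
    ? 'ok' : 'bad-signature';
}

// Constructed scenario: account.example and account-example.test are placeholder names.
function demo() {
  const { authenticator, serverRecord } = register();
  const expected = { rpId: 'account.example', origin: 'https://account.example',
    challenge: randomBytes(32) };
  const good = authenticatorSign(authenticator, expected.rpId, expected.origin, expected.challenge);
  const lookAlike = authenticatorSign(authenticator, expected.rpId,
    'https://account-example.test', expected.challenge);
  const nextLogin = { ...expected, challenge: randomBytes(32) };
  return {
    genuine: verifyAssertion(serverRecord, expected, good),
    lookAlikeOrigin: verifyAssertion(serverRecord, expected, lookAlike),
    replayed: verifyAssertion(serverRecord, nextLogin, good),
    wrongKey: verifyAssertion(register().serverRecord, expected, good),
  };
}
console.log(demo());
```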

Microsoft is planning to extend the same sign-in capabilities from a browser for work and school accounts using Azure Active Directory, the service that suffered a global issue yesterday, locking people out of Office 365 and Azure for several hours.

Microsoft shows how Windows Hello can let users authenticate themselves without a password on any Windows 10 device using biometrics. Source: Microsoft
