Overview
- Starting August 1, Microsoft Authenticator will remove all stored passwords and disable its in-app autofill feature.
- Users are required to configure FIDO-compliant passkeys secured by biometrics or PINs within Authenticator to continue logging in to supported services.
- Passwords deleted from the app will remain synced to users’ Microsoft accounts and can be accessed via the Edge browser or exported to other password managers.
- Microsoft cited a surge to 7,000 password attack attempts per second in 2024 as the key security rationale for transitioning to phishing-resistant passkeys.
- Because many websites and legacy systems still rely on traditional passwords, users and organizations will navigate a hybrid environment of passwords and passkeys for the foreseeable future.