Slashdot Mirror


Microsoft Now Lets You Log Into Outlook, Skype, Xbox Live With No Password (cnet.com)

You and 800 million other people now can use hardware authentication keys -- and no password at all -- to log on to Microsoft accounts used for Outlook, Office 365, OneDrive, Skype and Xbox Live. From a report: Microsoft is using a technology called FIDO2, which employs hardware keys for the no-password logon, the company said Tuesday. New versions of Microsoft's Windows 10 operating system and Edge web browser support the technology. The hardware authentication keys plug into laptop USB ports or, for phones, use Bluetooth or NFC wireless communications to help prove who you are. Initially, they worked in combination with a password for dual-factor authentication, but FIDO2 and a related browser technology called WebAuthn expand beyond that to let the company ditch the password altogether.

Microsoft's no-password logon offers three options: the hardware key combined with Windows Hello face recognition technology or fingerprint ID; the hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app. It works with Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing and the MSN portal site.

1 of 60 comments

  1. Re:No password, but... by Anonymous Coward · Score: 2, Informative

    I think you're misunderstanding... The most common hack isn't a technological one but rather socially based. For example:

    1) The person uses a weak password, either something like 'password' or their birthday.

    2) The person is tricked into entering their credentials into a spoofed or compromised application which relays the password.

    3) People tend to reuse login credentials, so if a password on a weakly secure site is compromised, then the password on a properly secured website is also compromised.

    FIDO2 and hardware keys get around the issue by not using passwords but instead by using public key infrastructure. In a PKI setup, there are two halves to the security, the public key and the private key. The public key you give out freely and it can live in the database of the website you want to log in to as plain text. It doesn't matter if it gets compromised; anyone can see it and it doesn't matter.

    The beauty of it is something called asymmetrical encryption; you can encrypt a message with the public key but only the private key can decrypt it. So to authenticate a user:

    1) The client says, "I'm user 'john'" to the server

    2) The server looks up john's public key, encrypts a nonsense random message with john's public key, and transmits that back to the client.

    3) The client gets the encrypted message, but it can only decrypt it with the private hardware key. The client then sends back the decrypted message to the server.

    4) The server looks at the response and if it's the message that it sent as encrypted, it can be reasonably certain that the client talking to it has the private key.

    This setup is a lot more secure because no passwords are stored on the server's database, meaning that a breach in the server side leaks considerably less. It also eliminates weak passwords as a potential breaching point.

    This doesn't negate the possibility of a Man in the Middle attack (you need mutual authentication, the server to the client and the client to the server, which gets really complicated for key distribution), but it does eliminate the major sources of lost credentials. Like I said, though, it introduces problems of its own.