Tom Kelley/Getty Images

These days, I'm very popular in Russia, Ukraine, Moldova, Bosnia-Herzegovina, and even Albania. At least, that's what it looks like based on this list of recent attempts to sign in to my Microsoft account:

What these attackers don't know is that every password is incorrect for this passwordless account.  

Screenshot by Ed Bott

If you're curious about who's trying to sign in to your Microsoft account, go to this management page: https://account.microsoft.com. After signing in, click Security and "View my sign-in activity."

In my case, those desperate hackers are wasting their time. They can try every combination of letters, numbers, and symbols in every alphabet known to humanity, even if it takes until the end of the universe, and they will never guess the password for my Microsoft account.

Also:10 passkey survival tips: Prepare for your passwordless future now

Why am I so confident? Because, long ago, I chose the option to make that account passwordless. If some stranger wants to sign in to my account on a new device, they'll have to convince me to approve that sign-in using a device I've already set up. (Sorry, Ivan, I say nyet to unsolicited requests from Russia.)

Should you go passwordless?

Microsoft wants you to do just like I did and ditch your password. This month, the company rolled out a new user experience that is "optimized for a passwordless and passkey-first experience."

Also: The best VPN services (and how to choose the right one for you)

So, should you do it? For most people, the answer is yes. Removing your password dramatically increases the security of your Microsoft account and makes it far more resistant to phishing attacks. Once you've removed your password, the only way to sign in to a device is by proving your identity using biometrics (fingerprint or face recognition), hardware security keys, syncable passkeys saved in a password manager, or by responding to a push notification on a trusted device, as shown here.

The default method for signing in to a passwordless Microsoft account is with an Authenticator app on a device you own.

Screenshot by Ed Bott

The only technical reason not to make this change is if you use old apps or hardware devices that don't support modern authentication methods: Office 2010 or earlier; Office for Mac 2011 or earlier; Xbox 360; or a PC running Windows 8.1 or earlier. You'll also run into problems if you use the Remote Desktop feature to connect to another PC using your Microsoft account.

Going passwordless is not a step you take casually. Along with that extra security comes an increased risk that you'll lock yourself out of your account. You can mitigate that risk by making sure you have multiple secure ways to access your account before you remove your password.

Ready to get started? Let's go.

Step 1: Check your current security settings

Go to your Microsoft account management page at https://account.microsoft.com and sign in using your password. Click the Security tab and then click "Manage how I sign in." That should open a page like the one shown here:

Add at least two ways to prove who you are. An Authenticator app and an email address are your best choices. 

Screenshot by Ed Bott

This is an account I created for test purposes. It has a password, and I've added an email address to be used for verification purposes. Note the two options under the "Additional security" heading -- Passwordless account and Two-step verification -- are both off.

Click "Add a new way to sign in or verify." That opens the page shown here:

Use the second option to set up the Microsoft Authenticator app as a way to sign in.

Screenshot by Ed Bott

Step 2: Set up an uuthenticator app on your mobile device

Click the middle option, "Use an app." This gives you two choices. The Microsoft Authenticator app relies on push notifications; you can also set up a classic Time-based One-Time Password (TOTP) authenticator and generate six-digit codes you supply on request.

To use the Microsoft Authenticator, download and install the Microsoft Authenticator app on your mobile device and then click Next to display a QR code like the one shown here:

Scan this QR code to set up your Microsoft account in the Authenticator app.

Screenshot by Ed Bott

Open the Authenticator app on your mobile device, click the plus sign, and scan the QR code using the smartphone camera to add your new account. The result should look something like this:

After you make your account passwordless, the Change Password option will disappear.

Screenshot by Ed Bott

If you'd prefer to use another TOTP app, such as Authy or Google Authenticator, click "Use an app." In the "Set up the Microsoft Authenticator dialog, choose the option to set up a different Authenticator app. That produces a bar code that creates a standard 6-digit TOTP code that you enter when you need to authenticate. Note that you can use this option with Microsoft Authenticator as well. Choose the option to set up a different app and then add the account to Microsoft Authenticator using the supplied barcode. That will result in two entries, one that uses notifications, the other that uses TOTP codes.

Step 3: Set up at least two other ways to sign in

The Authenticator app provides an easy way to sign in without a password. But what happens if you lose your phone? That's when you need an alternative sign-in method. If you have two-step verification set up, you'll need two factors.

• Click "Email a code" to enter an alternate email address.
• Click "Show more options" to display the option to enter a phone number where you can receive a code via SMS. In addition to your personal phone, consider adding the phone number that belongs to your spouse or partner, which gives you an extra alternative if your own phone is lost or stolen.
• Select "Use an app" and set up a non-Microsoft authenticator app as described in Step 2. (Consider setting up that app on a phone other than your primary phone, if possible.)
• Choose the "Face, fingerprint, PIN, or security key" option to create a hardware-based passkey, using Windows Hello with face recognition or a fingerprint reader on a Windows PC, or an Apple iCloud Keychain passkey, using Touch ID on a MacBook. You can also use this option with a USB security key.
• If your password manager supports this feature, you can create a passkey that syncs between devices. Dashlane, 1Password, and Bitwarden all support passkeys.
  

Step 4: Create a recovery code and save it in a secure location

Do not skip this step!This is your "In case of emergency, break glass" option.

Go back to the "Manage how I sign in" page from Step 1 and scroll all the way to the bottom of the page. Under the "Recovery code" heading, click the option to generate a new code. Print it out and save the code in a safe location. Maybe consider sending a copy to a trusted family member who can stash it away in case you need it.

Also: If we want a passwordless future, let's get our passkey story straight

If all else fails, this code will make certain that you can recover your account. 

Step 5: Turn on the passwordless option

You don't have to do this step right away. All of the passwordless options you set up (Authenticator app, passkeys, and so on) will work right away. Give yourself a week or two to make sure everything's working as expected. When you're ready, go back to the "Manage how I sign in" page, scroll to the "Passwordless account" section, and turn that option on.

Windows

How to upgrade your 'incompatible' Windows 10 PC to Windows 11: Two waysMicrosoft blocked your Windows 11 upgrade? This tool can get the job doneWiping a Windows laptop? Here's the safest way to erase your personal data - for freeYou can still upgrade old PCs to Windows 11, even if Microsoft says no: Readers prove itMicrosoft to start charging for Windows 10 updates next year. Here's how muchThis hidden Windows 11 setting adds an 'End task' option to every task on your taskbar

• How to upgrade your 'incompatible' Windows 10 PC to Windows 11: Two ways
• Microsoft blocked your Windows 11 upgrade? This tool can get the job done
• Wiping a Windows laptop? Here's the safest way to erase your personal data - for free
• You can still upgrade old PCs to Windows 11, even if Microsoft says no: Readers prove it
• Microsoft to start charging for Windows 10 updates next year. Here's how much
• This hidden Windows 11 setting adds an 'End task' option to every task on your taskbar