Update: Republished on March 30 with news of a workaround to new sign-in requirements and more passkey information.
All change for Microsoft. The company has suddenly confirmed a major update “for over 1 billion end users,” as the deletion of passwords for all users becomes real. Your Microsoft password, it warns, “could be easily forgotten or guessed by an attacker,” and it’s now time “to completely remove the password from your account.”
“The password era is ending,” Microsoft warned in December. “Bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.” With “7,000 attacks on passwords [blocked] per second… almost double from a year ago,” the company is on a mission to “convince a billion users to love passkeys.”
A passkey replaces password and two-factor authentication (2FA) codes with account authentication linked to your hardware device or devices and secured by the same mechanism that unlocks that device, most likely your fingerprint or your face. Unlike passwords, this means a passkey cannot leak or be stolen, as it requires that physical hardware device. And unlike 2FA, it cannot be intercepted or bypassed.
Microsoft says passkeys are “the future of authentication, and for good reason! They’re incredibly easy to use and intuitive, eliminating the need for complicated password creation processes and the hassle of remembering them. Plus, they’re unique to each website or application, so you don’t have to worry about someone using your passkey to access other services. And unlike passwords, passkeys are resistant to phishing attempts, making them a much more secure option. Best of all, you can use your passkey across all your devices, so you never have to worry about forgetting your password again!”
This latest update is the next stage of that shift from passwords to passkeys. “By the end of April, most Microsoft account users will see updated sign in and sign-up user experience for web and mobile apps.” This has enabled the company “to rethink the default experiences for sign in, putting even greater emphasis on usability and security — our new UX is optimized for a passwordless and passkey-first experience.”
Microsoft explains that when signing up for a new account, just entering your email address will be enough. “You don’t have to create a new Microsoft password… All you need to do is verify the email with a one-time code, and this becomes the default credential for your new account, so you start off passwordless.”
Once signed in, users will then create their passkeys. “We’re also updating the Microsoft account sign in logic, so your passkey is the default sign in choice whenever possible, because passkeys are more secure and three times faster than passwords.”
Microsoft has been very clear as to why adding passkeys is not good enough if passwords remain on the account. “Even if we get our more than one billion users to enroll and use passkeys, if a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing.”
That’s why password deletion is the goal, and it’s becoming more critical with new AI-fueled attacks and successful 2FA compromises making weekly headlines. “Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials,” Microsoft says. “Millions of users have deleted their passwords.”
“The FIDO Alliance has been laser focused on eliminating the world’s dependence on passwords for over a decade,” its CEO Andrew Shikiar told me. “This is an exciting and seminal milestone as Microsoft is taking passwords out of play for over a billion user accounts, who can now instead leverage user-friendly, phishing-resistant passkeys.”
Kudos to Microsoft for the clarity and simplicity of its messaging here. The adoption of passkeys is accelerating, with HYPR confirming this week that “phishing-resistant authentication, led by FIDO passkeys, is projected to become the most widely deployed authentication method within two years.” But there’s much more still to be done.
What we need now is the same password deletion clarity from all other major platform providers to ensure this shift is wholesale. Google, in contrast to Microsoft, talks about passwords remaining as a backup credential for account access. But per Microsoft’s warning, this leaves a vulnerability in place. This should be the year we see consistent advice on passkeys and the eradication of password and simple 2FA usage.
“I think it’s fair to say that most companies that deploy passkeys do so with the ultimate intent of password deletion,” Shikiar suggests. “Microsoft’s leadership in doing so today will help encourage more service providers to do the same, which moves us collectively closer to the day when passwords are fully in our rear-view mirror.”
“In 2022, we made it possible for users to completely remove their password and sign in with alternative methods,” Microsoft says. “Since then, millions of users have deleted their passwords and protected themselves against password-based attacks. Now with passkeys, we can truly replace passwords with something faster, safer, and easier to use. It’s an ambitious vision, but we firmly believe in a phishing-resistant future for all scenarios, including account recovery and bootstrapping.”
FIDO’s data suggests that “passkey familiarity [is] growing” and growing quickly. “In the two years since passkeys were announced and made available for consumer use, passkey awareness has risen by 50% from the 39% who said they were familiar in 2022 to 57% in 2024.” And critically given password deletion plans now coming to the fore, “the majority of those familiar with passkeys are enabling the technology to sign in. Meanwhile, despite passwords remaining the most common way for account sign-in, usage overall has declined as alternatives rise in availability.”
“To make sure we got our passkey experience right,” Microsoft says, “we adopted a simple methodology: Start small, experiment, then scale like crazy. The results have been encouraging:
- Signing in with a passkey is three times faster than using a traditional password and eight times faster than a password and traditional multifactor authentication.
- Users are three times more successful signing in with passkeys than with passwords (98% versus 32%).
- 99% of users who start the passkey registration flow complete it.”
Microsoft says “passkey adoption is a virtuous cycle, and transitioning the world away from passwords is bigger than any one company. As more relying parties prioritize passkey support, passkeys will first become recognized, then familiar, then expected—everywhere you sign in. As people become increasingly familiar with the usability and security benefits of passkeys, they’ll be more likely to enroll and use them on more sites. Together, we can convince billions and billions of users to enroll passkeys for trillions of accounts! We’re proud to be part of this collective effort and hope you will share learnings as well as you progress in your passkey journey.”
It’s not all good news from Microsoft on the account front, though. As reported by Windows Central, the Windows-maker has also “confirmed that it’s removing a popular command line that allowed users to bypass connecting to the internet and signing into a Microsoft Account when setting up a new Windows 11 PC.”
This refers to “bypassnro,” which has allowed users to enter a command prompt during Windows Setup “to skip connecting to the internet, therefore bypassing the Microsoft Account requirement.” But not any longer — which won’t land well with affected users.
“We’re removing the bypassnro.cmd script from the build to enhance security and user experience of Windows 11,” Microsoft has just confirmed in a dev blog. “This change ensures that all users exit setup with internet connectivity and a Microsoft Account.”
For those still wanting to make use of the bypass, there is a workaround, albeit a more painful one than before. Windows Latest reports that “it’s still possible to install a fresh copy of Windows 11 without a Microsoft account. Microsoft has made the process slightly more complicated, as Windows 11 now requires you to create a Registry entry before you can bypass the Microsoft account requirement.” In short, “Microsoft has only removed the bypassnro.cmd script, the bypass itself still exists.”
This means using the Registry Editor as follows:
- “On the ‘Let’s connect you to a network’ screen, press Shift + F10 to open Command Prompt.
- Type regedit to open the Registry Editor.
- In Registry Editor, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
- Right-click on the blank space in the right panel and select:
- New > DWORD (32-bit) Value
- Name it exactly: BypassNRO
- Double-click BypassNRO, and set the value data to 1.
- Close Registry Editor.
- Restart.”
The alternative, Windows Latest says, is to run this single command from a Command Prompt: “reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v BypassNRO /t REG_DWORD /d 1 /f”