Passkeys: Microsoft’s Solution to 7,000 Password Attacks Per Second
The password era is coming to an end, and Microsoft is leading the charge with passkeys, a next-generation authentication method designed to enhance both security and user experience. In a recent blog post, Microsoft described its ambitious effort to convince over a billion users to adopt passkeys and move to a passwordless future.
Microsoft shared staggering statistics underscoring the urgency for change: “We block 7,000 attacks on passwords per second—almost double from a year ago. At the same time, adversary-in-the-middle phishing attacks increased by 146% year over year.” Passkeys provide a solution to these pervasive issues by offering phishing-resistant credentials.
Unlike passwords, passkeys rely on biometrics (face or fingerprint recognition) or a secure PIN. They eliminate common vulnerabilities, such as forgotten passwords and one-time codes, while also improving user experience. Microsoft highlights that passkeys are “three times faster than using a traditional password and eight times faster than a password and multifactor authentication.”
Microsoft adopted a structured methodology to roll out passkeys successfully: Start Small, Experiment, and Scale. In May 2024, Microsoft introduced passkey support for services like Xbox, Microsoft 365, and Copilot. Users could create passkeys via their Microsoft account settings or during sign-in.
Microsoft discovered that a proactive approach, inviting users to enroll passkeys during key moments like sign-in or password reset, yielded better results. According to their findings, “About 25% of users who saw a nudge engaged with it—five times our pre-launch expectations.” Messaging that focused on speed or security resonated more with users than messaging about ease of use, with enrollment rates of 24% for speed and 27% for security.
Microsoft revamped the sign-in experience to prioritize passkeys. If a passkey is available, it becomes the default sign-in method. For users without a passkey, the system prompts them to enroll immediately after signing in.
Microsoft’s ultimate goal is to eliminate passwords entirely, creating accounts that only support phishing-resistant credentials. In 2022, they introduced the ability for users to delete their passwords and rely solely on alternative methods like Windows Hello or FIDO-based devices. With passkeys, this vision is becoming a reality.
“Now with passkeys, we can truly replace passwords with something faster, safer, and easier to use,” Microsoft states, projecting hundreds of millions of new passkey users in the coming months.