Microsoft is urging users of its Authenticator app to transition to passkeys as the app's password autofill feature is set to be discontinued in August 2025. This move is part of Microsoft's broader strategy to eliminate passwords entirely and consolidate credential management under Microsoft Edge.

Timeline for the Transition

The deprecation of the password storage and autofill feature in Microsoft Authenticator is happening in phases:

• June 2025: Users will no longer be able to add or import new passwords into the Authenticator app.
• July 2025: The autofill function will cease to work within the Authenticator app, and all stored payment information will be deleted.
• August 1, 2025: All remaining saved passwords will be permanently deleted from the Authenticator app.

Why the Change?

Microsoft's decision to remove password support from Authenticator stems from the increasing prevalence of password-based attacks. The company reports that consumer accounts experience approximately 7,000 password-based attacks every second, including credential stuffing, phishing attempts, and password reuse exploits. Major security breaches involving billions of leaked credentials have further highlighted the vulnerabilities inherent in traditional password systems. Microsoft aims to provide a more unified user experience by consolidating password management within its Edge browser.

What are Passkeys?

As an alternative to passwords, Microsoft is championing passkeys, a modern authentication method developed by the FIDO Alliance and supported by major tech companies like Apple and Google. Passkeys utilize public-key cryptography, creating unique digital credentials stored securely on users' devices. These credentials can be accessed through biometric authentication (fingerprint or facial recognition) or device PINs. Passkeys are considered more secure due to several key characteristics:

• URL-specific: Passkeys only work on the website or app for which they were created, preventing their use on fake sites.
• Device-specific: Passkeys are restricted to the device where they were set up, thwarting unauthorized access from different devices.
• User-specific: Passkeys require a physical action like fingerprint or facial recognition, making it difficult for someone else to impersonate the user.

How to Prepare for the Transition

Authenticator users have a few options to ensure they don't lose access to their saved credentials:

1. Migrate to Microsoft Edge: Users can install Microsoft Edge on their mobile devices (iOS and Android) and sign in with their Microsoft account. This will securely sync saved passwords and addresses, allowing for continued autofill functionality. To set Edge as the default autofill provider, users can go to their device's settings and select Edge as the preferred service.
2. Export Passwords: Those who prefer not to use Edge can export their passwords from Microsoft Authenticator as a CSV file. This file can then be imported into a third-party password manager like Bitwarden or 1Password. To export passwords, users can navigate to Settings > Autofill > Export Passwords within the Authenticator app. Note that the exported CSV file is unencrypted, so it should be deleted after importing into another password manager.
3. Set up Passkeys: Users can set up passkeys for services and applications that support them. This involves using biometric data, PINs, or other methods to create a secure, device-specific credential.

Important Considerations

• The discontinuation of password autofill in Authenticator does not affect the app's two-factor authentication (2FA) capabilities or push notifications for Microsoft account logins. These features will continue to function normally.
• Any payment information stored in Authenticator will be deleted in July 2025 and will need to be manually re-entered if users switch to Edge.
• The transition to passkeys requires setting up individual passkeys for each service or application that supports them.
• Microsoft is recommending that users enable passkeys for their Microsoft accounts.

By taking these steps before August 1, 2025, Microsoft Authenticator users can ensure a smooth transition to passkeys or another password management solution and maintain secure access to their online accounts.