Microsoft has confirmed plans to delete passwords for a billion users. "The password era is ending," it says, warning those users that "bad actors know it, which is why they're desperately accelerating password-related attacks while they still can."
The company now "blocks 7,000 attacks on passwords per second... almost double from a year ago." It has also seen adversary-in-the-middle phishing attacks increase by 146% year over year. All of which is bad news. But there's good news to come, it says: "we've never had a better solution to these pervasive attacks: passkeys."
In a blogpost published on Thursday, Microsoft sets out the ways in which it plans to "convince a billion users to love passkeys," through insightful design. "Passkeys not only offer an improved user experience by letting you sign in faster with your face, fingerprint, or PIN, but they also aren't susceptible to the same kinds of attacks as passwords. Plus, passkeys eliminate forgotten passwords and one-time codes."
Passkeys have been accelerating in adoption this year. In the two years since passkeys were announced and made available for consumer use, the FIDO Alliance reported a few weeks ago, "passkey awareness has risen by 50%, from 39% familiar in 2022 to 57% in 2024."
And just like Microsoft, the FIDO Alliance says ease of use is as important as improved security. "The majority of those familiar with passkeys are enabling the technology to sign in... Meanwhile, despite passwords remaining the most common way for account sign-in, usage overall has declined as alternatives rise in availability."
Microsoft's blogpost is all about furthering that adoption curve, because as ever it will be the last 30-40% of users that will be the hardest to convince. "Somehow, we had to convince an incredibly large and diverse population to permanently change a familiar behavior -- and be excited about it. We asked ourselves: How are we going to convince more than a billion people to love passkeys as much as we do?"
And once that's done, the data suggests there will be no turning back:
I like the three-step approach Microsoft sets out -- start small through simple first steps, experiment with different approaches, and finally scale.
"Even if we get our more than one billion users to enroll and use passkeys," Microsoft says, "if a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing. Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials." The company offered password deletion back in 2022, and now reports that "millions of users have deleted their passwords."
It's really that simple. You should use passkeys everywhere they're available. A passkey is a public-key credential: the private key stays in the authenticator on your device (or in the platform's end-to-end encrypted credential sync, for passkeys that roam between your devices) and is only used after you unlock it with a biometric or a PIN, which never leaves the device and is never sent to the service. The service holds only the public key, so a breach of its database yields nothing an attacker can log in with. It is also stronger than most 2FA: SMS codes can be intercepted through SIM swapping or by a rogue app with SMS permissions, and both SMS and app-generated one-time codes can be relayed in real time by an adversary-in-the-middle phishing page, whereas a passkey signature is bound to the genuine site's origin and to a one-time challenge, so a lookalike domain cannot obtain one it can use.