
Microsoft Starts Deleting Your Passwords In 4 Weeks—Act Now

As I warned last week, Microsoft is now making changes to user accounts after warning that “the password era is ending” and that “bad actors know it” and are “desperately accelerating password-related attacks while they still can.”

This affects its Authenticator app and starts now with an end to autofill. The feature enabled users to “securely store and autofill passwords on apps and websites you visit on your phone,” but from this month “you will not be able to use autofill with Authenticator.”

The much more serious change comes just four weeks from now. “From August,” Microsoft warns, “your saved passwords will no longer be accessible in Authenticator.” That means you need to act now to move them somewhere else.


I have warned about this before, but with the clock ticking down fast, user warnings are now coming thick and fast (1, 2, 3). Hopefully, this means no users will be caught out, not realizing that Microsoft is making this change until it’s too late.

“After August, 2025,” Microsoft warns, “your saved passwords will no longer be accessible in Authenticator and any generated passwords not saved will be deleted.”

This is all part of Microsoft’s push for users to delete account passwords altogether and to use passkeys instead. Passwords are a huge security risk. Just look at the recent news flow around 16 billion breached passwords. Even though that story was misleading, there are still billions of stolen passwords out in the wild.

Google and others say the same. Even with two-factor authentication (2FA), a username and password is not a secure way to access your account. 2FA can be intercepted or bypassed. Passkeys link your account to your device security, requiring device biometrics or a PIN to log in. As such, there’s nothing to steal, intercept or even share.


As the FIDO Alliance explains, “passkeys are phishing resistant and secure by design. They inherently help reduce attacks from cybercriminals such as phishing, credential stuffing, and other remote attacks. With passkeys there are no passwords to steal and there is no sign-in data that can be used to perpetuate attacks.”

Passwords stored in Authenticator can easily be moved to Edge or you can export them to a different password manager of your choice. But you should really take this as an opportunity to add passkeys to all your key accounts.

Unsurprisingly, Authenticator will continue to support passkeys. “If you have set up Passkeys for your Microsoft Account, ensure that Authenticator remains enabled as your Passkey Provider. Disabling Authenticator will disable your passkeys.”

