Next month, saved passwords will no longer be in Microsoft’s Authenticator app

Clarifying what Microsoft is changing

  • Discussion repeatedly notes the article is misleading: Microsoft Authenticator’s autofill and local password storage are being removed, not passwords from Microsoft accounts.
  • Saved passwords remain in the Microsoft account and can be accessed and autofilled via Edge (including as an iOS/Android autofill provider), without needing to browse with Edge.
  • Users see in‑app warnings: autofill via Authenticator ends July 2025; passwords remain available through Edge; export is possible until then.

Enterprise and forced Authenticator use

  • Many employers mandate Microsoft Authenticator (often push-based) on employees’ personal phones, which some see as disrespectful of personal boundaries and risky from IT and privacy standpoints.
  • Others argue small businesses can’t afford separate work phones; suggestions include YubiKeys or desktop-based authenticators like WinAuth.

Passkeys: goals and potential benefits

  • Some applaud a major player pushing passwordless auth, citing resistance to phishing, credential stuffing, and server-side password leaks.
  • Passkeys can embed multiple factors (device + PIN/biometrics), avoid SMS, and theoretically improve UX when well integrated with platforms and password managers.

Passkeys: UX, recovery, and real-world problems

  • Many commenters report confusion and failures: multiple device-bound passkeys, unclear selection, broken logins after device changes, and poor mental models.
  • Concerns center on recovery (lost/stolen/broken phones), use on borrowed/office devices, offline/analogue backup, and support for non-technical users.
  • Sharing access (e.g., family accounts, Netflix‑style scenarios) is seen as much harder than with passwords.

Vendor lock‑in, attestation, and control

  • Strong fear that passkeys tie users to platform ecosystems (Apple/Google/Microsoft), with poor export and cross‑platform sync today.
  • Attestation and “approved providers” are viewed as enabling walled gardens and potential exclusion of open‑source tools (e.g., the KeePassXC controversy).
  • Some see this as part of a wider move toward “secure computing” and remote attestation that can restrict which devices may access key services.

Alternatives and user preferences

  • Many recommend third‑party managers (Bitwarden, KeePass, 1Password, Proton Pass), some already managing passkeys.
  • Several users intend to stick with unique passwords + TOTP (or hardware keys) stored in a password manager, seeing limited benefit from passkeys relative to added complexity.