Tech Insight: Microsoft Deleting Saved Passwords From Auth App

Microsoft is warning users that saved passwords will soon be deleted from its Authenticator app, as it phases out the feature in favour of Edge and passkeys.

Major Changes Coming to Microsoft Authenticator

Millions of Microsoft users are being urged to take action ahead of a planned overhaul to the Microsoft Authenticator app. Microsoft says that from August 2025, the app will no longer store or provide access to saved passwords. The change is apparently part of Microsoft’s wider push towards a passwordless future and will directly impact individuals and businesses who rely on Authenticator to manage credentials.

The phased retirement of password and autofill functionality in the app begins this month (June 2025) and ends with permanent deletion in August.

Improved Security and Streamlining

Microsoft says the move is intended to improve account security and streamline its identity tools, but critics have raised concerns about user disruption and the company’s growing dependence on its Edge browser.

What Exactly Is Happening And When?

According to Microsoft’s official support documentation, the changes will roll out in three key stages:

– From June 2025, users will no longer be able to add or import new passwords into the Authenticator app. The app will still autofill existing saved passwords for a short time.

– During July 2025, the autofill feature will be fully disabled, and any stored payment information will be deleted from user devices.

– From August 2025, all previously saved passwords will be permanently inaccessible in the Authenticator app. Any passwords generated through the app but not saved will also be lost.

Microsoft is, therefore, urging users to export their passwords before the August deadline or risk losing them permanently.

Microsoft’s Password Problem

At the heart of the decision is the fundamental issue that passwords are no longer seen as being secure. For example, Microsoft’s internal data suggests the scale of the threat has worsened. In a blog post published last December, the company said it was blocking an average of 7,000 password attacks per second, nearly double the rate from the previous year. Phishing campaigns, brute-force attacks, and credential stuffing continue to rise.

As the blog noted, “Bad actors know [passwords are dying], which is why they’re desperately accelerating password-related attacks while they still can.”

It should be noted here that Microsoft is not alone in this assessment. For example, data from the FIDO Alliance shows that over 35 per cent of people have had at least one online account compromised due to password vulnerabilities. Meanwhile, 54 per cent of those familiar with passkeys say they’re more convenient than passwords, and 53 per cent say they’re more secure.

It seems that Microsoft sees this moment as an opportunity to transition users to more modern authentication methods, particularly passkeys, i.e. credentials tied to biometric data like fingerprints or facial recognition, which are less vulnerable to traditional forms of hacking.

A Nudge Towards Microsoft Edge

In practical terms, Microsoft is also consolidating its password management services under its Edge browser. Users who still want Microsoft to handle their credentials are being directed to switch to Edge, where passwords, addresses, and other autofill data can be securely stored in their Microsoft account.

A new splash screen in the Authenticator app now encourages users to “Turn on Edge” for this purpose. Microsoft notes that passwords are synced with the user’s Microsoft account and can be accessed by signing into Edge, where they are stored under Settings > Passwords.

This change isn’t just about security. It’s clear that this move is also designed to help strengthen Microsoft’s long-standing campaign to increase adoption of its browser. As part of this push, password autofill services are no longer available through Authenticator in Chrome, Safari, or other third-party browsers. Users who don’t want to use Edge are advised to export their passwords and switch to an alternative password manager such as Google Password Manager or iCloud Keychain.

What About Passkeys and 2FA?

Although password storage is being removed, the Microsoft Authenticator app itself isn’t going anywhere. It will continue to support two-factor authentication (2FA), including time-based one-time passwords (TOTP) and biometric logins.

More importantly, Authenticator will remain central to Microsoft’s passkey system. If users have already enabled passkeys for their Microsoft account, they must keep Authenticator enabled as their designated passkey provider. Disabling the app may break access to those accounts.

Passkeys “Superior”

Microsoft says passkeys offer a “superior user experience” by enabling faster logins that are resistant to phishing and replay attacks. But the technology is still in early stages, and many websites and systems, especially in the enterprise world, have yet to adopt it widely.

What Users Need To Do

For individual users, the priority is clear: export any saved passwords from Authenticator before 1 August 2025. Microsoft warns that any unsaved credentials will be lost, and payment details stored in the app will be deleted by July.

To keep using Microsoft’s ecosystem, users can set Microsoft Edge as their autofill provider on iOS or Android. Those wanting to move to a different platform must export their credentials, then import them into the new tool.

More Complex For Business Users

However, as may be expected, business users, especially those in IT administration roles, seem to face more complexity. This is because many organisations use Authenticator not only for employee 2FA, but also as a password vault for accessing internal systems and client accounts. The removal of this functionality could lead to operational disruption if not properly managed.

Enterprises will, therefore, need to review whether Edge is suitable across their environments, or whether to transition to third-party tools such as Keeper, 1Password, LastPass, Bitwarden, and others, many of which offer team vaults and admin controls.

Microsoft has published step-by-step guides for exporting credentials from the app and importing them into Edge. However, the company also warns that exported passwords are no longer encrypted in transit. Users must delete the exported file immediately after import to avoid exposing sensitive information.

Criticism and Concerns

Despite the security rationale given by Microsoft, the move hasn’t gone without criticism. For example, some users see it as an aggressive tactic to push people towards Microsoft Edge. Others are concerned about losing the flexibility that came with Authenticator’s cross-browser compatibility.

The change also comes at a time when Microsoft has faced growing scrutiny over its handling of security. Recent phishing campaigns targeting Microsoft accounts have used Google Apps Script to host realistic-looking fake login pages, tricking users into entering credentials. By removing password storage and advocating for passkeys, Microsoft is positioning itself as proactive, but some argue the change is reactive to recent threats.

Also, many IT professionals, including managed service providers (MSPs), have expressed reservations about using browsers to store sensitive information such as passwords. While Microsoft maintains that Edge is a secure, enterprise-grade browser with built-in defences like Defender SmartScreen and Password Monitor, it remains the case that most security-conscious businesses recommend dedicated password managers instead.

Some MSPs, for example, point users towards platforms like Keeper, which offer stronger access control, audit trails, and encryption options tailored for business environments. Even mainstream alternatives like LastPass (once widely used) have lost trust following a high-profile security breach in 2022, which saw attackers steal encrypted vault data. This has left many in the industry sceptical of relying solely on browser-integrated tools for credential storage.

As a result, it seems that IT teams now face a more difficult decision. Microsoft’s advice to migrate to Edge may be convenient, but it is unlikely to satisfy organisations with strict compliance policies, high-value systems, or users working across multiple platforms. For many, this change serves as a prompt to reassess their overall password and identity management strategy—and not simply swap one tool for another.

Also, not all users or organisations are ready for a passwordless future. Adoption of passkeys remains patchy, and migrating authentication systems requires time, budget, and user training. For small businesses or non-technical users, these changes may be frustratingly complex.

Microsoft appears to be aware of these challenges but remains committed to the transition. As the company put it, “The password era is ending”—and with password-based attacks continuing to rise, the shift may be less about convenience and more about survival.

What Does This Mean For Your Business?

The next few months may be critical for users and organisations who rely on Microsoft Authenticator for password storage. While the company has made its intentions clear and set out a defined timeline, the practical implications are not quite so straightforward. Users will need to act quickly to export their credentials, and those choosing to remain within Microsoft’s ecosystem will need to familiarise themselves with Edge’s autofill features. For many, this will simply be a matter of adjustment. However, for others, particularly in business environments where systems, devices and browsers vary, the change raises more complex operational and security considerations.

For businesses, the impact could be significant. Many will now be forced to re-evaluate how they manage shared logins, administrative access and compliance-sensitive credentials. Microsoft’s preference for its own browser may not align with existing IT policies, particularly in organisations where Chrome or Safari is the standard. Also, while Microsoft promotes Edge as a secure alternative, longstanding guidance from many managed service providers in the UK still discourages storing passwords in any browser. Instead, tools such as Keeper, among others, favoured by many MSPs for their advanced controls and business-grade encryption, are often recommended as more robust alternatives.

At the same time, Microsoft’s strategy seems to reflect a wider shift that is now shaping the security landscape. Passwords have long been a weak point, and with attack volumes rising year on year, the company’s decision to pivot towards passkeys is consistent with broader industry trends. However, the reality is that many businesses, especially smaller ones, are not yet equipped to make this leap. Compatibility gaps, legacy systems, and limited resources all present barriers to adoption. Without careful planning and communication, the risk is that essential authentication processes could be disrupted or improperly migrated.

What’s clear in all this is that Microsoft is pushing ahead regardless. By retiring password storage from Authenticator and tying remaining functionality to Edge and passkeys, the company is accelerating a shift that many see as inevitable. Whether this benefits users in the short term may depend less on Microsoft’s vision and more on how quickly organisations can respond, adapt and put the right alternatives in place. For now, IT teams will need to weigh the convenience of Microsoft’s path against the operational demands and risks that come with changing how people log in.
