Microsoft is implementing a significant change to its account authentication system starting February 2025. Under the new system, users stay signed in across sessions unless they sign out explicitly.

To better understand the change, it is necessary to look at how sign ins are handled currently by Microsoft. When you sign in to a Microsoft account in a web browser, a "stay signed in" prompt is displayed after you provide username, password, and the optional two-factor authentication verification.

Tip: check out our review of the best authenticator apps for Android and iOS.

When you decline, you stay signed in for the session only. When you accept it, you stay signed in even across sessions. This prompt is going away starting in February.

Here are the details:

• The change affects all Microsoft services, including Outlook, OneDrive, Microsoft 365, and other services and products that support login.
• A new global sign out option is available.

Security implications

While the change may look minor on first glance, it may have serious consequences on shared or public computer systems.

Here, it is necessary to sign out explicitly, as the next user may access the Microsoft account and linked services otherwise.

One way around this is to use a browser's private browsing mode on shared or public computer systems. Sign ins and any other activity is only kept for the browsing session. Once you close the browser, all data, including Microsoft account data, is no longer available.

Microsoft even suggests to use private browsing on devices that you do not own on the sign in page.

Best option remains to avoid signing in to any service on computers or devices that you do not have full control over.

The Global sign out option

Microsoft customers who forget to sign out on systems that others have access to may trigger a global sign out to force a sign out on all systems.

Here is how that works:

1. Open this Microsoft support page.
2. Select the "sign in" button on the page. A new page opens that asks you to sign in, if you have not already.
3. Scroll down on the additional security options webpage until you get to the sign out everywhere section.
4. Activate the sign out everywhere link.
5. Confirm the prompt by selecting "sign out".

Microsoft notes that this may take up to 24 hours. In other words, there is a 24 hour window in which others may still access Microsoft account related services on other devices.

Closing Words

The change impacts mostly Microsoft customers who sign in to their accounts on public or shared devices. Others may also be impacted, but to a lesser degree.

What is your take on the change? How do you handle sign ins on the Web? Feel free to leave a comment down below.