Introduction
Passwords are insecure, difficult to manage, and often the weakest link in IT security. Microsoft is pushing forward with passwordless authentication using Passkeys in Entra ID. But what exactly are Passkeys, how do they differ from FIDO2 security keys, and what role does Microsoft Authenticator play? In this article, we explore the benefits, drawbacks, and practical setup steps for using Passkeys in Microsoft 365.
By implementing Passkeys, organizations can enhance security, simplify the user experience, and reduce the risks associated with phishing and credential theft. Understanding how Passkeys function and how to deploy them effectively is crucial for IT administrators and security professionals.
What Are Passkeys?
Passkeys are FIDO2 (WebAuthn) credentials and let users sign in without a username and password. Each passkey is a cryptographic key pair created on a trusted authenticator: the private key never leaves that device (phone, laptop, or security key), while only the public key is registered with Microsoft Entra ID. At sign-in, Entra ID sends a random challenge, the authenticator signs it after verifying the user locally (biometrics or PIN), and the signature is bound to Microsoft's genuine sign-in domain, so it is worthless to any other site.
Simply put: Passkeys replace passwords with a secure, phishing-resistant authentication method using biometrics or a security key.
Passkeys remove the weaknesses of shared secrets. There is nothing for users to remember, and there is nothing reusable for attackers to steal: a phishing site receives a signature that is bound to the genuine sign-in domain and cannot be replayed, a keylogger captures at most a local PIN that is useless without the device, and credential stuffing fails because no password exists to be leaked and reused.
Retrieve Current Authentication Methods in Entra ID
For an overview of the authentication methods currently registered for your users, check out this article. It contains a PowerShell snippet that retrieves the registered authentication methods in one go.
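As an added example (not the snippet from the linked article), the following script builds a passkey inventory with the Microsoft Graph PowerShell SDK: for every user it lists the registered FIDO2 credentials (security keys and passkeys share the same method type) together with the authenticator model, AAGUID and attestation level, and separately lists the users who have no passkey at all. It assumes the Microsoft.Graph module is installed and that the signed-in admin can consent to the UserAuthenticationMethod.Read.All and User.Read.All delegated permissions; the CSV file name is an arbitrary choice.

```powershell
# Added example: inventory which users already have a passkey (FIDO2) registered
# and what kind it is, so a pilot group and the backup-method plan can be based
# on data rather than guesswork. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All', 'User.Read.All' -NoWelcome

$report = foreach ($user in Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled) {
    # fido2AuthenticationMethod covers hardware security keys and passkeys alike
    $passkeys = Get-MgUserAuthenticationFido2Method -UserId $user.Id -ErrorAction SilentlyContinue

    if (-not $passkeys) {
        # One row per user without any passkey, so they show up in the report too
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            AccountEnabled    = $user.AccountEnabled
            HasPasskey        = $false
            DisplayName       = $null
            Model             = $null
            AaGuid            = $null
            AttestationLevel  = $null
            Created           = $null
        }
        continue
    }

    foreach ($pk in $passkeys) {
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            AccountEnabled    = $user.AccountEnabled
            HasPasskey        = $true
            DisplayName       = $pk.DisplayName       # name the user gave the credential
            Model             = $pk.Model             # authenticator product reported at registration
            AaGuid            = $pk.AaGuid            # authenticator type; basis for key restrictions
            AttestationLevel  = $pk.AttestationLevel  # 'attested' or 'notAttested'
            Created           = $pk.CreatedDateTime
        }
    }
}

# Users still without a passkey are the ones a pilot or a rollout has to reach
$report | Where-Object { -not $_.HasPasskey -and $_.AccountEnabled } |
    Select-Object UserPrincipalName

# Full inventory on screen and as CSV (file name is an arbitrary choice)
$report | Sort-Object UserPrincipalName | Format-Table -AutoSize
$report | Export-Csv -Path .\passkey-inventory.csv -NoTypeInformation
```

The AaGuid column is the value you will later need if you want to restrict registration to specific authenticators, and AttestationLevel shows whether enforcing attestation in the policy would have rejected a credential that users already rely on.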
FIDO2 vs. Passkeys: What’s the Difference?
Feature | FIDO2 Security Key | Passkeys |
---|---|---|
Storage | External hardware (USB, NFC) | Built-in authenticator of a phone or laptop, Microsoft Authenticator, or a synced passkey provider (e.g. iCloud Keychain) |
Sign-in Method | PIN or fingerprint on the key + physical presence (touch) | Face, fingerprint, or device PIN (local user verification) |
Phishing Resistance | High | High (same FIDO2/WebAuthn protocol) |
Bound to one device? | Yes – the key holds the only copy, but it can be plugged into any computer | Device-bound passkeys (e.g. in Microsoft Authenticator) stay on one phone; synced passkeys follow the user's platform account across devices |
Use Cases | High-security enterprises, shared workstations, users without a smartphone | Broad adoption for users & businesses |
- Passkeys kept in a platform authenticator (Windows Hello, Touch ID, Android) or a synced passkey provider are more convenient than a separate security key: there is no extra hardware to buy, carry, or replace, and synced passkeys follow the user's platform account to new devices.
- Passkeys in Microsoft Authenticator are device-bound: they do not sync and live only on the phone they were created on. They can still be used on other computers, but through FIDO cross-device sign-in (QR code plus Bluetooth proximity), not by copying the key.
- Phishing resistance is identical for both, because both use the same FIDO2/WebAuthn protocol; the difference is where the private key lives and whether it can be copied.
Passkeys with Native Apps vs. Authenticator: Which Is Better?
Microsoft provides two main methods for using Passkeys in Entra ID:
1. Passkeys with platform authenticators (Windows Hello, macOS Touch ID, Android face or fingerprint unlock)
- Best for devices with built-in biometric authentication; the passkey is protected by the device's secure hardware (TPM, Secure Enclave).
- Works on Windows, macOS, iOS, and Android with a current browser.
- Minimal setup effort, as no additional app is required.
- Suitable for organizations looking for a frictionless user experience on managed devices.
2. Passkeys with Microsoft Authenticator
- Runs on iOS and Android phones with the Authenticator app; the passkey is device-bound to that phone and is protected by the phone's biometrics or PIN.
- Enables sign-in on other computers (a shared workstation, a kiosk) through FIDO cross-device authentication: the browser shows a QR code, the phone scans it and completes the sign-in after a Bluetooth proximity check.
- Ideal if the computer the user sits at has no usable platform authenticator.
- Gives IT one enrolment flow and one app to support across device types, and the Authenticator AAGUIDs can be allow-listed in the policy if only Authenticator passkeys should be accepted.
How to Set Up Passkeys in Entra ID and Microsoft Authenticator
Setting up Passkeys is straightforward. Here’s how to enable them for seamless authentication:
Setting Up Passkeys in Entra ID
- Sign in to the Microsoft Entra admin center.
- Navigate to Protection → Authentication methods → Policies.
- Open Passkey (FIDO2) and set the method to Enabled.
- Configure the policy: whether users may register themselves (self-service setup), whether attestation is enforced, and whether key restrictions (an AAGUID allow or block list) apply. FIDO2 security keys and device-bound passkeys in Microsoft Authenticator are all governed by this one policy.
- Assign the method to the relevant user groups (a pilot group first) and decide whether registration is required or optional.

You can configure it like this for a "soft" start:

This means users can add their own passkey; registration is not mandatory, and because neither attestation nor key restrictions are enforced, any passkey provider is accepted, for example the Passwords app on an iPhone or Microsoft Authenticator.
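The same "soft start" policy, set through Microsoft Graph PowerShell so it is repeatable and reviewable, followed by the stricter variant you would move to once the pilot is done. This is an added example, not configuration from the original article: the pilot group name "Passkey Pilot" and the `$enforceAllowList` switch are assumptions, and the two AAGUIDs are the values Microsoft documents for Authenticator on Android and iOS, which you should verify against the current Microsoft documentation before enforcing them. The admin needs the Policy.ReadWrite.AuthenticationMethod and Group.Read.All permissions.

```powershell
# Added example: the Passkey (FIDO2) authentication method policy via Graph.
# Same settings as the portal: state, self-service registration, attestation,
# key restrictions (AAGUID list) and the target groups.
function New-Fido2PolicyBody {
    param(
        [Parameter(Mandatory)] [string]   $GroupId,
        [string[]] $AllowedAaguids = @()   # empty list = no key restrictions (soft start)
    )
    @{
        '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
        state                            = 'enabled'
        isSelfServiceRegistrationEnabled = $true    # users may add a passkey themselves
        isAttestationEnforced            = $false   # accept authenticators that send no attestation
        keyRestrictions                  = @{
            isEnforced      = ($AllowedAaguids.Count -gt 0)
            enforcementType = 'allow'               # 'allow' = only listed AAGUIDs may register
            aaGuids         = $AllowedAaguids
        }
        includeTargets = @(
            # isRegistrationRequired = $false: optional for the pilot, not mandatory
            @{ targetType = 'group'; id = $GroupId; isRegistrationRequired = $false }
        )
    }
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'Group.Read.All' -NoWelcome

# Assumption: the pilot group is looked up by display name; replace with your own.
$pilot = Get-MgGroup -Filter "displayName eq 'Passkey Pilot'" | Select-Object -First 1
if (-not $pilot) { throw "Pilot group not found" }

# Soft start: enabled, self-service on, no attestation, no AAGUID restrictions.
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Fido2' `
    -BodyParameter (New-Fido2PolicyBody -GroupId $pilot.Id)

# Hardened variant for later: only Microsoft Authenticator passkeys may be registered.
# Flip the switch once the pilot is over; credentials registered before the
# restriction stay usable, only new registrations are filtered.
$enforceAllowList = $false
$authenticatorAaguids = @(
    'de1e552d-db1d-4423-a619-566b625cdc84',  # Microsoft Authenticator for Android (verify in docs)
    '90a3ccdf-635c-4729-a248-9b709135078f'   # Microsoft Authenticator for iOS (verify in docs)
)
if ($enforceAllowList) {
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId 'Fido2' `
        -BodyParameter (New-Fido2PolicyBody -GroupId $pilot.Id -AllowedAaguids $authenticatorAaguids)
}

# Read the effective policy back; the FIDO2-specific fields are polymorphic and
# therefore land in AdditionalProperties.
$fido2 = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Fido2'
$fido2.State
$fido2.AdditionalProperties['isSelfServiceRegistrationEnabled']
$fido2.AdditionalProperties['isAttestationEnforced']
$fido2.AdditionalProperties['keyRestrictions']
```

Keeping the policy body in a function makes the difference between the two stages explicit: the only thing that changes is the AAGUID list, and `isEnforced` follows from whether that list is empty.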
Adding a Passkey to Microsoft Authenticator
- In a browser, sign in to your Entra account and open the My Security Info page, click "Add sign-in method" and select "Security key or Passkey".
- Choose the option for a phone / Microsoft Authenticator; a QR code is displayed.
- Open the Microsoft Authenticator app on your phone, select your account, choose Create Passkey and scan the QR code. Keep the phone close to the computer: the cross-device flow checks Bluetooth proximity.
- Confirm using Face ID, fingerprint, or device unlock.
- Your Passkey is now registered and can be used for authentication. Register a second method as well, because a device-bound passkey cannot be recovered if the phone is lost.
Signing in with a Passkey
Microsoft Entra ID allows users to sign in with a Passkey, offering a seamless passwordless experience. Follow these steps:
- On the Microsoft sign-in page, open Sign-in options and select the option to sign in with a passkey or security key instead of a password.
- If the passkey lives on the computer (Windows Hello, Touch ID), confirm with biometrics or PIN and you are done.
- If the passkey lives on your phone, select the phone / QR code option, scan the QR code with the phone (camera or Authenticator), keep the phone near the computer, and confirm with Face ID, fingerprint, or device unlock.
- Once authenticated, you are signed in to your Microsoft 365 account without a password; a passkey counts as multifactor authentication on its own, so no second prompt follows.
Below are screenshots demonstrating the process:
Pros and Cons of Passkeys in Microsoft 365
Advantages:
- Phishing-resistant: the private key never leaves the authenticator and the signature is bound to the genuine sign-in domain, so there is no password to expose or replay.
- Ease of use: no complex password management; sign-in is a biometric or PIN prompt.
- Cross-device support: works with phones, laptops, and hardware security keys, all under one policy.
- Direct Microsoft 365 integration: managed centrally in Entra ID and enforceable with Conditional Access authentication strengths.
Disadvantages:
- Device dependency: a device-bound passkey (security key, Authenticator) is gone with the device; without a second registered method the user is locked out until an admin issues a recovery method.
- Limited compatibility: legacy protocols and apps that do not use modern authentication cannot use passkeys, and older browsers or operating systems may lack platform authenticator support.
- Transition effort: organizations need to train users, update help-desk procedures (recovery, re-enrolment), and adjust authentication policies.
Best Practices for Businesses Implementing Passkeys
- Check device compatibility: ensure corporate devices support Passkeys or FIDO2 authentication (current OS and browser, TPM or Secure Enclave, Bluetooth for cross-device sign-in).
- Start with a pilot program: test with a small group before rolling out organization-wide, and use report-only Conditional Access to see who would be affected before enforcing anything.
- Plan a backup strategy: require at least two registered methods per user, and use a Temporary Access Pass for onboarding and for recovery after device loss, so that a password is never the fallback.
- Educate users: inform IT teams and employees about the benefits, the sign-in flow (QR code, Bluetooth proximity), and what to do when a device is lost.
- Adjust security policies: update MFA and Conditional Access rules, ideally by requiring the built-in "Phishing-resistant MFA" authentication strength for sensitive apps and privileged roles.
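Putting the last three points into practice, here is an added example (not from the original article) of a Conditional Access policy that requires the built-in "Phishing-resistant MFA" authentication strength for the pilot group, created in report-only mode so the sign-in logs show who would have been blocked before anything is enforced. The group names "Passkey Pilot" and "Break Glass Accounts" are assumptions; the emergency-access exclusion is there so a lost phone can never lock the tenant's last admin out. The admin needs the Policy.ReadWrite.ConditionalAccess, Policy.Read.All and Group.Read.All permissions.

```powershell
# Added example: Conditional Access policy requiring phishing-resistant MFA
# (passkeys, FIDO2 security keys, Windows Hello for Business, certificate-based
# auth) for a pilot group, in report-only mode first.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All' -NoWelcome

# Assumption: groups are looked up by display name; replace with your own.
$pilot      = Get-MgGroup -Filter "displayName eq 'Passkey Pilot'"        | Select-Object -First 1
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'" | Select-Object -First 1
if (-not $pilot -or -not $breakGlass) { throw "Pilot or break-glass group not found" }

# Resolve the built-in strength by name instead of hard-coding its ID, and fail
# loudly if it is not there (a custom tenant could have renamed nothing, but
# a typo in this script should not silently create a policy without a grant).
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw "Built-in authentication strength 'Phishing-resistant MFA' not found" }

$policy = @{
    displayName = 'Pilot: require phishing-resistant MFA (report-only)'
    # Report-only: evaluated and logged, not enforced. Switch to 'enabled'
    # after reviewing the "report-only" results in the sign-in logs.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilot.Id)
            excludeGroups = @($breakGlass.Id)   # emergency accounts never depend on a passkey
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Run the policy in report-only mode for a few days, check the sign-in logs for users and apps that would have failed the authentication strength (typically legacy clients or users who never registered a passkey), fix those, and only then change the state to enabled.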
Conclusion: Passkeys Are the Future – But Preparation Is Key
Microsoft Entra ID is paving the way for secure and user-friendly authentication with Passkeys. Organizations should evaluate how they can integrate Passkeys into their Microsoft 365 environment. With the right strategy, the transition can enhance both security and user experience.
Have questions or need help implementing Passkeys? Contact us for further guidance.