What are Passkeys?
At their core, Passkeys are a modern, highly secure, and user-friendly replacement for passwords. They are built upon the WebAuthn (Web Authentication) standard and the FIDO Alliance’s Client to Authenticator Protocol (CTAP).
Think of them as the next evolution of FIDO2 security keys, but designed for broader usability and syncing across devices.
Instead of a user remembering a secret (password), a Passkey relies on public-key cryptography:
Key Pair Generation:
- Private Key: Stored securely on your device within a secure element. The private key never leaves your device.
- Public Key: Sent to and stored by the service (Entra ID) and associated with your user account.
Authentication:
- Entra ID sends a challenge to your browser/OS.
- Your browser/OS prompts you to use your Passkey.
- You unlock the private key using your device’s screen lock method (e.g., Face ID, Windows Hello).
- The device signs the challenge.
- The signed challenge is sent to Entra ID, which verifies it using the stored public key.
How Passkeys Work Specifically in Entra ID
Enablement (Admin Task):
Admins must enable FIDO2 security keys / Passkeys in the Entra ID portal (Authentication Methods Policy).
User Registration:
- Visit https://aka.ms/mysecurityinfo
- Choose “Add sign-in method” and select “Passkey (preview)” or “Security key”
- Choose where to save the Passkey:
  - Synced Passkey: Uses phone/laptop and syncs via iCloud, Google, etc.
  - Device-Bound Passkey: Uses a physical hardware key like a YubiKey.
- Authenticate to your device to generate the key pair and register with Entra ID.
User Authentication:
- Visit a Microsoft sign-in page.
- Enter username and choose “Sign in with a passkey”.
- Authenticate with your Passkey using biometrics or PIN.
- Entra ID sends a challenge; your device signs it and sends it back.
- Entra ID verifies the signature and grants access.
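The challenge, sign and verify steps from the two lists above, as an added Go example that is not from this article or from Microsoft: the relying-party ID, origin and challenge are constructed placeholders, and the verifier checks the browser-reported origin and the RP ID hash before the ECDSA signature, which is what stops a lookalike site from completing the sign-in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed relying-party values for this example; Entra ID has its own RP ID and origin.
const rpID, rpOrigin = "login.example.com", "https://login.example.com"
// signedMessage is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}
// verifyAssertion plays Entra ID's role: check type, challenge, origin and RP ID hash, then the signature.
func verifyAssertion(pub *ecdsa.PublicKey, challenge string, authData, cdj, sig []byte) error {
	cd := map[string]string{}
	if err := json.Unmarshal(cdj, &cd); err != nil || cd["type"] != "webauthn.get" || cd["challenge"] != challenge {
		return fmt.Errorf("clientDataJSON malformed, or type/challenge mismatch")
	}
	if cd["origin"] != rpOrigin { // the browser fills in the real origin, so a lookalike site fails here
		return fmt.Errorf("origin %q does not match %q", cd["origin"], rpOrigin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(authData) < 37 || string(authData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, cdj), sig) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}
// runFlow simulates one sign-in with the origin the browser reports; only the genuine origin should pass.
func runFlow(browserOrigin string) error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key pair created at registration
	challenge := "constructed-random-challenge"                // a real server uses fresh random bytes
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP) || signCount=1
	cdj, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": browserOrigin})
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdj))
	return verifyAssertion(&priv.PublicKey, challenge, authData, cdj, sig)
}

func main() {
	fmt.Println("genuine origin:", runFlow(rpOrigin), "| lookalike origin:", runFlow("https://login-example.com"))
}
```

The private key never leaves runFlow's authenticator side; the server only ever holds the public key and the checks above.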
Benefits of Passkeys Over Traditional Passwordless Methods
| Feature | Passkeys (Synced/Discoverable) | Traditional FIDO2 Keys (Device-Bound) | Windows Hello for Business (WHfB) | Authenticator App (Passwordless Phone Sign-in) |
|---|---|---|---|---|
| Phishing Resistance | Highest | Highest | High | High |
| Usability/Convenience | Very High | Moderate | Very High | High |
| Cross-Device Sync | Yes | No | No | Yes |
| Cross-Platform | Yes | Yes | No | Yes |
| Need Separate Item? | No | Yes | No | No |
| Backup/Recovery | Managed by Platform | Difficult | Difficult | Good |
| Standardization | High | High | Moderate | Lower |
| Attack Surface | Relies on device/platform security | Isolated | TPM-backed | Phone/app security |
Key Advantages Summarized:
- Ultimate Phishing Resistance: Passkeys are tied to the website’s origin, so a passkey registered for the real site cannot be used to sign in on a lookalike phishing site.
- Superior User Experience: Device unlock methods are faster than typing passwords or using codes.
- Cross-Device Availability: Passkeys sync across devices via platforms like iCloud or Google.
- No Shared Secret: No password or hash is stored server-side — only the public key.
- Reduced Friction: No more password resets, complexity rules, or rotation policies.
- Strong Standardization: Based on open standards for broad compatibility.
In essence: Passkeys combine FIDO2-level security with a streamlined user experience, cross-device syncing, and deep platform integration — making them ideal for secure, passwordless authentication in Entra ID and beyond.