Public preview: Expanding passkey support in Microsoft Entra ID
We really, really want to eliminate passwords. There’s really nothing anyone can do to make them better. As more users have adopted multifactor authentication (MFA), attackers have increased their use of Adversary-in-the-Middle (AitM) phishing and social engineering attacks, which trick people into revealing their credentials.
How can we defeat these attacks while making safe sign-in even easier? Passkeys!
A passkey is a strong, phishing-resistant authentication method you can use to sign in to any internet resource that supports the W3C WebAuthN standard. Passkeys represent the continuing evolution of the FIDO2 standard, which should be familiar to anyone who’s followed or joined the passwordless movement. We already support signing into Entra ID using a passkey hosted on a hardware security key and today, we’re delighted to announce additional support for passkeys. Specifically, we’re adding support for device-bound passkeys in the Microsoft Authenticator app on iOS and Android for customers with the strictest security requirements.
Before we describe the new capabilities we’re adding to Microsoft Authenticator, let’s review the basics of passkeys.
Passkeys neutralize phishing attempts
Passkeys provide high security assurance by applying public-private key cryptography and requiring direct interaction with the user. As I detailed in a previous blog, passkeys benefit from “Verifier Impersonation Resistance":
- URL-specific. The provisioning process for passkeys records the relying party’s URL, so the passkey will only work for sites with that same URL.
- Device-specific. The relying party will only grant access to the user if the passkey is synched, stored, or connected to the device from which they’re requesting access.
- User-specific. The user must prove they’re physically present during authentication, usually by performing a gesture on the device from which they’re requesting access.
Together, these characteristics make passkeys almost impossible to phish.
You can host passkeys on dedicated hardware security keys, phones, tablets, and laptops
Users can host their passkeys on dedicated hardware security keys (such as FIDO2 security keys) or on user devices such as phones, tablets, or PCs. Windows 10/11, iOS 17, and Android 14 are examples of user device platforms that support passkeys. Each supports signing in with a passkey hosted directly on the user device itself or by connecting to a nearby user device or security key that hosts the passkey, such as a mobile device within Bluetooth range, an NFC-enabled security key, or a USB security key plugged into the user device.
If your organization issues dedicated hardware security keys, you sign-in by inserting your key into the USB port or tapping it to the NFC scanner and perform the PIN or biometric verification it requires.
To sign-in using a passkey on a user device, simply scan your face or fingerprint with your device or enter your device PIN. It’s also simple to sign-in to an application on a separate device, such as a new phone or a PC. Point the camera of the device hosting your passkey at the QR code displayed on the separate device and use your passkey along with your biometric or PIN to sign in. You may have already followed this process by using an Android or iPhone to sign into services such as Amazon.com.
Passkeys may be device-bound or syncable
Depending on the scenario, you may prefer a device-bound passkey or a syncable passkey.
A device-bound passkey, as the name suggests, never leaves the device to which it’s issued. If you sign-in using a security key or Windows Hello, you’re using a device-bound passkey. By definition, you can’t back up or restore a device-bound passkey because during these operations the passkey would leave the hardware element. This restriction is important for organizations that must, sometimes by law, protect passkeys from any security vulnerabilities that could arise during synchronization and recovery.
While they offer strong security, dedicated hardware keys can be expensive to issue and manage. If you lose, replace, or destroy the dedicated device, you must provision a brand-new passkey on a new device. And since device-bound passkeys aren’t portable or recoverable, they increase friction for people trying to move away from passwords. To simplify the experience for users who don’t operate in highly regulated environments, the industry introduced support for syncable passkeys. You can back up and recover a syncable passkey, which makes it possible to share the same passkey between devices or to restore it if you lose or upgrade your device—there’s no need to provision a new one.
Syncable passkeys on user client devices are easy to use, easy to manage, and offer high security
Syncable passkeys on user devices are exciting because they address many of the toughest usability and recoverability challenges that have confronted organizations trying to move to passwordless, phishing-resistant authentication. Hosting the passkey on the user’s device means organizations don’t have to issue or manage a separate device, and syncing it among the user’s client devices and the cloud massively reduces the expense of recovering and reissuing device-bound keys. And on top of all this, replacing passwords with passkeys thwarts more than 99% of identity attacks.
We expect this combination of benefits will make syncable passkeys the best option for the vast majority of users and organizations. Android and iOS devices can host syncable passkeys today, and we’re working to add support in Windows by this fall. Our roadmap for 2024 includes support for both device-bound and syncable passkeys in Microsoft Entra ID and Microsoft consumer accounts. Stay tuned for further announcements later this year.
Device-bound passkeys in Microsoft Authenticator
Industry or governmental regulation, or other highly strict security policies, require that some enterprises and government agencies use device-bound passkeys for signing in to Microsoft Entra. This small fraction of organizations has strict requirements governing the recovery of lost credentials and for preventing employees from sharing credentials with anyone else. Nonetheless, these organizations also want the usability, manageability, and deployment benefits of storing passkeys on user-client devices such as mobile phones.
Advantages of hosting passkeys on a user device:
|
We know that device-bound keys are a must-have for many of our largest, most regulated and most security conscious customers. That’s why we’ve been collaborating with these customers, along with the broader FIDO community, to provide additional options. As part of this work, we’re adding support for device-bound passkeys in the Microsoft Authenticator app on iOS and Android. Instead of provisioning separate devices, high-security organizations can now configure Entra ID to let employees sign-in using their existing phone and their device-bound passkey. Users get a familiar phone interface, including biometrics or local lockscreen PIN or password, while their organizations meet strict security requirements because users can’t sync, share, or recover any device-bound passkey hosted in Microsoft Authenticator.
Organizations that use device-bound passkeys trade the benefit of large investments that vendors such as Google (see related article) and Apple (see related article) have made in creating high-security, self-service passkey recovery models for the benefit of meeting strict regulatory or security requirements. They become responsible for sharing and recovering device-bound passkeys, including those hosted in Microsoft Authenticator.
For detailed guidance on how to get started with device-bound passkeys hosted in Microsoft Authenticator, please refer to our documentation.
Microsoft’s commitment to passwordless authentication
Microsoft is continuing to enhance our support for passkey in products such as Entra, Windows, and Microsoft accounts. Please continue to send us feedback, so we can help you eliminate passwords from your environment forever.
Alex Weinert
VP Director of Identity Security, Microsoft
Learn more about Microsoft Entra:
- See recent Microsoft Entra blogs
- Dive into Microsoft Entra technical documentation
- Learn more at Azure Active Directory (Azure AD) rename to Microsoft Entra ID
- Join the conversation on the Microsoft Entra discussion space
- Learn more about Microsoft Security
Published on:
Learn more