
On April 11, 2024, Microsoft launched a public preview that allows device-bound passkeys, stored in the Microsoft Authenticator app, to be used for sign-in to Microsoft 365 services and Microsoft Entra ID. This is a significant step forward for phishing-resistant authentication.
In this post, we'll look at what passkeys are, what they offer, which prerequisites apply, and how to configure them in Entra ID. We'll also walk through the user journey of creating a passkey and signing in with it.
- What are passkeys and how do they work?
- What are the advantages of passkeys over conventional passwords and other MFA methods?
- What are the prerequisites?
- How do I configure Entra ID to support passkeys?
- What does the user experience look like?
- Conclusion
What are passkeys and how do they work?
Passkeys are a way to sign in to an online account without a password. A passkey is a cryptographic key pair that is unique to one account and, for device-bound passkeys, to one device; using it requires unlocking that device with a local gesture such as a fingerprint, a face scan or the device PIN. Passkeys are phishing-resistant because they are built on Fast Identity Online (FIDO2/WebAuthn) authentication, in which the credential is bound to the site it was registered for. Because there is no shared secret, attacks that rely on stolen or reused passwords, such as credential stuffing, do not apply.
A passkey consists of two parts:
1. A public key, stored by the service (the relying party) together with a credential ID.
2. A private key, stored on our device (such as a smartphone, tablet, or laptop) and never sent anywhere.
The private key stays on the device; the service only ever holds the public key. When you sign in, the service sends a random challenge. After you unlock the device with the configured method (facial recognition, for example), the authenticator signs that challenge, together with the origin the browser is actually on, using the private key. The service verifies the signature with the stored public key. A valid signature proves possession of the private key without the key ever leaving the device, and because each challenge is fresh, a captured response cannot be replayed.

What are the advantages of passkeys over conventional passwords and other MFA methods?
#1 No passwords to store or remember: Users don't have to remember or type complex passwords. Because passkeys are based on public-key cryptography, the service stores no password, so there is nothing to steal from a breached password database and nothing to reuse elsewhere.
#2 Phishing-resistant: A passkey is bound to the relying party it was registered for; for Microsoft 365 / Entra ID that is login.microsoft.com. On a phishing site the browser presents the attacker's domain, so the authenticator has no matching passkey and the user is never prompted to sign in with it. Even if an attacker relayed the sign-in request, the signed data names the origin the browser was really on, so the service would reject the response.
#3 No additional hardware to carry: Compared with a physical FIDO2 security key, a passkey in Authenticator needs no separate device. The smartphone, tablet or laptop you already use, with its biometric sensor or PIN, acts as the authenticator.
#4 No additional costs: Since the smartphone serves as the passkey device, there is no need to purchase FIDO2 hardware keys or other hardware tokens.
#5 Support from major technology companies: Apple, Google and Microsoft already support passkeys, which promises broad adoption.
What are the prerequisites?
To activate Passkeys in Microsoft 365 / Microsoft Entra successfully through the Microsoft Authenticator app, you must fulfill the following requirements:
General prerequisites
- Microsoft Entra multifactor authentication (MFA): the target users must already be enabled for Microsoft Entra MFA.
- Devices that support passkey (FIDO2) authentication: passkeys are supported across the major scenarios on Windows, macOS, Android, and iOS.
- Bluetooth turned on: for cross-device sign-in (using the passkey on your smartphone to sign in on another device), both the smartphone and that device need Bluetooth enabled.
- Existing FIDO2 security keys: if your tenant already uses FIDO2 security keys, identify their AAGUIDs before you enable key restrictions and include them in the allowlist. Otherwise users lose access to the security keys they have already set up.
Android
- Android version 14 or later.
- Latest Microsoft Authenticator version for Android (6.2404.2229 or later).
- Enable Authenticator app as an “additional provider” in Settings > Passwords and accounts.
iOS
- iOS version 17 or later.
- Latest Microsoft Authenticator version for iOS (6.8.7 or later).
- Enable “AutoFill Passwords and Passkeys” and use Passwords and Passkeys from “Authenticator” in Settings > Passwords > Password Options.

How do I configure Entra ID to support passkeys?
- Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
- Browse to Protection > Authentication methods > Authentication method policy.
- Under the method FIDO2 security key, choose the target: All users, or Add groups to select specific groups.
- Save the configuration.
- Select the Configure tab and set the following:
| Setting | Configuration | Description |
|---|---|---|
| GENERAL | | |
| Allow self-service set up | Yes (Enabled) | Must be set to Yes. If set to No, users cannot register a passkey through My Security Info even when the method is enabled for them in the Authentication methods policy. |
| Enforce attestation | No (Disabled) | Attestation lets Entra ID verify that a FIDO2 security key model or passkey provider is genuine and comes from a reputable vendor. Passkeys in Microsoft Authenticator do not provide attestation in the public preview (support is planned for general availability), so this must currently be set to No. |
| KEY RESTRICTION POLICY | | |
| Enforce key restrictions | Yes (Enabled) | Restricts registration to specific security key models or passkey providers, identified by their AAGUID. |
| Restrict specific keys | Allow | Whether the AAGUID list is an allowlist or a blocklist; use Allow. |
| Add AAGUID | Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84; Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f; plus the AAGUIDs of all FIDO2 security keys already in use | Every permitted AAGUID goes here. If FIDO2 security keys are already registered in the tenant, their AAGUIDs must be included as well, or those keys stop working. |
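The same configuration expressed as a Microsoft Graph request, as an added example that is not part of the original post: the script builds the PATCH body for the fido2 authentication method configuration from the table above, merges the two Authenticator AAGUIDs into whatever allowlist the tenant already has, and refuses to produce a body that would lock out a key model users have already registered (the caveat from the prerequisites). The resource path and property names are those of Graph's fido2AuthenticationMethodConfiguration; the "current policy", the placeholder security-key AAGUIDs and the helper names are constructed for illustration. The request is only built, not sent.

```javascript
// AAGUIDs from the table above (Microsoft Authenticator, public preview).
const AUTHENTICATOR_AAGUIDS = {
  "Microsoft Authenticator (Android)": "de1e552d-db1d-4423-a619-566b625cdc84",
  "Microsoft Authenticator (iOS)": "90a3ccdf-635c-4729-a248-9b709135078f",
};

// Graph endpoint for the FIDO2 / passkey method configuration (v1.0).
const FIDO2_CONFIG_URL =
  "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2";

const AAGUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Lower-case and validate an AAGUID; a typo here silently blocks a key model.
function normalizeAaguid(value) {
  const v = String(value).trim().toLowerCase();
  if (!AAGUID_RE.test(v)) throw new Error(`invalid AAGUID: ${value}`);
  return v;
}

// Union of the AAGUIDs already allowed in the tenant and the ones being added.
function mergeAllowlist(currentAaguids, extraAaguids) {
  const merged = new Set(currentAaguids.map(normalizeAaguid));
  for (const g of extraAaguids) merged.add(normalizeAaguid(g));
  return [...merged].sort();
}

// AAGUIDs of keys users have already registered that the new allowlist would block.
function lockedOutAaguids(registeredKeyAaguids, allowlist) {
  const allowed = new Set(allowlist.map(normalizeAaguid));
  return [...new Set(registeredKeyAaguids.map(normalizeAaguid))].filter((g) => !allowed.has(g));
}

// Build the PATCH request. currentPolicy is the tenant's existing fido2 configuration
// (as returned by GET on the same URL); registeredKeyAaguids are the AAGUIDs of keys
// users already hold, e.g. collected from their registered authentication methods.
function buildFido2Patch(currentPolicy, registeredKeyAaguids) {
  const current = currentPolicy.keyRestrictions?.aaGuids ?? [];
  const aaGuids = mergeAllowlist(current, Object.values(AUTHENTICATOR_AAGUIDS));
  const lockedOut = lockedOutAaguids(registeredKeyAaguids, aaGuids);
  if (lockedOut.length) {
    throw new Error(`allowlist would block already-registered keys: ${lockedOut.join(", ")}`);
  }
  return {
    method: "PATCH",
    url: FIDO2_CONFIG_URL,
    body: {
      "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
      state: "enabled",
      isSelfServiceRegistrationEnabled: true, // "Allow self-service set up" = Yes
      isAttestationEnforced: false,           // preview: Authenticator passkeys carry no attestation yet
      keyRestrictions: { isEnforced: true, enforcementType: "allow", aaGuids },
    },
  };
}

// Constructed sample: a tenant that already allows one security-key model
// (placeholder AAGUID, not a real vendor value) with attestation enforced.
const EXISTING_KEY_AAGUID = "11111111-2222-3333-4444-555555555555";
const CURRENT_POLICY = {
  state: "enabled",
  isSelfServiceRegistrationEnabled: true,
  isAttestationEnforced: true,
  keyRestrictions: { isEnforced: true, enforcementType: "allow", aaGuids: [EXISTING_KEY_AAGUID] },
};

function demo() {
  // Happy path: the existing key model is kept alongside both Authenticator AAGUIDs.
  const ok = buildFido2Patch(CURRENT_POLICY, [EXISTING_KEY_AAGUID]);

  // Guard rail: users also hold a key model missing from the allowlist (placeholder AAGUID).
  let blocked = null;
  try {
    buildFido2Patch(CURRENT_POLICY, [EXISTING_KEY_AAGUID, "99999999-8888-7777-6666-555555555555"]);
  } catch (e) {
    blocked = e.message;
  }
  return { ok, blocked };
}
```

Sending the request needs a Graph token with the Policy.ReadWrite.AuthenticationMethod permission; the user or group targeting from the portal steps (includeTargets on the same resource) is left to the portal here. The useful part for an administrator is the lockout check: run it against the AAGUIDs of keys already registered in the tenant before applying the allowlist.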

What does the user experience look like?
Set up your passkey with Microsoft Authenticator on iOS / User experience
The demo video below shows how a passkey is set up on iOS in the Microsoft Authenticator app, assuming the prerequisites and the Entra ID configuration described above are in place.
Sign in to Microsoft 365 with your passkey on iOS / User experience
The demo video that follows shows a sign-in to Microsoft 365 services using the passkey created in the previous step.
Conclusion
Setting up and using passkeys in the public preview proved seamless and straightforward. The configuration was no harder than setting up the Authenticator app with push notifications. The subsequent sign-in, which involves scanning a QR code and confirming the passkey on the phone, was also very user-friendly.
It will take some time before all providers and services move to passkeys. Even so, passkeys clearly represent the future of secure and user-friendly authentication for Microsoft 365 / Entra ID services.
Given that they are currently among the most secure and user-friendly authentication methods available, it is worth starting initial tests now, preparing users for the transition and providing the necessary training. This groundwork ensures a smooth rollout when the time comes to move fully to passkeys.
Now I would be interested in your experience with passkeys. Did the first tests work properly for you? Feel free to ask me questions or share your personal experiences in the comments.