Passkeys in Microsoft Entra ID. What is it and why adopt it

In this article we will discover what passkeys in Microsoft Entra ID are, why they matter and what to know before adopting them.

For years, we tried to fix passwords: complexity rules, rotation policies, MFA, smart lockout, “almost passwordless” experiences. And yet, passwords are still the weakest link in identity security.

Passkeys are not an evolution of passwords, they are a fundamental change in the authentication model.


Why passwords are no longer defensible

Even when combined with MFA, passwords remain the weakest part of the authentication process. They are phishable, often reused, vulnerable to malware and token theft, and they are also a burden for helpdesks.

Passkeys are designed to remove shared secrets entirely.


What passkeys are

Passkeys help prevent remote phishing by replacing phishable methods like passwords, SMS and email codes. Built on FIDO (Fast Identity Online) standards, passkeys use origin-bound public key cryptography, ensuring credentials can’t be replayed or shared with malicious actors.

Passkeys provide strong authentication and can serve as a multifactor authentication (MFA) method when combined with device biometrics or a PIN. They also provide verifier impersonation resistance, ensuring that secrets are only released to the Relying Party (RP) the passkey was registered with.

Types of Passkeys

  • Device-bound passkeys: The private key is created and stored on a single physical device and never leaves it. This type of passkey is stored in apps like Microsoft Authenticator or on FIDO2 security keys.
  • Synced passkeys: The private key is stored in a passkey provider’s cloud (Google authenticator etc.) and synced across devices.

Synced passkeys cannot be used for attestation. Attestation verifies the authenticity of the passkey provider or device during registration; it is used to verify device provenance.


How it works

  1. A device generates a key pair, public and private
  2. The private key stays on the device and never leaves it
  3. The public key is sent and registered in Microsoft Entra ID
  4. Authentication happens by signing a challenge

There is nothing to steal, nothing to reuse, and nothing to intercept.

To see how it works in detail, wait for my next article 😉


Why implement passkeys

Passwords fail for structural reasons, not because users behave badly. Even with training and MFA, passwords can be phished, reused, shared or stolen.

Attackers don’t need to break encryption; they just trick users into giving secrets away.

Passkeys eliminate this entire class of attacks because there is no secret to steal and nothing the user can be tricked into typing.

This is why passkeys are being adopted across the industry:
they remove the attack surface, instead of trying to protect it.

Phishing resistant by design

A passkey is bound to a specific domain, service and application context. If a user lands on a fake login page, the browser won’t present the passkey, so the authentication challenge fails and the attack fails with it.


Choose the right passkey type

FIDO2 security keys are recommended for highly regulated industries or for users with elevated privileges. They provide strong security, but can increase equipment costs. Another option for this type of passkey (device-bound) is to use the Microsoft Authenticator app.

Synced passkeys can be a convenient and low-cost alternative for users outside highly regulated environments. Apple and Google have implemented advanced protections for passkeys stored in their clouds.

You can also combine both types of passkeys in your environment, using FIDO2 security keys or the Microsoft Authenticator app for users with access to sensitive data or with elevated privileges, and synced passkeys for regular users.


Final thoughts

Passkeys in Microsoft Entra ID are not an additional authentication option. They are a replacement for passwords.

They remove the weakest link in identity security by design, not by policy.

Organizations that adopt passkeys gain stronger security and better user experience.

For more details, see the Microsoft documentation about passkeys.
