Microsoft adds passkey support for Entra ID


Microsoft will make passkey authentication available to organisations that use Entra ID and have users signing in from Windows devices, starting with a public preview this month.



This includes managed, personal, and shared PCs, Microsoft said.

Passkeys are a phishing-resistant authentication credential that replace passwords by using public key cryptography tied to a specific device or platform.

When a user registers a passkey with a service, the device generates a cryptographic key pair: the public key is stored on the server, while the private key never leaves the device and is protected by the device’s secure enclave.

To authenticate, the user verifies their identity locally using a biometric such as a fingerprint or face scan, or PIN, and the device signs a challenge from the server using the private key, which the server then verifies against the stored public key.

In this case, it would be using Windows Hello facial recognition, fingerprint scanning, or a PIN to authenticate.

Because no shared secret is transmitted or stored server-side, passkeys are immune to credential stuffing, password spraying, and phishing attacks that intercept or steal passwords. They are built on the industry FIDO2/WebAuthn standard, which is considered very secure.

Administrators who wish to participate in the pilot can enable Entra passkeys for the public preview through Authentication Methods policies.

The authentication method will enter public preview mid-March, lasting until late April this year.

Worldwide general availability is scheduled after that date.
