
Microsoft Entra Passkeys: Use Passkeys For Employees

Explore Microsoft Entra's (formerly Azure AD) transition to device-bound passkeys. Learn how this fits into Microsoft’s overall passkey strategy.

Vincent

Created: January 18, 2024

Updated: June 11, 2024


We believe that passkeys will make the Internet a safer place. That's why we aim to provide a systematic analysis of the passkey processes of different companies as they move towards a password-free world.

1. Passkey Rollout Starts with Device-Bound Passkeys

Microsoft, as one of the core members of the FIDO Alliance, is ushering in a new era with its introduction of device-bound passkeys in Microsoft Entra, formerly called Azure Active Directory (AD). This move reflects the general industry shift (e.g. Coinbase, Uber, Adobe) towards passkeys as a more secure, user-friendly authentication method. With it, the friction that other, traditional MFA methods cause in business scenarios could be overcome by the user-friendly login process of passkeys.

Before we dive into Microsoft Entra's specific passkey implementation and analysis, let's have a brief look at the different types of passkeys.

1.1 What Are Device-Bound Passkeys?

Device-bound passkeys, previously known as single-device passkeys, are FIDO2 discoverable credentials tied exclusively to a single authenticator / device. This authenticator / device could be integrated directly into devices running Windows 10 or Windows 11 (Windows Hello), macOS (Touch ID), iOS (Touch ID or Face ID), or Android (using the respective Android biometric solution of the device manufacturer). The essence of these passkeys is their binding to the authenticator / device, which bolsters security by ensuring that the private key of the passkey's key pair never leaves this device. However, recovery becomes much more complex, as there is no backup: most often you need a second authenticator / device that holds another device-bound passkey to regain access if the first authenticator / device is lost, stolen or broken.

1.2 What About Synced Passkeys at Microsoft?

While Microsoft has not officially announced support for synced (multi-device) passkeys, the anticipation is huge within the tech and passkeys community. Support for synced passkeys in Windows would mark a significant step in broadening the accessibility and convenience of passkey technology to the general public. Especially non-technical people could benefit greatly from synced passkeys due to simpler recovery. Since Windows holds the majority share of desktop operating systems (though it is losing market share to macOS in some regions), it would be the last puzzle piece to make passkeys a reality for billions of consumers and businesses alike.

1.3 Enforcing Physical Security Keys

Within Microsoft Entra, IT administrators have the option to enforce the use of hardware security keys (e.g. YubiKeys). Hardware security keys also adhere to FIDO2 protocols, but they are not bound to one platform and can be used across platforms (that's why they are called roaming or cross-platform authenticators). Alternatively, users will default to storing their passkeys directly on their devices using the built-in platform authenticators (e.g. Windows Hello, Face ID, Touch ID). Microsoft Entra offers the flexibility to manage this through settings, including the ability to whitelist or blacklist specific types of passkeys based on the AAGUID, which identifies the authenticator model a passkey was created on. This allows administrators to restrict the usage of passkeys to company-managed devices only.

1.4 Microsoft Entra Passkey Rollout Timeline

Starting January 2024, Microsoft Entra ID will preview device-bound passkeys as an authentication method, complementing existing support for hardware security keys (e.g. YubiKeys). This phased approach reflects Microsoft's cautious yet progressive strategy in rolling out new security features to a large audience.

Microsoft Entra Passkey Configuration

2. Transitioning from FIDO2 Security Keys to Passkeys

In accordance with this new strategic direction, the admin portal of Microsoft Entra is undergoing a transformation, rebranding "FIDO2 security keys" as "Passkeys (FIDO2)". This rebranding signifies more than just a change in name; it represents a broader alignment towards establishing passkeys as the new standard for login authentication across various platforms, devices, operating systems, and web browsers.

This latest development from Microsoft not only extends support to iOS and iPadOS for Microsoft 365 but also encompasses a wide range of Microsoft's own first-party applications and any other applications safeguarded with Entra ID. Initially, Microsoft introduced passkey support for Safari in July 2023, which was a significant enhancement. However, the majority of customers were eagerly anticipating support for native apps. Now, with Microsoft's latest announcement, users can enjoy a comprehensive experience on their mobile devices, enabling them to sign in to both web applications and native apps using a YubiKey.

3. Enhancing the End-User Experience

It's obvious that Microsoft prioritizes user experience in the transition to passkeys. This means that end-users will notice changes in both the sign-up and the login process.

3.1 Entra Passkey Sign-Up Experience

The "My Security Info" portal will introduce a new option labeled "Passkey (preview)" for registering device-bound passkeys on various devices. This option is set to replace the existing security key sign-up by the end of 2024.

3.2 Entra Passkey Login Experience

The login interface will be updated to reflect this change. Today there are phrases like

These will evolve to phrases like

  • Face, fingerprint, PIN, or security key
  • Signing in with a passkey

In the enhanced sign-in experience, the term passkey will be used to encompass passkey credentials from security keys, computers, and mobile devices, promoting inclusivity.

4. Strategy Behind Microsoft Entra's Passkey Integration

Microsoft's careful rollout of passkey support in Entra is a calculated move. Following the adoption of passkeys by its subsidiaries like Microsoft 365, LinkedIn, and GitHub, this integration marks the next significant step. The game-changer will be the eventual introduction of passkey synchronization via Microsoft cloud accounts, enhancing user experience and backup security. A specific date for this cloud account synchronization has not been announced yet.

Another key consideration is the compatibility of passkeys with different Windows versions. While Windows 11 23H2 has improved passkey capabilities, including a new passkey management UI, questions remain about older versions like Windows 10 (21H2) and their support for discoverable credentials. A potential strategy could be backporting to ensure broader support.

5. Update May 2024: Preview for Microsoft Entra Passkeys has been released

In May 2024, Microsoft finally released the preview update for Microsoft Entra, introducing the capability to use the Microsoft Authenticator app on Android and iOS as a passkey provider for device-bound passkeys.

The rationale behind this implementation is tailored specifically to working and enterprise environments. In these managed settings, the priority is to ensure that the passkey remains secure and bound to the device. Synced passkeys, while convenient, pose a higher risk in such environments due to the potential for broader access. By utilizing the Microsoft Authenticator app as a passkey manager, the private keys are securely stored within the app, ensuring that they are removed upon reinstallation, thus maintaining a high level of security.

This strategic choice reflects Microsoft's commitment to providing robust security solutions tailored to the needs of enterprise users, balancing the benefits of modern passkey technology with the stringent security requirements of managed environments. Microsoft has released detailed instructions on how to use passkeys with Entra:

  • How to activate passkeys for Entra: To activate passkeys in Microsoft Entra, sign in to the Entra admin center as an Authentication Policy Administrator. Go to Protection > Authentication methods > Authentication method policy. Under FIDO2 security key, select all users or specific groups. Allow self-service setup, disable attestation enforcement, and enable key restrictions. Add the Authenticator app AAGUIDs for Android (de1e552d-db1d-4423-a619-566b625cdc84) and iOS (90a3ccdf-635c-4729-a248-9b709135078f). Save the changes. A detailed step-by-step guide can be found here; it walks through the configuration until it is done:

Microsoft Entra configuration

  • How to configure an iOS or Android device for Entra passkeys:
    • For iOS: Open the Authenticator app, add a work or school account, sign in, complete MFA, and enable Authenticator as a passkey provider in the device settings. Third-party passkey providers are only supported on iOS 17 and above.
    • For Android: Open the Authenticator app, add a work or school account, sign in, complete MFA, and follow the on-screen prompts to enable passkeys. Third-party passkey providers are only supported on Android 14 and above.
    • A detailed step-by-step guide can be found here.

Overall, the implementation is straightforward within the concept of a closed device system. We expect that in the future, when the passkey ecosystem itself supports implementing the device-bound keys (e.g. supplementalPubKeys), the implementation might change. Another possibility would be to leverage attestation that is available for managed iOS devices via enterprise attestation.
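The two policy levers this article keeps returning to, the AAGUID-based key restrictions of section 1.3 and the concrete Authenticator-app AAGUIDs of section 5, and the device-bound versus synced distinction of sections 1.1 and 1.2, are all decided from the authenticator data a relying party receives at registration. The following is an added example, not code from Microsoft or from the article's author, that shows how a relying party reads that structure: it parses the WebAuthn authenticator data, extracts the AAGUID and applies an allowlist made of the two AAGUIDs quoted above, and reads the backup-eligible (BE) and backup-state (BS) flags that distinguish a device-bound credential from a synced one (the flag reading goes slightly beyond what the article states, but follows the WebAuthn specification). It uses only the Python standard library; the relying-party ID "example.com", the credential IDs and the sample authenticator data are constructed for the demonstration, and `evaluate_registration` is a simplified illustration of such a policy, not Entra's implementation.

```python
import hashlib
import struct
import uuid

# Flag bits of the authenticator data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up
FLAG_AT = 0x40  # attested credential data (AAGUID, credential id, key) is present

# AAGUIDs the article's Entra configuration adds to the key-restriction list.
AUTHENTICATOR_ANDROID = uuid.UUID("de1e552d-db1d-4423-a619-566b625cdc84")
AUTHENTICATOR_IOS = uuid.UUID("90a3ccdf-635c-4729-a248-9b709135078f")
ALLOWED_AAGUIDS = {AUTHENTICATOR_ANDROID, AUTHENTICATOR_IOS}
# All-zero AAGUID: what a client reports when the authenticator is not identified
# (e.g. attestation conveyance "none"), so it can never match an allowlist entry.
ZERO_AAGUID = uuid.UUID(int=0)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split registration authenticator data into its fields.

    Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) |
            attestedCredentialData: aaguid (16) | credIdLen (2) | credId | COSE key
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    result = {"rp_id_hash": auth_data[:32], "flags": flags,
              "sign_count": sign_count, "aaguid": None, "credential_id": None}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        result["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id_end = 55 + cred_id_len
        if len(auth_data) < cred_id_end:
            raise ValueError("credential id truncated")
        result["credential_id"] = auth_data[55:cred_id_end]
        # The COSE public key follows the credential id; this check does not need it.
    return result


def backup_class(flags: int) -> str:
    """Map the BE/BS flags to the passkey kinds discussed in the article."""
    if not flags & FLAG_BE:
        return "device-bound"
    return "synced" if flags & FLAG_BS else "backup-eligible"


def evaluate_registration(auth_data: bytes, allowed: set, attestation_verified: bool) -> tuple:
    """Apply an AAGUID allowlist plus a device-bound requirement (simplified policy).

    attestation_verified records whether the attestation statement was checked.
    If it was not (the article's guide disables attestation enforcement), the
    AAGUID is only self-reported by the client rather than cryptographically proven.
    """
    parsed = parse_authenticator_data(auth_data)
    aaguid = parsed["aaguid"]
    if aaguid is None:
        return False, "no attested credential data present"
    if aaguid not in allowed:
        return False, f"aaguid {aaguid} not in allowlist"
    if backup_class(parsed["flags"]) != "device-bound":
        return False, "credential is backup-eligible, policy requires device-bound"
    basis = "attested" if attestation_verified else "self-reported (attestation not enforced)"
    return True, f"aaguid {aaguid} allowed, {basis}"


def build_authenticator_data(rp_id: str, flags: int, sign_count: int,
                             aaguid: uuid.UUID, credential_id: bytes) -> bytes:
    """Construct sample authenticator data for the demonstration (not real output)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    cose_key_stub = b"\xa0"  # constructed: empty CBOR map standing in for the COSE key
    attested = aaguid.bytes + struct.pack(">H", len(credential_id)) + credential_id + cose_key_stub
    return rp_id_hash + bytes([flags | FLAG_AT]) + struct.pack(">I", sign_count) + attested


if __name__ == "__main__":
    # Constructed registration from the iOS Authenticator app, device-bound, no attestation.
    sample = build_authenticator_data("example.com", FLAG_UP | FLAG_UV, 0,
                                      AUTHENTICATOR_IOS, b"\x01" * 16)
    print(evaluate_registration(sample, ALLOWED_AAGUIDS, attestation_verified=False))
```

The practical takeaway for an administrator following the section 5 guide is the `basis` string: with attestation enforcement disabled, the allowlist still filters on the AAGUID value, but that value is taken at face value from the registration response, whereas a verified attestation statement ties it to the authenticator's attestation certificate.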

6. Conclusion

Microsoft's integration of passkeys into Microsoft Entra represents a forward-thinking approach to digital security. By focusing on device-bound passkeys and preparing for future enhancements like synced passkeys, Microsoft is not only enhancing security but also user convenience. This careful rollout reflects a deep understanding of customer concerns and a commitment to gradual, secure technological evolution.

Microsoft is in a unique position within the passkey market. It serves a significant portion of the desktop market in both consumer and enterprise environments, with significant legacy installations. Therefore, Microsoft is forced to move slowly, respecting the wishes of large established enterprises. Apple and Android can move faster, as their user base is used to much faster update cycles, and their operating systems have been designed for the cloud era. We are excited to see when Microsoft will bring synced passkeys to Windows Hello closing the last gap.

If you want to stay updated about more passkey announcements in Microsoft Entra or other tools, feel free to join our passkeys community on Slack or subscribe to our passkeys Substack.
