Microsoft brings passkeys to Windows via Entra

🔺 Technologies | 2026-04-29, 08:23
Microsoft continues its shift toward passwordless authentication by introducing passkey support for Microsoft Entra on Windows devices.
Microsoft Entra is a cloud-based identity and access management platform, formerly known as Azure AD, used to control access to corporate and cloud services.
⚙️ How it works
Authentication is performed through Windows Hello, which acts as a local identity verification factor.
During registration, a cryptographic key pair is generated using the FIDO2 standard. The private key is stored on the device in secure hardware, such as a Trusted Platform Module (TPM), while the public key is sent to the service.
When signing in, the user confirms their identity via Windows Hello using facial recognition, a fingerprint, or a PIN. The system then unlocks the private key locally, which is used to cryptographically sign the authentication request. The key itself is never transmitted.
❓ Why Microsoft is moving away from passwords
Attackers can steal passwords through phishing and data breaches and reuse them across different services.
Passkeys address this by binding credentials to a specific device, validating the domain, and eliminating shared secrets. This makes them resistant to adversary-in-the-middle (AiTM) attacks and most modern account compromise techniques. Even if an attacker intercepts traffic, they cannot reproduce the authentication without access to the user's device and biometric verification.
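The sign-in flow and domain check described above, as an added example (not Microsoft's or Entra's code): a simplified FIDO2/WebAuthn assertion in Node.js, where the service checks the challenge, origin, RP ID hash, user-verification flags and signature. Host names, helper names and the software key are constructed for illustration; attestation and signature-counter policy are left out.

```javascript
// Added example, not Microsoft's code: simplified FIDO2/WebAuthn assertion check.
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Registration: key pair created on the device; only publicKey is sent to the service.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Device side (hypothetical helper). In a browser the origin is filled in by the
// browser, which also refuses an rpId that does not match the page's domain.
function signAssertion(origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const flags = Buffer.from([0x01 | 0x04]); // UP (user present) | UV (user verified)
  const signCount = Buffer.alloc(4);        // 32-bit signature counter, zero here
  const authenticatorData = Buffer.concat([sha256(rpId), flags, signCount]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData,
           signature: crypto.sign("sha256", signed, privateKey) };
}

// Service side: returns "ok" or the name of the first check that failed.
function verifyAssertion(a, expected, storedPublicKey) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== expected.challenge.toString("base64url")) return "challenge-mismatch";
  if (client.origin !== expected.origin) return "origin-mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpid-mismatch";
  if ((a.authenticatorData[32] & 0x05) !== 0x05) return "user-not-verified";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, storedPublicKey, a.signature) ? "ok" : "bad-signature";
}

function demo() {
  const rp = { origin: "https://login.example.test", rpId: "login.example.test" }; // constructed
  const expected = { ...rp, challenge: crypto.randomBytes(32) };
  const genuine = signAssertion(rp.origin, rp.rpId, expected.challenge);
  // Assertion produced on a lookalike origin (constructed placeholder), then relayed.
  const relayed = signAssertion("https://login.example-lookalike.test", rp.rpId, expected.challenge);
  // Editing the origin field after signing breaks the signature.
  const rewritten = { ...relayed, clientDataJSON: Buffer.from(
    relayed.clientDataJSON.toString("utf8").replace("example-lookalike", "example")) };
  return {
    genuine: verifyAssertion(genuine, expected, publicKey),
    relayed: verifyAssertion(relayed, expected, publicKey),
    rewritten: verifyAssertion(rewritten, expected, publicKey),
    staleChallenge: verifyAssertion(genuine, { ...rp, challenge: crypto.randomBytes(32) }, publicKey),
  };
}
console.log(demo());
```

The relayed assertion is rejected on the origin check, and rewriting the origin afterwards fails signature verification because the signature covers the hash of the client data.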