2024 is approaching fast with a ton of new features on the horizon, and one of my most anticipated features in Entra ID should arrive already in January 2024: Support for passkeys in Entra ID.

What is a passkey?

A passkey is a token which is stored on a device and never leaves the device it is created on, with the purpose of replacing the use of passwords. The passkey works as an asymmetric cryptography key, with the private key stored securely on the device and the public key is used to authenticate a login request. The login will require that the person “toggles” the private key, i.e. confirms his identity with either a PIN or biometric (facial ID/fingerprint).

Example of a FIDO2 key, screengrab from Yubico.

It is very similar to and works almost identical as a FIDO2 USB-key (like on the screenshot above), but a passkey is software-based while the FIDO2 key is a physical device inserted into a USB port. A passkey is bound to a specific device AND requires PIN/biometric, so unlike passwords, passkeys can’t be simply guessed/hacked and then reused by an attacker at his/her leisure. You must have both the physical device where the passkey is stored and the PIN or biometric (where obviously biometric is far more secure than a PIN).

Simple demo of passkeys

Passkeys isn’t a new technology and is already supported by all major OS’es and web-browsers. So since I can’t demo passkeys in Entra ID yet, I can demonstrate it using github.com.

• I’m currently on a deice with a passkey for github.com already set up
• So opening my browser and navigating to github.com, I have the option to simply select to log in with a passkey.

• The passkey on my device is found and I’m asked if I want to use it.
• If I try using this method on another device, it passkey won’t exist and the login attempt will fail, suggesting another login method.

• I click “Continue” and as mentioned in the screenshot above, it will use Windows Hello to verify my identity, in this case facial ID with my webcam

• Then I just select “Continue” and I’m logged in.

NOTE: This demo is for github.com and we currently don’t know how similar this experience will be with what comes with passkeys in Entra ID, but it should be close enough to give you an idea on how it works for the end-user.

Passkeys in Entra ID

So, coming January 2024, Entra ID will be updated with the possibility to set up passkeys. Under Authentication methods –> Policies –> FIDO2

Here a new tab will appear to set up Passkeys for your users.

This will hopefully have a huge potential to move more users over to a password-free environment, and nothing would please me more if this happens. There are still a lot of details missing around this implementation and I’m particularly curious on how Microsoft solves the task of deploying and setting up passkeys for end users. But if they come up with a good way to deploy it, this has an amazing potential without the need of buying large amounts of physical FIDO2 keys which can be easily lost. A specific use-case in my mind is elementary school where kids as young as 6 years may have an Entra ID account which should be secured. Perhaps this will solve this challenge, perhaps not.

Until next time, take care