Passkeys for Entra ID is still in development and has undergone some important changes since it entered public preview in April 2024. So I thought it was about time to do another breakdown of the changes since my last post in June.

Changes to phone settings (Android)

Now you no longer have to set Microsoft Authenticator as the default provider of passwords, passkeys and auto-fill on Android. This is a change I highly appreciate, because this means I can finally use auto-fill with my favorite password manager. Previously you had to select Microsoft Authenticator as the default provider in order to use passkeys, and that setting removed the ability for any other password manager to provide auto-fill of usernames, passwords etc. But, this change does however come with a cost for the end-user experience.

This is very important to keep in mind: When an end-user wants is setting up a new passkey, their phone will automatically suggest the default password provider. However the user has the option to select a different location to store the passkey. It’s crucial for the end-user to select the Microsoft Authenticator mobile app during this step. Choosing any other localtion will result in the passkey registration failing.

Above: Here Samsung Pass is the default provider for Passwords and passkeys, so the phone will suggest to store the passkey there. This will fail, so the end-user must first select “Save another way“.

Above: The end-user must then select Microsoft Authenticator app for the passkey.

Above: The end-user must then verify that the Microsoft Authenticator is selected, and can then proceed by taping “Create“.

Changes to the Authenticator mobile app

The mobile app also has a couple of changes.

When you open a passkey in the app, it clearly states the passkey is stored on this device only with a cloud symbol next to it, so perhaps passkeys will be transferable in the future? We also see the domain, which the passkey is bound to (Public key is domain-bound remember?).

There is also a QR code located on the bottom-right corner. This allows you to log in by scanning a QR code on the Entra ID login screen. Simply select “iPhone, iPad or Android device” to display the QR code. (Picture below) I think the primary use case for this feature is when you have the passkey stored in your authenticator app, and want to use it to logon a new device for the first time.

Still no support for storing passkeys directly on the device… or?

I’ve noticed that the roadmap Feature ID 182056 was updated late July, and I’m not sure this wording was there from before or not. Anyway, this can be interpreted as what I’ve been requested, loudly and clearly, for months now: My biggest criticism of Passkeys for Entra ID is the requirement to store the passkeys in the Authenticator mobile app on either Android or iOS, and this has some very serious consequences. I wrote about it in length in my previous post about passkeys so I won’t go through all of it again here.

Fingers crossed that this means we can store the passkey directly on our local device like our Windows 11 client for example.🤞

Conclusion August 2024

Passkey is without any doubt an amazing tool to bolster your identity security. It’s much safer than traditional password+number matching in the Authenticator app, and it is becoming more and more user friendly. I’ve said it before and I’ll say it again: Start testing this feature, it IS a big deal!

Passkeys for Entra ID is still in preview so expect more changes to come, but that is not an argument to sleep on this. My biggest drawback is still the lack of storing passkeys on the local device itself, but the updated roadmap with its wording, makes me cautiously optimistic.

Have you started to test out passkeys in Entra ID? If you haven’t yet, I strongly recommend that you do.

Thank you for reading!