Microsoft report reveals that 4000 password attacks are happening every second (i.e., more than 300 million per day). How terrific!? Amidst all these attacks, going passwordless becomes a stronger solution.
Ever imagined a world without passwords? Looks interesting, right? Thus, passwordless authentication is essential to prevent password attacks. Basically, there are four passwordless options integrated with Microsoft Entra ID (i.e., Windows Hello for Business, Microsoft Authenticator, FIDO2 security keys, and Certificate-based authentication).
When Microsoft introduced passwordless authentication methods, they saw a drastic change in customers who started adopting passwordless logins. In 2022, Microsoft introduced passkeys, a passwordless authentication method in partnership with the FIDO alliance, Apple, and Google.
Did you know how Microsoft 365 passkeys become phishing-resistant authentication methods and protect user identities? Let’s dive into its detail.
What are Passkeys in Microsoft 365?
Microsoft 365 passkeys is a passwordless, multi-factor, and phishing-resistant authentication method that uses private key and public key pairs to grant you secured access. It eliminates the usage of passwords and relies only on biometrics (Face ID or Fingerprint) or Device PIN. Passkeys can be synced across devices.
Once the device generates the pair of keys, the private key is stored in the device itself, and the public key will be registered with the respective website or application.
For example, in Windows, the private key is stored in Windows Hello.
Microsoft supports device-bound passkeys (i.e., passkeys stored on FIDO2 security keys and Windows Hello for Business). These passkeys won’t leave that device. However, Microsoft announced that beginning January 2024, MS Entra supports device-bound passkeys stored on computers and mobile devices as an authentication method in public preview.
How Microsoft 365 Passkeys Secure User Authentication?
Microsoft has seen nearly 6000 MFA fatigue attacks per day and approximately 10K password entries into malicious sites per month. This is truly devastating! To overcome these low-security authentication methods, passkeys are introduced. Passkeys are multi-factored by design, and they protect users from harmful phishing attacks.
When a passkey is created, it will be associated only with the trusted domain of the website that it is registered with.
For example, if a malicious actor tries to navigate the user to Con1oso.com instead of Contoso.com, a legitimate site. Users may inadvertently be redirected without noticing the site address properly. But passkeys will not process authentication as the site is different from the registered one.
This is how passkeys protect users from phishing attacks.
How to Configure Passkeys in Microsoft 365?
Let’s see how passkeys are configured with the Microsoft Authenticator app. Imagine an admin who enables passkey for users through authentication policy in Entra ID. Now, if a user is trying to sign in to their account, he/she follows the below steps to configure passkeys.
- Download the Microsoft Authenticator app to register for phishing-resistant authentication.
- Add the Microsoft Work or School account. Consider the admin has provided a Temporary Access Pass (TAP), and the user entered it to log in.
- Then, all the policies assigned to that user are analyzed, and if passkeys are enabled, the user will be redirected to the passkey creation process.
- The user needs to configure their Face recognition, Fingerprint, Device pin, or security key, and that’s it.
Then, the passkey will be successfully configured and stored.
How to Sign in With Microsoft 365 Passkeys?
Upon successful configuration of passkeys on your device, you will experience a more secure sign-in than before.
- Navigate to the Microsoft 365 login portal in a browser on a Windows device.
Enter your username and click Next. - Windows Hello will be prompted and ask for your biometrics (Face ID, Fingerprint, or Device PIN).
Once the biometrics are verified successfully, you will be able to log in to your account.
Points to Remeber:
Passkeys are supported only on the following devices and browsers.
Devices:
- Windows 10 and newer
- macOS Ventura and newer
- ChromeOS 109 and newer.
- iOS 16 and newer.
- Android 9 and newer.
- Hardware security keys that support FIDO2 protocol.
Browsers:
- Microsoft Edge 109 or newer.
- Safari 16 or newer.
- Chrome 109 or newer.
How Cross Device Authentication Works With Passkeys?
Do you believe that a passkey stored on one device is used to sign in on another device? Yes, users are protected from phishing attacks during cross-device authentication. Till now, we have seen how passkeys work when signing in on the same device in which it is stored (device-bound passkeys).
Now, consider your passkey is stored on your mobile, and you want to sign in on your desktop.
- To link these two devices together for authentication, a QR code is generated on the desktop to which you want to sign in.
- Once the user scans the QR code in the mobile device (which has a passkey stored), the authentication is prompted by asking for the user’s facial recognition, fingerprint, device pin, or security key.
- After the successful verification, the user can log in to their account on the desktop device.
Remember that during this process, a proximity check takes place to ensure that the passkey is used for authenticating only a linked device that’s nearby. Thus, users will be protected from phishing attacks efficiently.
Advantages of Using Passkeys in Microsoft 365
- Passkey is a FIDO2 credential that can be stored on various devices like security keys, computers, and mobile phones.
- Signing in with a passkey is simpler, faster, and more secure, as you don’t need to remember it.
- Passkeys don’t require other sign-in challenges to make the authentication process more convenient.
- As passkeys are unique to each website or application, it prevents their reuse and provides secure authentication.
- Passkeys supports cross-device and cross-platform authentication to prevent phishing attacks on devices other than the one in which it is stored.
- As passkeys use your biometric alone, it prevents password spray attack, MFA fatigue, and phishing attacks.
Demerits of Using Microsoft 365 Passkeys
- Some passkeys can sync across devices. These are backed up to consumer clouds, where there are only limited admin controls for governance.
- Users can share the synced passkeys with others. It might go into the wrong hands and affect organization security.
I hope this blog helps you understand how passkeys secure your tenant and why passwordless authentication is essential for every organization. Drop your queries in the comment section. Happy securing!
