Ushering in a Passwordless Era: Why Microsoft Passkeys are the Future of Secure Logins

For years, passwords have served as the primary gatekeeper to our digital lives. However, their inherent vulnerabilities – susceptibility to phishing attacks, data breaches, and user negligence – have become increasingly evident. Enter Passkeys, a game-changing innovation poised to revolutionize login security and user convenience.

“Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant. Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.” – FIDO Alliance

Passkeys mark a significant departure from the traditional password paradigm. Instead of relying on memorizable strings, they use public-key cryptography, unlocked by biometrics or a PIN, to create a unique key pair for each website or application: the site stores only the public key, so there is no shared secret for an attacker to steal or reuse. This eliminates the need for password managers, shrinks the attack surface for phishing scams (there is no secret to type into a look-alike site), and minimizes the risk of credential stuffing attacks.

Beyond enhanced security, Passkeys offer compelling benefits for both IT professionals and users:

For IT Professionals:

  • Reduced Costs: Eliminate the need for purchasing and managing physical FIDO2 keys, streamlining device provisioning and user onboarding.
  • Simplified Administration: Leverage Entra ID (Azure AD) for centralized management and deployment of Passkeys across your organization.
  • Enhanced Security Posture: Eliminate password-related vulnerabilities and leverage multi-factor authentication (MFA) capabilities within Windows Hello for Business (WHfB) for even greater protection.

For Users:

  • Unmatched Convenience: Seamlessly access applications across devices with biometric authentication or a PIN, eliminating the need for remembering and typing complex passwords.
  • Improved Productivity: Reduce time spent managing passwords, allowing users to focus on more productive tasks.
  • Mobile Device Support: Enjoy seamless Passkey authentication on Android and iOS devices, empowering your mobile workforce.

While concerns regarding the security of Passkeys compared to non-exportable physical FIDO2 security keys might arise, it’s crucial to understand that the private key in the passkey never leaves your device (in theory). They are heavily encrypted both in storage and during transmission, and WHfB adds an additional layer of protection through its advanced MFA capabilities.

Microsoft’s commitment to continuous security updates and improvements further mitigates concerns, ensuring your data remains secure. Additionally, Passkeys address the long-standing challenge of integrating mobile phones with physical FIDO2 keys, offering a seamless and secure login experience for your mobile workforce.

In conclusion, Microsoft’s support for Passkeys represents a significant leap forward in login security and user convenience. By eliminating password-related vulnerabilities, streamlining device management, and enhancing user experience, Passkeys pave the way for a more secure and productive work environment.

For organizations that have not rolled out physical FIDO2 keys to all end users, my advice would be to wait until passkeys become more supported in the very near future. However, I would not wait to provide physical FIDO2 security keys to Privileged IT Administrators, who can use them now to protect themselves against phishing, especially when combined with Authentication Strengths in Conditional Access Policies.

Windows 11 Support

Instead of using a username and password to access a website or application, Windows 11 users will be able to use and protect passkeys using Windows Hello or Windows Hello for Business, or their phone. This will allow users to access the site or app using their face, fingerprint, or device PIN. Passkeys on Windows 11 will work on multiple browsers including Microsoft Edge, Google Chrome, Firefox, and others. Setting up a passkey in Windows is accomplished by:

  • The website or application owner creates a passkey and offers it to you as a sign-in option instead of your password—website and app owners will need to build passkey support into their own sign-in experience.
  • Once you create the passkey on your device, the next time you sign in to that website or app from your device it will recognize that you have its passkey, and you can use it instead of a password. If you are using Windows Hello or Windows Hello for Business, you will be able to use your face, PIN, or fingerprint to sign in more easily. In addition, you can now use a passkey from your phone or tablet to complete the sign-in process.
  • Users will have a management dashboard through Settings –> Accounts –> Passkeys to see and manage passkeys on their Windows 11 device.

Reference: https://www.microsoft.com/en-us/security/blog/2023/09/26/new-security-features-in-windows-11-protect-users-and-empower-it/
