Microsoft is now offering consumers the ability to log into Microsoft services with passkeys. With this, the company wants to offer an alternative to using vulnerable passwords and MFA, which can be bypassed.
Microsoft has been working for several years to find a (more secure) alternative to password login to its services or environments. For example, it introduced facial recognition called Windows Hello for logging into Windows 10 in 2015.
In recent years, Microsoft has continued to adapt passwordless technology to new FIDO standards. It also promised to join Google and Apple in moving to FIDO Alliance passkeys by 2022. Google already made logging in with passkeys the default login method last year. By now, 16 percent of Google accounts use it.
Logging in with passkeys
Microsoft’s move has now resulted in its own customers being able to use passkeys effective immediately. So logging into Microsoft 365 apps, as well as Copilot, for example, can now be done via passkeys. The same functionality for Microsoft’s mobile applications will become available in the coming weeks.
If consumers want to log in with passkeys, they can ask administrators to configure their Microsoft Entra ID (formerly Microsoft Active Directory) to allow this. Entra ID supports passkeys hosted on a hardware security key or in the Microsoft Authenticator app.
Keypair needed for decryption
Passkeys are seen as the future of passwordless login. Passkeys use two unique keys: a cryptographic “key pair”. One key (the private key) is stored on the device and is protected by biometric identification or a PIN.
The other key (the public key) is held by the app or website that the passkey is used to log into. Both components are needed to log in.
Passkeys are also known as phishing-resistant because the key pair is only valid for logging into the website or app for which it was specifically created. Logging into malicious websites is therefore not possible.
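The binding between a passkey and its website can be seen in the checks a service runs at login. The following Node.js sketch is an added example, not code from Microsoft or from this article: it is a simplified model of a WebAuthn assertion, and the domains `login.example.com` and `login.example.net` as well as all function names are constructed for illustration. A real authenticator would additionally refuse to use the credential for a different site in the first place.

```javascript
// Added example: simplified model of a WebAuthn (passkey) login check.
const crypto = require("crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Constructed values: the real service and the key pair made at registration.
const RP_ID = "login.example.com";
const RP_ORIGIN = "https://login.example.com";
const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Device side: the browser records the origin it is actually displaying.
function signAssertion(challenge, origin) {
  const rpIdHash = sha256(new URL(origin).hostname);
  // Layout: rpIdHash (32 bytes) | flags (1, bit 0 = user present) | counter (4)
  const authenticatorData = Buffer.concat([rpIdHash, Buffer.from([0x01]), Buffer.alloc(4)]);
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { authenticatorData, clientDataJSON, signature: crypto.sign("sha256", signed, privateKey) };
}

// Service side: holds only the public key; returns "ok" or the failed check.
function verifyAssertion({ authenticatorData, clientDataJSON, signature }, expectedChallenge) {
  const clientData = JSON.parse(clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "wrong type";
  if (clientData.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (clientData.origin !== RP_ORIGIN) return "origin mismatch";
  if (authenticatorData.length < 37) return "malformed authenticator data";
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
  if ((authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad signature";
}

function demo() {
  const challenge = crypto.randomBytes(32);
  const genuine = signAssertion(challenge, RP_ORIGIN);
  // Same key pair used on a look-alike origin, then forwarded to the real service.
  const lookAlike = signAssertion(challenge, "https://login.example.net");
  // Forwarder swaps in a genuine-looking origin; the signed rpIdHash still differs.
  const rewritten = { ...lookAlike, clientDataJSON: genuine.clientDataJSON };
  return {
    genuine: verifyAssertion(genuine, challenge),
    lookAlike: verifyAssertion(lookAlike, challenge),
    rewritten: verifyAssertion(rewritten, challenge),
  };
}

console.log(demo());
```

Because the origin and the hashed site identifier are both covered by the signature, a response produced on any other site fails at the real service even though the private key is the same.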