Microsoft has announced that Microsoft Authenticator will support passkeys natively starting in mid-January 2025, marking a significant advancement in phishing-resistant authentication methods. The implementation builds on Microsoft’s broader push toward passwordless authentication solutions.
Passkeys replace traditional passwords with cryptographic key pairs – a public key stored by the service and a private key secured on the user’s device. At sign-in, the device uses biometric data or a PIN to unlock the private key, which then proves possession to the service without any secret credential being transmitted over the internet.
According to Microsoft’s documentation, the latest public preview refresh includes several key enhancements. Administrators can now require attestation during passkey registration, and Android native apps support passkey sign-in through the Authenticator. The registration process has been streamlined with an improved wizard that guides users through prerequisites.
Beginning with version 6.2408.5807, Microsoft Authenticator for Android now complies with Federal Information Processing Standard (FIPS) 140-3 for all Microsoft Entra authentications. This includes phishing-resistant device-bound passkeys, push multi-factor authentication, passwordless phone sign-in, and time-based one-time passcodes.
Lukas Beran, a Microsoft cybersecurity consultant, clarified that once general availability is reached in January, “passkeys will become a fully functional phishing-resistant authentication option equivalent to physical keys.” Organizations preferring not to enable passkey support can implement key restrictions through the passkey (FIDO2) policy.
Dave Taku, head of product management at RSA, noted that the announcement “suggests CISOs who are not ready to support passkeys by mid-January will need to actively manage settings to avoid potential security issues.” Organizations must either prepare their infrastructure for passkey support or implement restrictions to block passkey authentication.
The implementation aligns with industry standards, including the FIDO Alliance’s specifications for secure credential exchange. Microsoft has been gradually expanding its passwordless authentication options, with Windows Hello biometric authentication and FIDO2 security key support already available.
Sources: Microsoft Tech Community, RSA Blog
—
November 6, 2024 – by Cass Kennedy