Microsoft rolls out passkey auth for personal Microsoft accounts
Microsoft announced that Windows users can now log into their Microsoft consumer accounts using a passkey, allowing users to authenticate using password-less methods such as Windows Hello, FIDO2 security keys, biometric data (facial scans or fingerprints), or device PINs.
Microsoft "consumer accounts" are the personal accounts used to access Microsoft services and products such as Windows, Office 365, Outlook, OneDrive, Copilot, and Xbox Live.
Microsoft announced the new support for passkeys as part of World Password Day to increase security against phishing attacks, aiming to eliminate passwords altogether in the future.
Microsoft had already added passkey support to Windows for logging into websites and applications, but with the additional support for Microsoft accounts, consumers can now easily log in without entering a password.
Passkeys vs passwords
Passkeys are a form of password-less authentication that utilizes a cryptographic key pair where the public key is stored on the service provider's server, and the private key is stored securely on the user's device.
During an authentication attempt, the service issues a challenge that can only be signed with the private key, and the signed response confirms the user's identity. Because the private key is guarded by device-level security mechanisms such as biometrics or a PIN, all the user has to do is provide that factor to log in.
Because passkeys do not involve sharing a secret like a password that can be intercepted or stolen and are typically tied to a particular device, they are inherently resistant to phishing.
Moreover, they eliminate the need for users to remember and enter passwords, which often leads to risky practices such as password recycling or using weak passwords.
Finally, passkeys are compatible with different devices and operating systems, making the authentication process frictionless.
One thing to note is that Microsoft syncs your passkeys with your other devices rather than only storing distinct passkeys on each device. This isn't the most secure method, as if an attacker gains access to your account, the passkeys would then be synced to their device.
In practical terms, right now an attacker can get passkeys synced to a new device under their control and abuse them if they can (1) authenticate to the user's account via ordinary phishing and (2) get the user to turn over the PIN/passcode to a device that already has passkeys.
— Brian in Pittsburgh (@arekfurt) May 2, 2024
Microsoft says it's doing this for reasons of convenience, allowing people to maintain access to their accounts when upgrading or losing their devices.
How to enable passkey support
To use passkeys for Microsoft accounts, you first need to create one by following this link and choosing the first option (Face, fingerprint, PIN, or security key).
Next, follow the instructions on your device to finalize the creation of a new passkey.
Currently supported platforms include:
- Windows 10 and newer
- macOS Ventura and newer
- Safari 16 or newer
- ChromeOS, Chrome, Microsoft Edge 109, and newer
- iOS 16 and newer
- Android 9 and newer
When signing in to your Microsoft account, select "Other ways to sign in," select "Face, Fingerprint, PIN, or security key," then select the passkey you saved earlier from the list.
Your device will open a security window that handles the authentication process using the desired method.