Windows Hello gets passkey support for Entra accounts

Microsoft is changing the sign-in process for Microsoft Entra on Windows devices: it is introducing support for passkeys that integrate with Windows Hello, a move aimed at reducing reliance on traditional passwords.

As reported by BleepingComputer, the new functionality is designed to provide a login method that is significantly more resistant to phishing attacks. The rollout begins as an optional public preview between mid-March and the end of April 2026 for organizations worldwide. After this initial phase, government cloud environments (GCC, GCC High, and the U.S. Department of Defense) will have their own preview period from mid-April to mid-May. Administrators must activate the functionality before it becomes available to users.

With passkeys, employees will be able to access Entra-secured services using Windows Hello, authenticating through biometric recognition, such as fingerprint or facial recognition, or a PIN. The corresponding cryptographic key is stored locally on the device within Windows Hello’s protected environment.

Microsoft asserts that this method provides enhanced protection against phishing and various forms of account abuse. Since the cryptographic key associated with a passkey remains on the device, it is safeguarded from interception by fraudulent websites or malware designed to capture login details.
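A FIDO2 assertion is also bound to the site that requested it, which is what a sign-in service checks before it verifies the signature. The sketch below is an added example, not code from Microsoft or the original article, and it goes slightly beyond the text by showing those binding checks; the RP ID, origins and sample assertions are constructed placeholders, and signature verification is left out.

```python
import base64, hashlib, json, struct

RP_ID = "login.example.com"                    # assumed relying-party ID (placeholder)
EXPECTED_ORIGIN = "https://login.example.com"  # assumed sign-in origin (placeholder)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin, rp_id, challenge, flags=0x05, count=1):
    """Build constructed sample data shaped like a WebAuthn assertion:
    clientDataJSON (written by the browser) and the first 37 bytes of
    authenticatorData (rpIdHash | flags | signCount)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)
    return client_data, auth_data

def check_assertion(client_data, auth_data, challenge):
    """Return the names of failed binding checks; an empty list means all pass."""
    errors = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    if cd.get("challenge") != b64url(challenge):   # stale or replayed response
        errors.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:        # produced on another site
        errors.append("origin")
    if len(auth_data) < 37:
        return errors + ["authenticatorData too short"]
    rp_id_hash, flags, _count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash")
    if not flags & 0x01:                           # UP: user presence
        errors.append("user-present")
    if not flags & 0x04:                           # UV: biometric or PIN was used
        errors.append("user-verified")
    return errors

if __name__ == "__main__":
    challenge = b"\x01" * 32                       # constructed server challenge
    samples = {
        "legitimate": make_assertion(EXPECTED_ORIGIN, RP_ID, challenge),
        "look-alike site": make_assertion("https://login.example-sso.test",
                                          "login.example-sso.test", challenge),
        "no biometric/PIN": make_assertion(EXPECTED_ORIGIN, RP_ID, challenge, flags=0x01),
    }
    for name, (cd, ad) in samples.items():
        print(f"{name}: failed checks = {check_assertion(cd, ad, challenge)}")
```

A production relying party would then verify the signature over authenticatorData and the SHA-256 hash of clientDataJSON with the public key registered for that account and device.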

Passkeys also work outside Entra-managed systems

A notable advancement in this implementation is that the passkey method operates on Windows systems that are not linked to or registered with Entra. This flexibility enables employees to access company resources without the need for a password, even on personal or shared devices. For organizations that frequently engage with external devices or embrace bring-your-own-device policies, this represents a significant leap towards achieving a fully passwordless environment.

Each Entra account generates a unique passkey per device, allowing multiple accounts to coexist on a single system while ensuring that the keys remain tied to the specific device where they were created. However, synchronization between devices is not supported, meaning users will need to re-register on each new system they utilize.

To activate this functionality, administrators must enable the FIDO2 passkey method within Entra’s authentication policy. Subsequently, a passkey profile linked to Windows Hello can be established and assigned to users or groups within the organization.

This initiative is part of Microsoft’s broader vision to gradually eliminate passwords. The company has previously announced that new Microsoft accounts will be created without passwords by default. Through these efforts, Microsoft aims to provide organizations with stronger defenses against phishing, brute-force attacks, and widespread abuse stemming from compromised login credentials.
