Microsoft Introduces Phishing-Resistant Windows Sign-Ins With Entra Passkeys

Microsoft is adding phishing-resistant passwordless sign-in to Windows devices through passkeys integrated with its enterprise identity platform, Microsoft Entra. The feature is expected to enter public preview between mid-March and late April 2026 for global tenants, while government cloud environments (GCC, GCC High, and DoD) will receive the update from mid-April to mid-May.

The new functionality allows users to access Entra-protected resources using device-bound passkeys stored within Windows Hello. The method is designed to resist phishing and credential theft, offering a more secure alternative to traditional passwords.

Expanding Passwordless Sign-Ins to More Windows Devices

According to Microsoft, this update significantly broadens the scope of passwordless authentication across Windows environments. Previously, organizations could only implement passwordless solutions on devices that were joined or registered with Entra, leaving unmanaged or personal devices reliant on conventional passwords. The introduction of passkey support effectively bridges this gap.

Users will now have the ability to create device-bound passkeys stored within the secure Windows Hello container, enabling authentication through various biometric or local verification methods, including:

  • Facial recognition
  • Fingerprint scanning
  • A secure PIN tied to the device

With this change, employees can access corporate resources protected by Entra without the need to enter passwords, even when using shared or personal Windows machines that are not formally enrolled in the organization’s device management system.

“This update allows users to create device-bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods,” Microsoft stated in a message to administrators via the Microsoft 365 Message Center. “It also expands passwordless authentication to Windows devices that aren’t Entra-joined or registered, helping organizations strengthen security and reduce reliance on passwords.”

How Entra Passkeys Improve Security

At the core of passkeys is public-key cryptography, a robust security model designed to thwart the credential theft that often leads to account compromises. When a passkey is created:

  • A private cryptographic key is generated and securely stored on the user’s device.
  • A matching public key is registered with the service—in this case, Entra.
  • During sign-in, the device demonstrates possession of the private key through a cryptographic challenge, eliminating the need to transmit a password.

Since the private key remains on the device, it is impervious to interception by phishing websites, network monitoring, or credential-stealing malware. Security experts increasingly regard passkeys as a significant advancement over passwords and even traditional multi-factor authentication (MFA) systems, which can be vulnerable to real-time attacks.

With passkeys, the authentication process is cryptographically linked to the legitimate website or service, effectively thwarting fraudulent login attempts.
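The challenge-response and origin binding described above, as an added sketch of a generic WebAuthn assertion check in Node.js; it is not Microsoft's or Entra's code. The relying-party ID, origins and function names are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');
const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest();

// Constructed relying-party values (assumptions, not Entra's real configuration).
const RP_ID = 'login.example.test';
const RP_ORIGIN = 'https://login.example.test';

// Registration: the private key stays on the device, the service keeps only the public key.
function createPasskey() {
  return nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Browser + authenticator side. The browser, not the page, writes `origin`;
// the authenticator hashes the RP ID that the request was scoped to.
function signAssertion(privateKey, challenge, browserOrigin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: browserOrigin,
  }));
  const flags = Buffer.from([0x05]); // user present (0x01) + user verified (0x04)
  const authenticatorData = Buffer.concat([sha256(Buffer.from(rpId)), flags, Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
}

// Relying-party side: every check must pass before the sign-in is accepted.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge-mismatch';
  if (client.origin !== RP_ORIGIN) return 'origin-mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(Buffer.from(RP_ID)))) return 'rpid-mismatch';
  if ((a.authenticatorData[32] & 0x05) !== 0x05) return 'user-not-verified';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

// A real authenticator would not release the credential for another RP ID at all;
// the look-alike case signs anyway to show that the server-side checks still reject it.
function demo() {
  const { publicKey, privateKey } = createPasskey();
  const challenge = nodeCrypto.randomBytes(32);
  const genuine = signAssertion(privateKey, challenge, RP_ORIGIN, RP_ID);
  const fake = 'login.example-test.invalid'; // constructed look-alike host
  const lookalike = signAssertion(privateKey, challenge, `https://${fake}`, fake);
  return {
    genuine: verifyAssertion(publicKey, challenge, genuine),
    lookalike: verifyAssertion(publicKey, challenge, lookalike),
    stale: verifyAssertion(publicKey, nodeCrypto.randomBytes(32), genuine),
  };
}
```

Nothing sent to the service is reusable: the signature covers a one-time challenge and the origin the browser recorded, so an assertion obtained on any other origin fails verification.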

Device-Bound Authentication

Microsoft’s implementation for Entra on Windows utilizes device-bound passkeys, meaning each passkey is uniquely associated with a specific device. Key characteristics include:

  • Passkeys are stored locally in the Windows Hello secure container.
  • They cannot be exported or synchronized between devices.
  • Each Entra account must create a separate passkey for each device used.

Multiple Entra accounts can exist on a single Windows machine, each maintaining its own passkey. While this approach enhances security by limiting exposure in the event of device compromise, it also necessitates that users register passkeys individually across their devices, such as work laptops, home PCs, or shared workstations.

Administrative Setup for the Preview

Organizations eager to test the feature during the preview period must configure it through Entra’s authentication policies. Microsoft advises administrators to:

  1. Enable the Passkeys (FIDO2) authentication method in Entra authentication settings.
  2. Create a passkey profile specifying the appropriate Windows Hello AAGUIDs (Authenticator Attestation GUIDs).
  3. Assign the policy to selected user groups participating in the preview.

This configuration allows IT teams to gradually roll out passkeys within an organization before a company-wide implementation.
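What an AAGUID restriction in step 2 means mechanically, as an added sketch in Node.js: it reads the AAGUID from WebAuthn registration data and checks it against an allow-list. This is generic WebAuthn parsing, not Entra's implementation; the AAGUID values and function names are constructed placeholders, not the real Windows Hello AAGUIDs.

```javascript
// Constructed allow-list (lower-case); substitute the AAGUIDs your passkey profile permits.
const ALLOWED_AAGUIDS = new Set(['00000000-0000-4000-8000-0000000000a1']);

// Format 16 raw bytes as the canonical 8-4-4-4-12 GUID string.
function formatAaguid(bytes) {
  const h = bytes.toString('hex');
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join('-');
}

// WebAuthn authenticator data layout at registration:
// rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE public key
function parseAttestedCredential(authData) {
  if (authData.length < 37) throw new Error('authenticator data too short');
  if ((authData[32] & 0x40) === 0) throw new Error('AT flag clear: no attested credential data');
  if (authData.length < 55) throw new Error('attested credential data truncated');
  const credIdLen = authData.readUInt16BE(53);
  if (authData.length < 55 + credIdLen) throw new Error('credential ID truncated');
  return {
    aaguid: formatAaguid(authData.subarray(37, 53)),
    credentialId: authData.subarray(55, 55 + credIdLen),
  };
}

// Allow registration only for listed authenticator models; fail closed on malformed input.
function registrationAllowed(authData, allowed = ALLOWED_AAGUIDS) {
  try {
    const { aaguid } = parseAttestedCredential(authData);
    return { allowed: allowed.has(aaguid), aaguid };
  } catch (err) {
    return { allowed: false, reason: err.message };
  }
}

// Constructed authenticator data for the demo (not captured from a device; COSE key omitted).
function buildAuthData(aaguid, credId = Buffer.from('demo-credential')) {
  const len = Buffer.alloc(2);
  len.writeUInt16BE(credId.length);
  return Buffer.concat([Buffer.alloc(32, 1), Buffer.from([0x45]), Buffer.alloc(4),
    Buffer.from(aaguid.replace(/-/g, ''), 'hex'), len, credId]);
}

console.log(registrationAllowed(buildAuthData('00000000-0000-4000-8000-0000000000a1')));
console.log(registrationAllowed(buildAuthData('00000000-0000-4000-8000-0000000000ff')));
```

The AAGUID is reported by the authenticator itself, so an allow-list is only a strong control when the attestation statement is also verified.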

Part of Microsoft’s Larger Passwordless Strategy

This new capability represents a significant milestone in Microsoft’s ongoing initiative to eliminate passwords across its ecosystem. In May 2025, the company announced that all newly created Microsoft accounts would default to passwordless sign-ins, requiring users to authenticate through methods such as passkeys, biometric verification, or hardware security keys.

Previously, Microsoft had introduced passkey support for personal accounts in 2024, alongside updates to Windows 11 version 22H2, which included a built-in passkey manager integrated into Windows Hello. Microsoft Entra now plays a pivotal role in enterprise identity and access management across various cloud services, including:

  • Microsoft 365
  • Azure services
  • Third-party SaaS applications integrated through identity federation

By embedding passkey authentication directly into Windows sign-ins, Microsoft aims to facilitate the adoption of phishing-resistant authentication methods across corporate environments.

Rising Pressure to Replace Passwords

This initiative comes in response to escalating cybersecurity concerns surrounding password-based authentication. Reports indicate that a significant number of enterprise breaches originate from stolen or compromised credentials, often acquired through phishing schemes or reused across multiple platforms.

Passkeys, supported by standards from the FIDO Alliance and the World Wide Web Consortium, are gaining traction among major technology firms. Companies such as Apple, Google, and Microsoft have all embraced passkey support in recent years as part of a collective effort to phase out passwords entirely.

Outlook

As organizations grapple with increasingly sophisticated phishing and credential-theft campaigns, Microsoft’s integration of passkeys into Windows sign-in workflows could expedite the enterprise transition to passwordless security models. If widely adopted, Entra passkeys may drastically diminish reliance on passwords within corporate settings, potentially closing one of the most persistent vulnerabilities in modern cybersecurity.

Winsage