Microsoft to roll out Entra passkeys on Windows in late April

Microsoft is set to enhance its security offerings by introducing passkey support for phishing-resistant passwordless authentication on Microsoft Entra-protected resources. The rollout will begin in late April, with broader availability expected by mid-June 2026. Notably, this feature will extend passwordless sign-in to unmanaged Windows devices, a significant step forward in user authentication.

Details of the New Feature

The Entra passkeys will cater to a variety of devices, including corporate, personal, and shared options. Administrators will have the ability to manage these through Conditional Access and Authentication Methods policies. According to Microsoft, users will be able to create device-bound passkeys that are securely stored within the Windows Hello container. Authentication can be achieved using various Windows Hello methods, such as facial recognition, fingerprint scanning, or a PIN.

This initiative aims to bolster security across devices that are not Microsoft Entra-joined or registered, thereby reducing the dependency on traditional passwords. Organizations that enable ‘Microsoft Entra ID with passkeys’ in their Authentication Methods policy will allow users to sign in from various devices, provided that Conditional Access policies permit such actions.

The passkeys will utilize FIDO2 standards and will be stored in a secure local credential container, ensuring that they can only be used for authentication to Microsoft Entra ID via Windows Hello. This is distinct from Windows Hello for Business, which also facilitates device sign-ins.

| Feature | Microsoft Entra passkey on Windows | Windows Hello for Business |
|---|---|---|
| Standard base | FIDO2 | FIDO2 for authentication, first-party (1P) protocol for device sign-in |
| Registration | User-initiated, doesn't require device join or registration | Automatically provisioned on some Microsoft Entra joined or registered devices during device registration |
| Device sign-in and single sign-on (SSO) | N/A | Enables device sign-in and SSO to Microsoft Entra-integrated resources after device sign-in |
| Credential binding | Bound to the device and stored in the local Windows Hello container. Users can register multiple passkeys for multiple work or school accounts on the same device. | Primarily a device-bound sign-in method linked to device trust. The credential is tied only to the work or school account used to register the device. |
| Management | Microsoft Entra ID Authentication methods policy | Microsoft Intune; Group Policy |

Moreover, because each passkey is cryptographically bound to the individual device, its private key is never transmitted over the network; only a signed challenge leaves the device. This protects the credential against phishing and malware attacks that aim to capture or bypass multifactor authentication.
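To make the phishing-resistance claim concrete, the following Go program models a FIDO2/WebAuthn-style assertion exchange between a device-bound authenticator and a relying party. It is an added example written for this article, not Microsoft's or Windows Hello's code; the RP ID `login.example.com`, the origin, the challenge strings and the lookalike domain are all constructed values. It shows that only a signature crosses the wire, that the browser refuses to use a credential on an origin the RP ID does not cover, and that a replayed or altered assertion fails verification on the server side.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed values for this example; not Microsoft's real RP ID or sign-in origin.
const (
	rpID   = "login.example.com"
	origin = "https://login.example.com"
)

// clientData is the JSON the browser assembles; the origin field is set by the browser, not the page.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the only thing sent to the server: no private key, just signed data.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // sha256(rpID) || flags || 4-byte counter
	Signature      []byte
}

// Authenticator models the device-bound key held in the local credential container.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey // never leaves this struct
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, nil
}

// rpIDValidForOrigin is the browser's rule: the RP ID must equal the origin's host or be a parent domain of it.
func rpIDValidForOrigin(rpID, pageOrigin string) bool {
	u, err := url.Parse(pageOrigin)
	if err != nil || u.Scheme != "https" {
		return false
	}
	h := u.Hostname()
	return h == rpID || strings.HasSuffix(h, "."+rpID)
}

// signedMessage is the WebAuthn-style digest: sha256(authData || sha256(clientDataJSON)).
func signedMessage(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// Sign models browser plus authenticator for a sign-in on pageOrigin.
func (a *Authenticator) Sign(pageOrigin, challenge string) (*Assertion, error) {
	if !rpIDValidForOrigin(a.rpID, pageOrigin) {
		return nil, fmt.Errorf("browser refused: RP ID %q is not valid for origin %q", a.rpID, pageOrigin)
	}
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// Verify is the relying party's side; it holds only the public key registered earlier.
func Verify(pub *ecdsa.PublicKey, a *Assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin mismatch: assertion was made on %s", cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential belongs to a different RP")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature invalid: signed data altered in transit")
	}
	return nil
}

// Scenario returns the outcomes of a genuine sign-in, an attempt from a lookalike origin,
// a replay of an old assertion, and an assertion whose counter was edited after signing.
func Scenario() (legit, lookalike, replayed, tampered error) {
	auth, err := NewAuthenticator(rpID)
	if err != nil {
		return err, err, err, err
	}
	pub := &auth.priv.PublicKey
	a1, err := auth.Sign(origin, "challenge-1")
	if err != nil {
		return err, err, err, err
	}
	legit = Verify(pub, a1, "challenge-1")
	_, lookalike = auth.Sign("https://login.example-com.net", "challenge-2")
	replayed = Verify(pub, a1, "challenge-3")
	forged := *a1
	forged.AuthData = append([]byte{}, a1.AuthData...)
	forged.AuthData[36] ^= 0xFF // flip a counter byte; origin and rpIdHash still match
	tampered = Verify(pub, &forged, "challenge-1")
	return
}

func main() {
	legit, lookalike, replayed, tampered := Scenario()
	fmt.Println("genuine sign-in:", legit)
	fmt.Println("lookalike origin:", lookalike)
	fmt.Println("replayed assertion:", replayed)
	fmt.Println("tampered assertion:", tampered)
}
```

The design point is that the server never sees key material: it stores a public key at registration and afterwards checks a fresh challenge, the origin the browser actually recorded, the RP ID hash the authenticator baked into `AuthData`, and the signature over all of it. A credential-stealing proxy on a lookalike domain gets nothing it can reuse, which is the property the article describes.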

While Microsoft has not elaborated on the specific motivations behind this feature's introduction, it addresses a critical security gap: personal and shared devices were previously limited to password-based Microsoft Entra ID authentication. Recent months have seen a surge in attacks targeting Microsoft Entra single sign-on accounts, with threat actors leveraging stolen credentials in a wave of data-theft incidents.

In a broader context, Microsoft has been proactive in enhancing security across its platforms. In October 2024, the company announced plans to make multifactor authentication registration mandatory for Entra tenants when security defaults are enabled. This initiative is part of the Secure Future Initiative, launched in November 2023, aimed at fortifying cybersecurity across Microsoft’s product suite. Furthermore, in May 2025, Microsoft revealed that all new accounts would be “passwordless by default,” a move designed to mitigate risks associated with brute-force attacks, credential stuffing, and phishing attempts.
