Microsoft Entra Adds Windows Passkey Support via Windows Hello
Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, enabling phishing-resistant, passwordless sign-in using Windows Hello (face, fingerprint, or PIN). The capability is opt-in and is scheduled to enter public preview from mid-March through late April 2026 for worldwide tenants, with government cloud environments (GCC, GCC High, DoD) following in a later window. A key security impact is that Entra passkeys extend passwordless authentication to unmanaged Windows devices (e.g., personal/shared endpoints) that previously often fell back to passwords.
Microsoft states the passkeys are device-bound and stored in the Windows Hello container; they are cryptographically bound to the device and not transmitted over the network, reducing exposure to credential phishing and certain malware-based theft scenarios used to bypass MFA. Each Entra account registers its own passkey per device (multiple accounts can coexist on one machine), but passkeys do not sync across devices, requiring separate registration per device. For preview enrollment, administrators must enable the Passkeys (FIDO2) authentication method in Entra Authentication Methods policies, create a passkey profile with the required Windows Hello AAGUIDs, and assign it to the appropriate groups.
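To illustrate what restricting a passkey profile to specific AAGUIDs means at the WebAuthn level, the following added example (not Microsoft's code and not part of the original article) parses registration authenticator data and accepts it only when the relying-party hash matches, user verification occurred, and the AAGUID is on an allowlist. The AAGUID value, the RP ID `login.example.com`, and all function names are constructed for illustration.

```python
import hashlib
import struct
import uuid

# Constructed placeholder, NOT a real Windows Hello AAGUID; take the real
# values from Microsoft's documentation when building an actual profile.
ALLOWED_AAGUIDS = {uuid.UUID("00000000-0000-4000-8000-0000000000aa")}

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # WebAuthn authenticator data flags


def parse_registration_authdata(auth_data: bytes) -> dict:
    """Parse the fixed header and attested credential data (WebAuthn section 6.1)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data (AT flag clear)")
    if len(auth_data) < 55:
        raise ValueError("truncated attested credential data")
    aaguid = uuid.UUID(bytes=auth_data[37:53])
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("credential ID length exceeds available bytes")
    return {"rp_id_hash": rp_id_hash, "user_verified": bool(flags & FLAG_UV),
            "sign_count": sign_count, "aaguid": aaguid, "credential_id": cred_id}


def registration_allowed(auth_data: bytes, rp_id: str) -> bool:
    """Accept only if RP ID matches, user was verified, and AAGUID is allowlisted."""
    try:
        parsed = parse_registration_authdata(auth_data)
    except ValueError:
        return False
    expected = hashlib.sha256(rp_id.encode()).digest()
    return (parsed["rp_id_hash"] == expected and parsed["user_verified"]
            and parsed["aaguid"] in ALLOWED_AAGUIDS)


def build_sample(rp_id: str, aaguid: uuid.UUID, flags: int) -> bytes:
    """Constructed sample input: header + AAGUID + 16-byte credential ID (no public key)."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", 0) + aaguid.bytes + struct.pack(">H", 16) + bytes(range(16)))
```

A real relying party also verifies the attestation statement, since an AAGUID on its own is only a claim made by the authenticator.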
Related Stories

Microsoft and Bitwarden Expand Windows 11 Enterprise Authentication and Endpoint Onboarding Capabilities
*Bitwarden* announced support for **passkey-based login on Windows 11**, enabling phishing-resistant, passwordless sign-in using passkeys stored in a user’s encrypted Bitwarden vault. The flow uses the Windows “security key” option and a QR-code confirmation from a mobile device, with authentication performed via cryptographic challenge/response rather than transmitting shared secrets; Bitwarden positions this as reducing credential theft risk from phishing. The capability depends on Microsoft’s Windows 11 passkey provider support and requires specific enterprise conditions, including **Entra ID–joined devices**, **FIDO2 security key sign-in enabled**, and a **registered Entra ID passkey** stored in Bitwarden. Microsoft also introduced an updated **Defender deployment tool for Windows** aimed at streamlining large-scale endpoint onboarding into Microsoft Defender. The tool packages onboarding information into a single downloadable `.exe` (reducing the need for separate onboarding files across modern and legacy systems), supports silent/non-interactive deployment via tools like Group Policy or Configuration Manager, and adds administrative controls to reduce risk if onboarding packages are shared externally (e.g., identifiers/keys, tracking, and package expiration up to one year). Microsoft Defender portal updates add improved guidance and visibility, with onboarding events surfaced in device timelines and advanced hunting to help teams monitor progress and troubleshoot errors during rollout.
1 week ago

Windows 11 and Password Managers Expand Passkey Support
Microsoft has introduced a new Windows API that allows third-party applications, such as 1Password, to manage passkeys directly within Windows 11. This integration enables users to create, sync, and manage passkeys using their preferred password manager, leveraging Windows Hello for authentication. The update aims to simplify the user experience by allowing password managers to take over credential management from Windows, making it easier for users to adopt passkeys for secure authentication across devices and services. The shift towards passkey authentication is part of a broader industry move to replace traditional passwords with more secure, phishing-resistant credentials. Passkeys utilize cryptographic methods and can be managed by platform, virtual, or roaming authenticators, with password managers increasingly supporting software-only (virtual) authenticators. This approach addresses longstanding security issues associated with passwords, such as susceptibility to phishing and poor user password hygiene, and is expected to become the standard for online authentication as more services adopt passkey support.
4 months ago

Passwordless Authentication and Passkey Adoption for Fraud Prevention
Microsoft has begun rolling out support for syncing passkeys across Windows devices and its Edge browser, addressing a key barrier to widespread adoption of passwordless authentication. This phased rollout starts with Edge on Windows 10 and 11, with plans to expand to iOS, Android, and macOS, aiming to make passkey management seamless for users and organizations. The move is expected to accelerate the shift away from traditional passwords, leveraging the FIDO Alliance's non-phishable passkey standard to enhance security and usability across platforms. Industry experts highlight that passwordless authentication is not just a technological upgrade but a critical component in modern fraud prevention strategies. As organizations transition to passkeys and device-based authentication, they face challenges such as cross-device access and user education. Integrating behavioral analytics with passwordless systems is seen as essential for detecting sophisticated fraud attempts, including those involving AI-driven identity spoofing and deepfakes, ensuring both external and internal threats are mitigated effectively.
4 months ago