
Microsoft announced that Windows users can now log into their Microsoft consumer accounts using a passkey, allowing users to authenticate using password-less methods such as Windows Hello, FIDO2 security keys, biometric data (facial scans or fingerprints), or device PINs.

Microsoft "consumer accounts" are the personal accounts used to access Microsoft services and products such as Windows, Office 365, Outlook, OneDrive, Copilot, and Xbox Live.

Microsoft announced the new support for passkeys as part of World Password Day to increase security against phishing attacks, aiming to eliminate passwords altogether in the future.

Microsoft's steps towards password-less authentication
Source: Microsoft

Microsoft had already added passkey support to Windows for logging into websites and applications, but with the additional support for Microsoft accounts, consumers can now easily log in without entering a password.

Passkeys vs passwords

Passkeys are a form of password-less authentication that utilizes a cryptographic key pair where the public key is stored on the service provider's server, and the private key is stored securely on the user's device.

During an authentication attempt, the service sends a challenge that can only be answered by signing it with the private key, which proves the user's identity. Because the private key is guarded by device-level security mechanisms such as biometrics or a PIN, all the user has to do is provide that factor to log in.

Because passkeys do not involve sharing a secret like a password that can be intercepted or stolen and are typically tied to a particular device, they are inherently resistant to phishing.

Moreover, they eliminate the need for users to remember and enter passwords, which often leads to risky practices such as password recycling or using weak passwords.

Finally, passkeys are compatible with different devices and operating systems, making the authentication process frictionless.

One thing to note is that Microsoft syncs your passkeys across your other devices rather than keeping a distinct passkey on each device. This is a trade-off: if an attacker gains access to the account that holds the synced passkeys, those passkeys would be synced to the attacker's device as well.


Microsoft says it's doing this for reasons of convenience, allowing people to maintain access to their accounts when upgrading or losing their devices.

How to enable passkey support

To use passkeys for Microsoft accounts, you first need to create one by following this link and choosing the first option (Face, fingerprint, PIN, or security key). 

Next, follow the instructions on your device to finalize the creation of a new passkey.

Currently supported platforms include:

  • Windows 10 and newer
  • macOS Ventura and newer
  • Safari 16 or newer
  • ChromeOS, Chrome, Microsoft Edge 109, and newer
  • iOS 16 and newer
  • Android 9 and newer

When signing in to your Microsoft account, select "Other ways to sign in," select "Face, Fingerprint, PIN, or security key," then select the Passkey you saved earlier from the list.

Sign-in process with passkeys
Source: Microsoft

Your device will open a security window that handles the authentication process using the desired method.
