Microsoft announced that Windows users can now log into their Microsoft consumer accounts using a passkey, allowing users to authenticate using password-less methods such as Windows Hello, FIDO2 security keys, biometric data (facial scans or fingerprints), or device PINs.
Microsoft "consumer accounts" refer to personal accounts for accessing Microsoft services and products such as Windows, Office 365, Outlook, OneDrive, Copilot, and Xbox Live.
Microsoft announced the new support for passkeys as part of World Password Day to increase security against phishing attacks, aiming to eliminate passwords altogether in the future.
Microsoft had already added passkey support to Windows for logging into websites and applications, but with the additional support for Microsoft accounts, consumers can now easily log in without entering a password.
Passkeys vs passwords
Passkeys are a form of password-less authentication that utilizes a cryptographic key pair where the public key is stored on the service provider's server, and the private key is stored securely on the user's device.
During an authentication attempt, the service sends a random challenge that only the matching private key can sign; the service then checks the signature against the stored public key to confirm the user's identity. Because the private key is guarded by device-level security mechanisms such as biometrics or a PIN, all the user has to do is provide that data to log in.
Because passkeys do not involve sharing a secret like a password that can be intercepted or stolen and are typically tied to a particular device, they are inherently resistant to phishing.
Moreover, they eliminate the need for users to remember and enter passwords, which often leads to risky practices such as password recycling or using weak passwords.
Finally, passkeys are compatible with different devices and operating systems, making the authentication process frictionless.
One thing to note is that Microsoft syncs your passkeys with your other devices rather than only storing distinct passkeys on each device. This isn't the most secure method, as if an attacker gains access to your account, the passkeys would then be synced to their device.
Microsoft says it's doing this for reasons of convenience, allowing people to maintain access to their accounts when upgrading or losing their devices.
How to enable passkey support
To use passkeys for Microsoft accounts, you first need to create one by following this link and choosing the first option (Face, fingerprint, PIN, or security key).
Next, follow the instructions on your device to finalize the creation of a new passkey.
Currently supported platforms include:
- Windows 10 and newer
- macOS Ventura and newer
- Safari 16 or newer
- ChromeOS, Chrome, Microsoft Edge 109, and newer
- iOS 16 and newer
- Android 9 and newer
When signing in to your Microsoft account, select "Other ways to sign in," select "Face, Fingerprint, PIN, or security key," then select the Passkey you saved earlier from the list.
Your device will open a security window that handles the authentication process using the desired method.
Comments
b1k3rdude - 1 month ago
Making logins more secure is commendable, but this is micro$haft. This is just another attempt/angle to tie you into their, as now known, insecure online ecosystem.
buzzword - 1 month ago
Note this works with Bitwarden browser extension as well, saving the passkey in Bitwarden independent of platform (i.e. not saving in Windows or the native browser vault). I run Bitwarden on Firefox and it worked perfectly, in spite of Firefox not being in the list above.