Microsoft implements passkey authentication for personal Microsoft accounts

Microsoft announced that Windows users can now sign in to their Microsoft consumer accounts using a passkey, allowing them to authenticate with passwordless methods such as Windows Hello, FIDO2 security keys, biometrics (face scan or fingerprint) or a device PIN.

Microsoft “consumer accounts” are personal accounts used to access Microsoft services and products such as Windows, Office 365, Outlook, OneDrive, Copilot, and Xbox Live.

Microsoft announced the new passkey support as part of World Password Day, aiming to strengthen protection against phishing attacks, with the long-term goal of eliminating passwords entirely.

Microsoft’s steps towards passwordless authentication
Source: Microsoft

Microsoft had already added passkey support to Windows for signing in to websites and apps, but with the added support for Microsoft accounts, consumers can now sign in to their account without entering a password.

Passkeys versus passwords

Passkeys are a form of passwordless authentication that uses a cryptographic key pair where the public key is stored on the service provider’s server and the private key is securely stored on the user’s device.

During an authentication attempt, the service issues a challenge that can only be answered with the private key, which confirms the user’s identity. Because the private key is protected by device-level security mechanisms, such as biometrics or a PIN, all the user has to do is provide that factor to sign in.

Because passkeys do not involve sharing a secret like a password that can be intercepted or stolen, and are typically bound to a particular device, they are inherently resistant to phishing.

Additionally, they eliminate the need for users to remember and type passwords, which often leads to risky practices such as password reuse or choosing weak passwords.

Finally, passkeys work across different devices and operating systems, which keeps the authentication process simple.

One thing to note is that Microsoft syncs your passkeys to your other devices rather than storing a separate passkey on each device. This is not the most secure approach: if an attacker gains access to your account, the passkeys could be synced to the attacker’s device as well.

Microsoft says it is doing this for convenience reasons, allowing people to maintain access to their accounts when they upgrade or lose their devices.

How to enable passkey support

To use passkeys with a Microsoft account, you must first create one by following this link and choosing the first option (Face, Fingerprint, PIN, or Security Key).

Next, follow the instructions on your device to finish creating the new passkey.

Currently supported platforms include:

  • Windows 10 and newer
  • macOS Ventura and later
  • Safari 16 or newer
  • ChromeOS, Chrome, and Microsoft Edge 109 and newer
  • iOS 16 and newer
  • Android 9 and newer

When you sign in to your Microsoft account, select “Other ways to sign in,” select “Face, fingerprint, PIN, or security key,” and then select the passkey you saved earlier from the list.

Sign-in process with passkeys
Source: Microsoft

Your device will then open a security prompt that completes the authentication using the method you chose.