Hello guys and happy New Year. In today's blog post we will look into passkeys in Microsoft Authenticator.
But before we begin, let me explain what passkeys are:
Passkeys are a modern, secure way to log into apps and websites without using traditional passwords. Instead of entering a username and password, passkeys use a pair of cryptographic keys: a public key and a private key. Here's how they work:
Public and Private Keys: When you create a passkey, your device generates a public key and a private key. The public key is stored on the app or website, while the private key remains securely on your device.
Biometric Authentication: To log in, your device uses biometric authentication methods like FaceID, TouchID, or a PIN to verify your identity. Once authenticated, the private key on your device signs a challenge that the app or website verifies with the stored public key to grant access.
Security Benefits: Passkeys are unique to each app or website, making them resistant to phishing attacks. They cannot be guessed or shared, and since the private key never leaves your device, they are less vulnerable to data breaches.
So, compared to security keys there is no need for a physical key, making passkeys very user friendly and available everywhere at any time, while keeping the same type of protection.
When I first tested this out in June 2024, the setup process in My Security Info was a bit buggy and not so straightforward. I'm happy that Microsoft improved the setup process and made it much easier for end users to set up passkeys.
Let's look into license requirements
To use passkeys we don't need any expensive licenses; a Business Premium license is enough, and it also includes Entra ID P1.
How to get started?
First of all, we need to make sure that the Passkey (FIDO2) method is enabled in Entra ID -> Authentication methods
1. Sign in to https://entra.microsoft.com/ with at least the Authentication Policy Administrator role
2. Go to Protection -> Authentication methods -> Policies and press on Passkey (FIDO2)
3. Enable this method, scope it to whomever you like and press on Configure
Now, let me explain what these different settings mean
Allow self-service setup – This option allows users to register passkeys in My Security Info or in the Microsoft Authenticator application
Enforce attestation – Attestation performs a check at registration that the FIDO2 key is provided by a legitimate vendor by validating its metadata against the FIDO Alliance Metadata Service. Attestation is now supported for passkeys in Microsoft Authenticator.
Enforce key restrictions – Allows you to add Authenticator Attestation GUIDs (AAGUIDs) to a block list to prevent particular models or manufacturers. When this is enabled, a list of AAGUIDs is required. It can also be used to allow specific keys rather than block them, which means any key not on the list is blocked by default.
Microsoft Authenticator – by checking this box you allow passkeys in Microsoft Authenticator on Android and iOS, and their AAGUIDs automatically appear on your Allow/Block list as shown in the picture
If you want the AAGUIDs of, for example, Yubico's security keys, they can be found here
https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs
Pro tip: If you have already registered a security key on your user account, you can find its AAGUID the easy way by signing in with your account to https://aka.ms/mysecurityinfo and looking up the AAGUID for your model there
With this method you can allow both the iOS and Android Authenticator passkeys and, for example, the latest security keys from Yubico
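To make the AAGUID part concrete, here is an added example (my own code, not Microsoft's) showing where the AAGUID sits in the WebAuthn registration data and how an allow or block list like the one above decides whether a key may be registered. The AAGUID values are constructed placeholders; the real ones come from the vendor list or from My Security Info.

```python
"""AAGUID extraction and allow/block evaluation (added example)."""
import hashlib
import struct
import uuid

# Constructed placeholder AAGUIDs, NOT real vendor values.
AUTHENTICATOR_ANDROID = uuid.UUID("00000000-0000-4000-8000-00000000000a")
AUTHENTICATOR_IOS = uuid.UUID("00000000-0000-4000-8000-00000000000b")
LEGACY_KEY = uuid.UUID("00000000-0000-4000-8000-00000000000c")

FLAG_AT = 0x40  # "attested credential data present": only set during registration


def extract_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the AAGUID from WebAuthn authenticator data.

    Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | ...
    """
    if len(auth_data) < 55:
        raise ValueError("authenticator data too short")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("no attested credential data: AAGUID exists only at registration")
    return uuid.UUID(bytes=auth_data[37:53])


def is_allowed(aaguid: uuid.UUID, enforcement_type: str, aaguids) -> bool:
    """Mirror 'Enforce key restrictions': 'allow' permits only listed AAGUIDs,
    'block' permits everything except the listed ones."""
    listed = aaguid in set(aaguids)
    if enforcement_type == "allow":
        return listed
    if enforcement_type == "block":
        return not listed
    raise ValueError(f"unknown enforcement type: {enforcement_type}")


def build_registration_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes) -> bytes:
    """Constructed sample registration authData for offline testing
    (credential public key omitted; not produced by a real authenticator)."""
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0x01 | 0x04 | FLAG_AT])  # UP | UV | AT
    return rp_hash + flags + struct.pack(">I", 0) + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id


def registration_decision(auth_data: bytes, enforcement_type: str, aaguids) -> bool:
    """Full check a relying party would run on a new registration."""
    return is_allowed(extract_aaguid(auth_data), enforcement_type, aaguids)
```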
User registration methods
There are two methods:
1. Via https://aka.ms/mysecurityinfo --> Add sign-in method, choose Passkey in Microsoft Authenticator and follow the steps on your screen
2. Via the Microsoft Authenticator app on your phone
   1. Open your app
   2. Find your username and press on it
   3. Press Create a passkey and follow the steps on your screen
The last method is definitely the easiest and quickest one.
And now, some good news about passkeys:
Source: Microsoft
So, start testing this out and use it. Let users have more options and allow the use of security keys and passkeys. You can even enforce this method with your Conditional Access policies. Remember that you need to have at least one active MFA method to register a passkey, the same as I mentioned about security keys in my previous blog posts.
Stay secured guys!