For years, passwords have been a necessary—though often frustrating—part of online security. However, with rising threats and a clear need for simplicity, tech innovators have been on a mission to find a better solution. Enter passkeys, the technology now making a passwordless future possible.
Recently, Microsoft added passkey support to Microsoft Entra ID, signalling a significant step towards mainstream adoption of this technology.
So, what exactly are passkeys, and how do they improve on even the most secure password-based methods, like multi-factor authentication (MFA)?
Let’s dive into what they are, how they work, and how they’re reshaping the future of online security.
A Brief History of Passwords and Authentication
The journey towards passkeys began decades ago. Early authentication simply used a username and password. But as technology advanced, so did hacking techniques, leading to the creation of OTPs (one-time passwords), two-factor authentication (2FA), and authenticator apps, all in an attempt to bolster security.
These methods have undoubtedly strengthened online security, but the biggest problem remains—users can still be tricked into sharing their credentials through phishing.
Why Phishing Remains a Key Security Threat
Most password-based security measures are vulnerable to phishing. Attackers pose as trusted sources to trick users into divulging credentials, typically with fake login pages, emails and phone calls. Even stronger methods such as number-matching MFA are not immune: number matching stops "push fatigue" attacks, but an adversary-in-the-middle proxy that relays the real login page can still pass the code straight through, because the user is still typing a secret into a site they cannot reliably tell from the genuine one.
With passkeys, phishing risk drops sharply for two reasons. First, there is no shared secret: nothing the user knows or types can be handed to an attacker. Second, the credential is bound to the website it was created for, so the device only produces a signature for the genuine site and a signature obtained through a lookalike site is useless on the real one. That signature is released only after the user proves presence on the device with a touch, biometric or PIN.
What Are Passkeys?
A passkey is a digital credential that replaces passwords with public-key cryptography, which is what makes it resistant to phishing. When you create a passkey for a site, your device generates a pair of cryptographic keys: a public key that is stored with the website, and a private key that never leaves your device. When you log in, the site sends a fresh random challenge; your device signs it with the private key, and the site checks the signature with the stored public key. No password is typed or transmitted. As an extra layer, the private key is released only after biometric verification or a PIN, which confirms the user's presence and intent.
This exchange is defined by the FIDO2 standards: WebAuthn, the browser API a website calls, and CTAP (Client to Authenticator Protocol), which the browser or operating system uses to talk to a security key or the device's built-in authenticator. The browser, not the web page, fixes the site identity (the "relying party ID") and origin that go into the signed data, which is the mechanism behind the phishing resistance above, and the shared standards are what let passkeys work across different platforms.
Types of Passkeys
There are two main types of passkeys:
- Device-bound Passkeys: Stored only on the device or hardware security key that created them and cannot be exported. They are common in corporate settings where the assurance that the key has never left the hardware matters. If the device is lost, the user needs a second registered passkey or another recovery method to get back into their accounts.
- Synced Passkeys: Backed up and synchronised through a credential manager such as iCloud Keychain or Google Password Manager, so they survive a lost device and carry over between devices. For instance, a passkey created on an iPhone can be used on an iPad without additional setup. The trade-off is that the passkey is then only as safe as the cloud account and devices it is synced to.
Microsoft Entra and Passkey Integration
Microsoft's integration of passkeys within Entra ID brings this technology to a broader audience, particularly enterprises with stricter security requirements. The initial implementation supports device-bound passkeys, with synced passkeys expected to follow. This lets organisations give employees a phishing-resistant sign-in option and reduce their reliance on passwords.
Some setup is required first. An IT admin has to enable the passkey (FIDO2) authentication method in the Microsoft Entra admin centre and, if the policy restricts which authenticators are allowed, permit the Microsoft Authenticator app's authenticator identifiers before users can register a passkey in the app.
What’s Next for Passkeys and Passwordless Authentication?
As companies like Microsoft, Apple, and Google continue to adopt and improve passkey technologies, the transition to a passwordless future seems inevitable.
However, it will require broader support from website providers to be truly seamless. Users should also be able to disable passwords entirely to maximise security benefits, though this raises challenges for account recovery if a device is lost or damaged.
Are Passkeys Right for Your Business?
The move to a passwordless future presents a valuable opportunity for businesses to enhance both security and user experience. If your organisation is interested in deploying passkeys or other advanced security solutions with Microsoft Entra ID, Dial A Geek can help you navigate this transition with ease.
Book a meeting with Gildas Jones to learn more about our managed IT solutions. With experience helping over 1,000 businesses across the UK, we’re here to support your path to a secure, passwordless future.