Hello everyone. In this blog, we will explore passkeys, a phishing-resistant, passwordless authentication method based on the FIDO2 standard from the FIDO (Fast IDentity Online) Alliance, now available in Entra ID. With the constantly evolving threat landscape, passwords combined with traditional multi-factor authentication (MFA) such as SMS codes, one-time passcodes or push approvals are no longer sufficient: an attacker who can phish the password can usually phish or socially engineer the second factor as well. Stronger, phishing-resistant authentication methods are essential to address modern security challenges.
Microsoft has been at the forefront of this evolution, introducing Windows Hello for Business in 2015 and expanding passwordless options with FIDO2 security key authentication in 2019. Additionally, the Microsoft Authenticator app with phone sign-in offered a convenient passwordless option. However, that method is not phishing resistant, because nothing guarantees proximity between the device the user is signing in on and the device running the Authenticator app: the sign-in request can originate from an attacker's machine anywhere in the world. This gap left users vulnerable to social engineering, where an attacker starts the sign-in and then persuades the user to approve the request in the app or to type in the number shown on the attacker's screen. To combat such risks, phishing-resistant passwordless methods, including passkey support in Microsoft Authenticator, have become critical.
The picture above depicts how an attacker can persuade a user to approve, in the Authenticator app, a sign-in the attacker started.
How Passkeys Registration and Authentication Work Across Devices and Platforms
Passkeys work by leveraging public-key cryptography for authentication: the user's authenticator holds a private key that never leaves it, and the website holds only the matching public key, so there is no shared secret that a phishing page or a breached database can capture. This provides a seamless and secure login experience across devices and platforms. Let's break down how passkeys operate in real-world scenarios and their cross-platform advantages.
Let's begin by understanding how the registration of a passkey works. When a user accesses a website, or Relying Party (RP), such as www.linkedin.com, that supports passkeys from a Windows client via a browser, the RP sends the browser a registration request containing a challenge (a one-time random value) together with its RP ID (its domain, for example linkedin.com). The browser prompts the user to select an authenticator. The user can choose the local device (Windows Hello), a physical security key, or another device such as an iPhone, iPad or Android phone running the Microsoft Authenticator app. The browser then forwards the challenge, bound to the origin of the page the user is actually on, to the chosen authenticator, in this case the Microsoft Authenticator app.
The authenticator generates a key pair, a public key and a private key, scoped to that RP ID. Depending on the platform, the user is offered a place to keep the passkey, such as iCloud Keychain, Google Password Manager, or the Microsoft Authenticator app. The private key is securely stored within the authenticator and never leaves it; it is used to sign the challenge together with the new public key. The signed challenge, along with the public key and a credential ID, is sent back to the browser, which forwards it to the RP (www.linkedin.com). The RP verifies the signature and stores the public key and credential ID against the user's account. This completes the passkey registration process.
Now, let's understand how the authentication process works. When the same user later accesses the same RP (www.linkedin.com) from a Windows client device using a browser, the RP sends a challenge and its RP ID. Before anything is signed, the browser's Web Authentication (WebAuthn) implementation checks that the RP ID matches the origin of the page the user is actually on: the RP ID must be the page's domain or a parent domain of it (linkedin.com is valid for www.linkedin.com; a look-alike domain is not). If there is no match, the process is halted. If there is a match, the browser forwards the challenge to the authenticator. If the user selects an authenticator on another device, such as an iPhone or Android phone, the browser shows a QR code on screen for the user to scan. The QR code carries the information the phone needs to connect to that browser session. When the user scans it with the Authenticator app, the app looks up the passkeys it holds for that RP ID and asks the user to select one.
When the user opens the Microsoft Authenticator app on their phone, the Windows client and the phone establish proximity: a physical security key connects over USB, NFC or Bluetooth, while in the QR-code flow the phone proves it is near the PC over Bluetooth Low Energy and the rest of the exchange runs through an encrypted tunnel (the FIDO hybrid transport). This client-to-authenticator communication is the Client to Authenticator Protocol (CTAP), and the proximity requirement is what stops an attacker sitting elsewhere from relaying the sign-in to the user's phone. The user is then challenged with a biometric or device PIN to unlock the private key, and the authenticator signs the challenge together with the RP ID hash. The signed response is returned to the browser, which forwards it to the RP. The RP verifies the signature with the stored public key and checks that the challenge and origin are the ones it expected, which completes the authentication process.
If you observe closely, the user is accessing the website from a Windows client device while the authenticator runs on an iPhone or Android phone. This not only enables passkey authentication across devices, it also allows cross-platform use. Additionally, WebAuthn provides an extra layer of security by binding each credential to an RP ID and verifying that RP ID against the page's origin. This is what makes passkeys resistant to phishing: a credential registered for linkedin.com simply cannot be exercised from a look-alike domain, so there is nothing for the user to "approve" by mistake.
I hope you found this article informative. I will be back soon with more interesting articles on Microsoft Entra ID.