
Microsoft Entra Blog

Synced passkeys and high assurance account recovery

AnkurPatel
Dec 16, 2025

Microsoft Entra ID: MFA made easier - faster sign-ins, hassle-free recovery.

Almost half of Microsoft Entra ID users are now protected with Multi-Factor Authentication (MFA), per the latest Microsoft Digital Defense Report. Yet many organizations still face high costs because of training needs, usability challenges and productivity loss.  At Microsoft Ignite 2025, we introduced two new features in Entra ID to address those challenges for existing MFA deployments and to increase adoption of MFA across users and organizations: synced passkeys and account recovery.              

Public preview of synced passkeys brings the security benefits of MFA with simpler usability, while avoiding the security risks of weaker MFA options like SMS. However, even the simplest MFA can fail when credentials are lost, making account recovery a critical part of the user experience. To improve usability in such cases, we are introducing public preview for account recovery with AI-powered biometric match against government issued IDs across 192 countries. 

Refining the MFA experience for mass adoption: Over the past year, synced passkeys have become the default sign-in method for hundreds of millions of people signing in to their personal email, cloud storage, and countless other apps and services. In fact, Microsoft consumer users are 3x more successful when signing in with passkeys than with legacy authentication methods (95% vs 30%). Sign-ins are 14x faster compared to password plus code-based MFA. Best of all, synced passkeys are natively supported by all major operating systems.

We’ve built deep connections across our consumer and enterprise platforms, enabling cross-pollination of learnings and rapid delivery of usability enhancements. Every improvement now benefits Microsoft accounts, Entra ID, and External ID together, bringing a consistent, intuitive experience to both consumers and enterprises. This unified approach means enhancements reach users faster, and at scale.

The public preview of synced passkeys with these improvements brings MFA simplicity at scale for all enterprise users. And we’re just getting started. As these improvements reach general availability, we’re focused on making passkeys and high-assurance recovery the default for all enterprise customers—so usability isn’t an afterthought, it’s the foundation.

Let’s explore the end-user experience for both capabilities and how organizations can easily deploy them.   

Simpler MFA experience with synced passkeys

Synced passkeys represent a newer, more user-centric approach to authentication that removes the password entirely and works across devices via services like iCloud Keychain and Google Password Manager. This method offers a seamless experience: users authenticate with biometrics or device PINs, without needing to remember or enter passwords or codes.

Sign in experience with synced passkeys

It’s the future. Focus on passkeys. Now you have a truly fast username-less and passwordless authentication method protected against phishing.
- Customer in leading global retail

Easy to deploy synced passkeys: Our enterprise customers want a better MFA experience with passkeys. Many customers worry about the enrollment process, usability problems, and higher helpdesk costs when rolling out new authentication methods.

Passkey profiles for granular admin control

Admins can now configure passkey authentication at a granular, per-group level. Instead of a single tenant-wide setting, admins can choose specific requirements, such as attestation, passkey type (device-bound or synced), and which passkeys from which providers their users may use, and apply them to different user groups in the enterprise.
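One way to model the group-based passkey profiles described above, as an added example that is not Microsoft's code and does not use the Entra ID schema. It assumes a passkey is classified as synced by the WebAuthn backup-eligible (BE) flag and that a provider is identified by its AAGUID; the `PasskeyProfile` class, group names and AAGUID values are hypothetical.

```python
import uuid
from dataclasses import dataclass

FLAG_BE = 0x08  # WebAuthn flag: backup eligible, i.e. the credential can be synced
FLAG_AT = 0x40  # WebAuthn flag: attested credential data (with AAGUID) present

@dataclass(frozen=True)
class PasskeyProfile:  # hypothetical model, not the Entra ID schema
    groups: frozenset           # directory groups the profile targets
    allowed_types: frozenset    # subset of {"synced", "device-bound"}
    enforce_attestation: bool
    allowed_aaguids: frozenset  # authenticator models/providers; empty = any

def describe(auth_data: bytes):
    """Return (passkey_type, aaguid) from registration authenticator data."""
    # Layout: rpIdHash[32] | flags[1] | signCount[4] | aaguid[16] | credIdLen[2] ...
    if len(auth_data) < 55 or not auth_data[32] & FLAG_AT:
        raise ValueError("no attested credential data in registration")
    kind = "synced" if auth_data[32] & FLAG_BE else "device-bound"
    return kind, str(uuid.UUID(bytes=auth_data[37:53]))

def registration_allowed(profile, user_groups, auth_data, attestation_verified):
    """Apply one profile to one registration attempt; returns (allowed, reason)."""
    if not profile.groups & set(user_groups):
        return False, "profile does not target this user"
    kind, aaguid = describe(auth_data)
    if kind not in profile.allowed_types:
        return False, f"{kind} passkeys not allowed"
    if profile.enforce_attestation and not attestation_verified:
        return False, "attestation required"
    # Without verified attestation the AAGUID is self-reported by the client.
    if profile.allowed_aaguids and aaguid not in profile.allowed_aaguids:
        return False, "provider not on allowlist"
    return True, "ok"

def sample_auth_data(flags: int, aaguid: str) -> bytes:
    """Constructed sample input: zeroed hash/counter, empty credential ID."""
    return bytes(32) + bytes([flags]) + bytes(4) + uuid.UUID(aaguid).bytes + bytes(2)

# Constructed AAGUIDs and group names, for illustration only.
HW_KEY = "11111111-2222-3333-4444-555555555555"
SYNC_PROVIDER = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ADMINS = PasskeyProfile(frozenset({"admins"}), frozenset({"device-bound"}),
                        True, frozenset({HW_KEY}))
STAFF = PasskeyProfile(frozenset({"staff"}), frozenset({"synced", "device-bound"}),
                       False, frozenset())

if __name__ == "__main__":
    synced = sample_auth_data(0x45 | FLAG_BE, SYNC_PROVIDER)
    print(registration_allowed(STAFF, ["staff"], synced, False))
    print(registration_allowed(ADMINS, ["admins"], synced, False))
```

The stricter admin profile rejects a synced passkey before attestation is even considered, while the staff profile accepts it.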

Convenient high assurance account recovery 

Even the simplest MFA can fail when credentials are lost - making recovery a critical part of user experience. When users can’t access their normal sign-in info or are unable to access their passkeys, proving one’s identity becomes a real headache. Not only is the experience clunky (e.g. knowledge-based questions or round-trip codes) and frustrating, it’s ripe for impersonation attacks.  As a result, analysts and major government agencies such as NIST recommend using government issued ID and biometric verification for high assurance recovery. However, there are challenges with verification at scale. Most enterprises are unable to implement such a solution because of custom business contracts and complicated technical implementation with ID verification (IDV) providers, and regulatory compliance.   

Setting up account recovery is as easy as 1-2-3

Account recovery in Microsoft Entra helps users regain access quickly and securely, leveraging government issued ID and biometric verification to deliver high assurance. Securing account recovery takes only a few steps. Our new approach makes it secure, compliant, and integrated with a consumer-grade user experience, without custom business contracts or technical integrations. What used to take months can now be done in minutes.

Account recovery admin setup

As shown above, admins can simulate the account recovery process before activating use for production, as well as configure specific groups of users and the preferred IDV provider to enable a seamless flow.  

Entra ID customers can choose amongst the leading IDV providers via Microsoft Security Store: Idemia, Lexis Nexis and Au10tix. These providers offer coverage across 192 countries and remote verification for most government issued ID documents, including driver’s licenses and passports. Entra Verified ID Face Check, powered by Azure AI services, adds a critical layer of trust by matching a user’s real-time selfie and the photo from their identity document. By only sharing the match results and not any sensitive identity data, Face Check improves user privacy while allowing organizations to be sure the person claiming an identity is really them. 

Convenient recovery for all your users

Once enabled, this public preview capability enables a natively integrated end-to-end flow for users to easily and securely regain access to their accounts.  

Account recovery user flow

The Entra sign in experience now includes a new option to 'Recover my account'. Once users initiate the flow, they are guided through the steps to verify their identity by providing their driver’s license or other government issued documents to the IDV provider preferred by the organization. Users then do a quick face check, which matches liveness with the photo from the ID document to ensure that the rightful owner is the one verifying the government issued ID with the IDV provider. Entra ID then matches information (such as name or address) returned in the Verified ID from the IDV provider with the information in the organization's directory and HR system. Once the verification is complete, the user is offered the option to register a synced passkey to reduce further lockouts.

Inspark, a leading cybersecurity company, shares: "Identity is the top attack vector and AI makes it easier to exploit. Verified ID enables convenient account recovery, reduces our recovery-related service desk costs by 72%, and protects against social engineering. No passwords. No weak authentication. Just secure, verifiable access."

Licensing requirements

- Passkeys: Included for all Microsoft Entra ID customers
- Account recovery: Included with Microsoft Entra ID P1 license
- Face Check: Available as an add-on per verification or as part of Microsoft Entra Suite
- Government ID check: Pay-per-verification via Microsoft Security Store

Resources

Continuously improving usability for every authentication and recovery experience is foundational. Get started today and share your feedback with us. We love hearing from you!  

Ankur 


Updated Dec 15, 2025
Version 1.0