New Blog | Public preview: Expanding passkey support in Microsoft Entra ID

Microsoft

By Alex Weinert

We really, really want to eliminate passwords. There’s really nothing anyone can do to make them better. As more users have adopted multifactor authentication (MFA), attackers have increased their use of Adversary-in-the-Middle (AitM) phishing and social engineering attacks, which trick people into revealing their credentials.

How can we defeat these attacks while making safe sign-in even easier? Passkeys!

A passkey is a strong, phishing-resistant authentication method you can use to sign in to any internet resource that supports the W3C WebAuthn standard. Passkeys represent the continuing evolution of the FIDO2 standard, which should be familiar to anyone who’s followed or joined the passwordless movement. We already support signing in to Entra ID using a passkey hosted on a hardware security key, and today we’re delighted to announce additional support for passkeys. Specifically, we’re adding support for device-bound passkeys in the Microsoft Authenticator app on iOS and Android for customers with the strictest security requirements.

Before we describe the new capabilities we’re adding to Microsoft Authenticator, let’s review the basics of passkeys.

Passkeys neutralize phishing attempts

Passkeys provide high security assurance by applying public-private key cryptography and requiring direct interaction with the user. As I detailed in a previous blog, passkeys benefit from “Verifier Impersonation Resistance”:

  • URL-specific. The provisioning process for passkeys records the relying party’s URL, so the passkey will only work for sites with that same URL.
  • Device-specific. The relying party will only grant access to the user if the passkey is synched, stored, or connected to the device from which they’re requesting access.
  • User-specific. The user must prove they’re physically present during authentication, usually by performing a gesture on the device from which they’re requesting access.

Together, these characteristics make passkeys almost impossible to phish.
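
The checks behind the URL-specific and user-specific properties listed above, as an added Python example that is not from the original post or Microsoft's code: a relying party compares the origin, challenge, rpIdHash and user-presence/verification flags of a WebAuthn assertion. The host names, challenge and helper names are constructed, and signature verification over authenticatorData and the clientDataJSON hash is left out.

```python
import hashlib
import hmac
import json
import struct

# Constructed values for illustration; not Entra ID endpoints.
RP_ID = "login.example.test"
EXPECTED_ORIGIN = "https://login.example.test"
FLAG_UP, FLAG_UV = 0x01, 0x04  # WebAuthn flag bits: user present, user verified


def make_assertion(origin, rp_id, flags, challenge):
    """Build constructed clientDataJSON / authenticatorData bytes for the demo."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # authenticatorData = SHA-256(rpId) (32) || flags (1) || signCount (4, big-endian)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 1)
    return client_data, auth_data


def check_assertion(client_data_json, auth_data, expected_challenge):
    """Return the names of failed binding checks (empty list means all passed)."""
    failed = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        failed.append("type")
    if client_data.get("challenge") != expected_challenge:  # fresh per sign-in
        failed.append("challenge")
    if client_data.get("origin") != EXPECTED_ORIGIN:  # URL-specific
        failed.append("origin")
    if len(auth_data) < 37:
        return failed + ["authenticatorData"]
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):  # URL-specific
        failed.append("rpIdHash")
    if not auth_data[32] & FLAG_UP:  # user-specific: presence gesture
        failed.append("user-presence")
    if not auth_data[32] & FLAG_UV:  # user-specific: biometric or PIN
        failed.append("user-verification")
    return failed


if __name__ == "__main__":
    ch = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed base64url challenge
    print(check_assertion(*make_assertion(EXPECTED_ORIGIN, RP_ID, FLAG_UP | FLAG_UV, ch), ch))
    # Assertion produced while the user is on a lookalike origin (constructed name).
    lookalike = make_assertion("https://login-example.test", "login-example.test", FLAG_UP | FLAG_UV, ch)
    print(check_assertion(*lookalike, ch))
```

Because the browser writes the origin and the authenticator hashes the relying party ID, an assertion relayed from a lookalike site fails both URL checks even when the user completes the gesture.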

Read the full post here: Public preview: Expanding passkey support in Microsoft Entra ID