
Entra ID Passkey

With attacks on user accounts increasing year after year, additional measures to protect accounts from unauthorized access have become essential. One such measure, which Microsoft released at the beginning of the year, is passkey support in Entra ID.

Entra ID  

Microsoft Entra ID is the new name for the former Azure Active Directory (Azure AD). The renaming reflects Microsoft's goal of bringing its identity and access management products together under one brand. Entra ID retains the core features of Azure AD, such as single sign-on (SSO), multi-factor authentication (MFA) and Conditional Access, and adds new security services. It is part of the larger Microsoft Entra portfolio, which also includes Verified ID and Permissions Management, and is meant to provide a comprehensive answer to modern identity security challenges.

https://learn.microsoft.com/de-de/entra/fundamentals/new-name

Passwordless login   

A passwordless login is, as the name suggests, a login that works without a password. Options have existed for some time: web authentication, the Microsoft Authenticator app, or hardware tokens that generate a one-time code which the user has to type in. Each of these has advantages and disadvantages. The main disadvantage of the code-based options is that they are phishable: a user can be tricked into reading the code to an attacker who poses as a company administrator, and the attacker then uses that code to sign in. Even so, combined with thorough user training, code-based methods still raise the bar considerably compared with a password alone.

For employees to actually adopt such sign-in options, they must be convenient; at the same time they should be as secure as possible. With current technology, the Fast IDentity Online 2 (FIDO2) security key meets both requirements best.

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless#fido2-security-key-providers

FIDO2 keys have the advantage that they are plugged into the PC or laptop like a USB stick (many models also work via NFC) and authenticate the user from there. There is no one-time code and no password that the user could hand over, so the credential cannot be phished and the account is protected against this whole class of attack. The private key is bound to the hardware and never leaves it; only a signature is sent, never a secret that could be reused. Microsoft publishes a list of supported FIDO2 security key vendors on Microsoft Learn.

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-fido2-hardware-vendor

Passkey

The FIDO Alliance, the industry association behind the FIDO standards, defines passkeys as follows: “Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant.

Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.”

Passkeys are not a separate standard but FIDO2/WebAuthn credentials packaged for everyday use. A passkey is a discoverable credential: the authenticator stores it together with the account it belongs to, so the user does not have to type a username first. In the synced variant, the platform copies the credential between the user's devices, which removes the need to register every single device with every account. A FIDO2 security key holds a device-bound passkey: the same credential type, but one that never leaves the key.

How a FIDO2 key works

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless#fido2-security-key-providers

Microsoft's illustration (linked above) shows step by step how signing in to Windows with a FIDO2 key works:

  1. The user plugs the FIDO2 key into the computer.
  2. Windows detects the FIDO2 key.
  3. Windows sends an authentication request to Microsoft Entra ID.
  4. Microsoft Entra ID returns a nonce (a random, single-use value).
  5. The user performs a gesture (touching the key or entering the PIN) to unlock the private key, which is stored in the FIDO2 key's secure enclave.
  6. The FIDO2 key signs the nonce with the private key.
  7. Windows sends a request for a primary refresh token (PRT) containing the signed nonce to Microsoft Entra ID.
  8. Microsoft Entra ID verifies the signed nonce with the public key that was stored when the key was registered.
  9. If the verification succeeds, Entra ID returns the PRT, which also enables access to on-premises resources.
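The challenge/response in steps 4 to 8, and the reason it cannot be phished (see the passwordless section above), modelled as an added PowerShell example. This is not Microsoft's code and not code from the original post: it uses a .NET ECDSA P-256 key pair as a stand-in for the key pair inside a FIDO2 authenticator, reduces the real WebAuthn signed data (authenticator data plus the hash of the client data) to SHA-256(rpId) followed by the nonce, and treats login.microsoft.com and the look-alike domain as assumed relying-party IDs chosen for the illustration. Written for PowerShell 7.

```powershell
using namespace System.Security.Cryptography
using namespace System.Text

# Registration (done once, when the key is added under "Security info"): the authenticator
# generates a key pair and hands over only the public half; the private half never leaves it.
$authenticator       = [ECDsa]::Create([ECCurve+NamedCurves]::nistP256)
$registeredPublicKey = [ECDsa]::Create($authenticator.ExportParameters($false))   # $false = public part only

function New-Nonce {
    # Step 4: Entra ID issues a fresh random value for every sign-in attempt.
    $nonce = [byte[]]::new(32)
    [RandomNumberGenerator]::Create().GetBytes($nonce)
    return ,$nonce
}

function Get-SignedPayload([string]$RpId, [byte[]]$Nonce) {
    # Simplified stand-in for WebAuthn's signed data: hash of the relying-party ID plus the nonce.
    # Binding the rpId is what makes a signature produced on a look-alike site worthless.
    $rpIdHash = [SHA256]::Create().ComputeHash([Encoding]::UTF8.GetBytes($RpId))
    return ,[byte[]]($rpIdHash + $Nonce)
}

function Invoke-AuthenticatorSign([ECDsa]$Key, [string]$RpId, [byte[]]$Nonce, [bool]$UserGesture) {
    # Steps 5 and 6: without the user's gesture (touch, PIN) the private key stays locked.
    if (-not $UserGesture) { throw 'No user gesture: private key not unlocked' }
    return ,$Key.SignData((Get-SignedPayload $RpId $Nonce), [HashAlgorithmName]::SHA256)
}

function Test-SignedNonce([ECDsa]$PublicKey, [string]$RpId, [byte[]]$Nonce, [byte[]]$Signature) {
    # Step 8: Entra ID verifies the signature with the public key stored at registration.
    return $PublicKey.VerifyData((Get-SignedPayload $RpId $Nonce), $Signature, [HashAlgorithmName]::SHA256)
}

$rpId  = 'login.microsoft.com'    # relying-party ID the key was registered for (assumed for this example)
$nonce = New-Nonce

# Genuine sign-in: the current nonce signed for the real rpId verifies, and the PRT is issued (step 9).
$sig = Invoke-AuthenticatorSign $authenticator $rpId $nonce $true
"Genuine sign-in verified:            $(Test-SignedNonce $registeredPublicKey $rpId $nonce $sig)"

# Replay: the captured signature presented against the next nonce does not verify.
"Replayed signature verified:         $(Test-SignedNonce $registeredPublicKey $rpId (New-Nonce) $sig)"

# Phishing: a look-alike site relays the real nonce, but the key signs for the domain the user is on,
# so the relayed signature does not verify at the real relying party.
$phishSig = Invoke-AuthenticatorSign $authenticator 'login.microsoft-support.example' $nonce $true
"Relayed phishing signature verified: $(Test-SignedNonce $registeredPublicKey $rpId $nonce $phishSig)"
```

The last two checks are the point of the whole design: the nonce makes a captured signature single-use, and the relying-party binding means that a signature obtained by a phishing site is useless against the real one, which is why there is nothing for a user to "hand over" the way they could with a one-time code.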

Organization-wide activation of Entra ID Passkey

Step 1

Sign in to the Entra admin center, open the "Protection" section and click "Authentication methods".

Open the item "Policies", which is located under "Manage" and click on "FIDO2 security key". 

Step 2

In the next step you can either enable the FIDO2 key for all users ...

... or only for selected users. If the key should initially be available only to a selected group, for example for a pilot, click "Add group" and pick that group.

Note that only security groups are supported for this selection.

Note

Advanced settings can be made under the "Configure" tab.

Organization-wide activation of Entra ID Passkey in Microsoft Authenticator

For passkeys in Microsoft Authenticator, the settings on the "Configure" tab have to be as follows:

  • Allow self-service set up: Yes
  • Enforce attestation: No
  • Enforce key restrictions: Yes
  • Restrict specific keys: Allow
  • “Select Microsoft Authenticator (preview) if the checkbox is displayed in the admin center. This setting automatically populates the Authenticator app AAGUIDs for you in the key restriction list. Otherwise, you can manually add the following AAGUIDs to enable the Authenticator passkey preview:
    - Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
    - Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f”
    Source: https://learn.microsoft.com/de-de/entra/identity/authentication/how-to-enable-authenticator-passkey

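The portal steps of this and the previous section, applied through Microsoft Graph instead, as an added example that is not part of the original post or of Microsoft's documentation. It assumes the Microsoft.Graph PowerShell module, an account holding the Policy.ReadWrite.AuthenticationMethod permission, and a placeholder object ID for the pilot security group; the two AAGUIDs are the ones quoted above.

```powershell
# Added example: enable the FIDO2 method for a pilot group with the "Configure" settings from above.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the pilot security group

# AAGUIDs quoted from the Microsoft article above. With enforcementType = allow, only keys whose
# AAGUID is listed can be registered, so add the AAGUIDs of your hardware keys (see the vendor
# list linked in the FIDO2 section) if security keys and Authenticator passkeys should both work.
$allowedAaguids = @(
    'de1e552d-db1d-4423-a619-566b625cdc84',   # Microsoft Authenticator for Android
    '90a3ccdf-635c-4729-a248-9b709135078f'    # Microsoft Authenticator for iOS
)

$fido2Policy = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationAllowed = $true      # Allow self-service set up: Yes
    isAttestationEnforced            = $false     # Enforce attestation: No
    keyRestrictions = @{
        isEnforced      = $true                   # Enforce key restrictions: Yes
        enforcementType = 'allow'                 # Restrict specific keys: Allow
        aaGuids         = $allowedAaguids
    }
    includeTargets = @(
        @{ targetType = 'group'; id = $pilotGroupId; isRegistrationRequired = $false }
        # for all users instead: @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false }
    )
}

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'
Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType 'application/json' `
    -Body ($fido2Policy | ConvertTo-Json -Depth 5)

# Read the policy back and show the settings that decide whether Authenticator passkeys are accepted.
$current = Invoke-MgGraphRequest -Method GET -Uri $uri
[pscustomobject]@{
    State                = $current.state
    SelfServiceAllowed   = $current.isSelfServiceRegistrationAllowed
    AttestationEnforced  = $current.isAttestationEnforced
    RestrictionsEnforced = $current.keyRestrictions.isEnforced
    EnforcementType      = $current.keyRestrictions.enforcementType
    AllowedAaguids       = ($current.keyRestrictions.aaGuids -join ', ')
    Targets              = (($current.includeTargets | ForEach-Object { "$($_.targetType):$($_.id)" }) -join ', ')
}
```

Reading the policy back after the PATCH is the check worth keeping: the portal and Graph write the same object, so this is also a quick way to confirm what a colleague clicked together in the admin center.
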
Add passkey

Sign in at the Microsoft Azure portal with the account to which you want to link the key. If an additional window appears, confirm it with "Next".


Step 1

Click on “Your Account”. Then on “View Account”

Step 2

Click on “Security Info“ (left on the navigation-bar OR in the middle-box) 

Step 3

Under "Security info" you should already see two methods (password and the Authenticator app used for MFA). Click "Add sign-in method" to start setting up your YubiKey.

Step 4

Choose "Security key" as the method and click "Add".

A window appears; click "Next". You should now receive an MFA request in Microsoft Authenticator. Approve it and continue with Step 5.

Step 5

Select "USB device" as the type of security key. Have your key ready to plug in and click "Next".

Step 6

Windows now asks where you want to save the passkey. Choose "Security key" and click "Next".

Step 7

Click on "Ok"

Step 8

Click on "Ok" 

Step 9

Enter a PIN and memorize it. The PIN only unlocks the key locally; it is never transmitted to Entra ID.

Step 10

Touch the key when it prompts you (this is the user gesture from the sign-in flow described above).

Step 11

Click on "Ok" 

Step 12

Give the security key a name that identifies it in your account (for a YubiKey, the model name is a good choice).

Step 13

If you followed every step, your YubiKey now appears in the list of sign-in methods under "Security info".
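An admin-side counterpart to step 13, added here as an example that is not part of the original post: it lists the FIDO2 methods a user has registered through Microsoft Graph and flags whether each key's AAGUID is permitted by the current key restrictions. It assumes the Microsoft.Graph PowerShell module, the UserAuthenticationMethod.Read.All and Policy.Read.All permissions, and a placeholder user principal name.

```powershell
# Added check: which FIDO2 keys does a user have, and does the policy actually allow them?
Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All', 'Policy.Read.All'

$userUpn = 'first.last@contoso.example'   # placeholder: the user who registered the key in step 13

$policyUri    = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'
$restrictions = (Invoke-MgGraphRequest -Method GET -Uri $policyUri).keyRestrictions

Get-MgUserAuthenticationFido2Method -UserId $userUpn | ForEach-Object {
    $listed = $restrictions.aaGuids -contains $_.AaGuid
    # Allow list: only listed AAGUIDs pass. Block list: everything except listed AAGUIDs passes.
    $permitted = if (-not $restrictions.isEnforced)              { $true }
                 elseif ($restrictions.enforcementType -eq 'allow') { $listed }
                 else                                               { -not $listed }
    [pscustomobject]@{
        DisplayName       = $_.DisplayName        # the name given in step 12
        Model             = $_.Model
        AaGuid            = $_.AaGuid
        AttestationLevel  = $_.AttestationLevel
        Registered        = $_.CreatedDateTime
        PermittedByPolicy = $permitted
    }
}
```

A key that shows up here but with PermittedByPolicy set to False was registered before the key restrictions were tightened; either add its AAGUID to the allow list or have the user register a permitted key before the old one stops being usable.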

Note

We were unable to add a security key in Firefox as this led to an error.

Add passkey to Microsoft Authenticator

When adding a passkey to Microsoft Authenticator, the steps differ between iOS and Android. Both sets of instructions are available here: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey-authenticator?tabs=Android

Sources

https://www.onlinesicherheit.gv.at/Services/News/Authentifizierung-ohne-Passwort.html

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-fido2-compatibility

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless#fido2-security-key-providers

https://www.cswrld.com/2024/04/how-to-enable-microsoft-authenticator-passkeys-in-entra-id/

https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-authenticator-passkey

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-fido2-hardware-vendor

http://bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Accountschutz/Passkeys/passkeys-anmelden-ohne-passwort_node.html

https://fidoalliance.org/passkeys/

https://de.wikipedia.org/wiki/FIDO2#:~:text=Passkey%20ist%20ein%20Begriff%20aus,mit%20allen%20Benutzerkonten%20paaren%20muss.
