FIDO2 · Phishing-Resistant · Passwordless

Authentication Without Passwords

Microsoft Entra passkeys use public key cryptography to deliver phishing-resistant, passwordless sign-in. Your credentials never leave your device.

Passwords Are the Weakest Link

Passkeys replace phishable methods like passwords and SMS codes with origin-bound public key cryptography — credentials that can't be replayed or shared with malicious actors.

Phishing-Proof

Public key cryptography ensures credentials are bound to the legitimate site. Fake login pages can't intercept your keys.

Biometric Unlock

Sign in with a glance, touch, or PIN. Face ID, fingerprint, or Windows Hello — no passwords to remember or type.

Keys Stay Local

Private keys are stored in hardware security modules on your device — Secure Enclave on iOS, Android Keystore, or TPM on Windows.

Built-in MFA

Each passkey combines possession (your device) with a biometric or PIN — satisfying multi-factor requirements in a single gesture.

How Passkeys Work

Built on FIDO2 and WebAuthn standards, passkeys use a challenge-response protocol that never exposes secrets.

1. Initiate Sign-in: User enters username
2. Challenge Sent: Entra ID sends nonce
3. Biometric Check: User unlocks private key
4. Signed Response: Authenticator signs challenge
5. Token Issued: Entra verifies & grants access

Step 1 — Initiate Sign-in

The user navigates to a Microsoft Entra-protected resource and enters their username. If a passkey was previously registered, the browser activates the WebAuthn API and prompts the user to authenticate with their passkey.

Device-Bound vs. Synced

Microsoft Entra supports both passkey types — choose based on your security posture and user population.

| Characteristic | Device-Bound (High Security) | Synced (Convenient) |
|---|---|---|
| Private key location | Stays on single device | Encrypted in cloud vault |
| Cross-device availability | One device only | Syncs across devices |
| Best for | Admins, regulated industries | General workforce |
| Recovery if device lost | Re-register new key | Restore from cloud backup |
| Phishing resistant | Yes | Yes |
| MFA in single gesture | Yes | Yes |
| Examples | FIDO2 Keys, Windows Hello | Apple Keychain, Google Password Mgr |
| Attestation support | Full | Limited |

Enable Passkeys

Follow these steps in order to enable passkeys for your Microsoft Entra ID organization.


FAQ
Do passkeys require additional licenses?
No. Passkeys (FIDO2) are available in all Microsoft Entra ID editions, including Microsoft Entra ID Free. No extra licenses are needed.
What happens if I lose my device?
For device-bound passkeys, you'll need to re-register a new key on a new device. An admin can issue a Temporary Access Pass to let you authenticate and set up a replacement. For synced passkeys, your credential is backed up in your cloud vault (Apple Keychain, Google Password Manager) and restores automatically.
Can I have multiple passkeys per account?
Yes. Each Entra account can register multiple passkeys across different devices. Each device registers its own passkey, and multiple accounts can coexist on a single machine.
Does Windows Hello for Business replace passkeys?
Windows Hello for Business is still recommended for managed, Entra-joined devices. Passkeys supplement it by extending passwordless authentication to unmanaged Windows devices, personal PCs, and shared workstations.
Is Bluetooth required for cross-device sign-in?
Yes. Cross-device passkey authentication (like scanning a QR code from your phone to sign in on a desktop) requires both Bluetooth and an active internet connection on both devices.
Which mobile OS versions support passkeys?
iOS 17 and later, or Android 14 and later are required for passkey support in the Microsoft Authenticator app.