MC690185 – Updated February 19, 2024: Microsoft has updated the rollout timeline below. Thank you for your patience.
Beginning mid-March 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have.
We will be expanding the existing FIDO2 authentication methods policy and end user experiences to support this preview release. If your organization uses FIDO2 authentication or Windows Hello for Business, please continue reading to learn more and prepare for the upcoming changes.
Admin Configuration
In the Entra admin portal, we will be renaming “FIDO2 security keys” to “Passkeys (FIDO2)” within the authentication methods policy and Conditional Access authentication strengths policy.
For your organization to opt-in to this preview, you will need to enforce key restrictions to allow specified passkey providers in your FIDO2 policy. Here are the possible configuration states for FIDO2 key restrictions during the preview:
End User Registration Experience
In the My Security Info portal, a new registration option called “Passkey (preview)” will be shown to end users for registering a device-bound passkey on computers, mobile devices, or security keys.
*Towards the end of 2024, the existing security key registration option will be replaced by the newly introduced passkey option.
End User Sign-in Experience
The existing end user sign-in option for Windows Hello for Business and FIDO2 security keys will be renamed to “Face, fingerprint, PIN, or security key”. The term “passkey” will be mentioned in the updated sign-in experience to be inclusive of passkey credentials presented from security keys, computers, and mobile devices.
Previous Microsoft Entra Changelog Messages
Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.