The era after the password

Traditional passwords fall short in several ways: they are susceptible to phishing, are often weak, and are frequently reused, which makes them the main target of attacks. Microsoft’s strategy for greater security and relief for admins: away from passwords and towards passwordless passkeys.

What are passkeys – and why are they more secure?

A passkey is not a password in the traditional sense but a cryptographic key pair consisting of a public and a private key. The public key is stored on the server; the private key stays on the device, typically in a secure hardware environment such as a TPM, a Secure Enclave or an app container.

Security benefits:

  • No server stores sensitive private data: attackers who breach it obtain only public keys, which are useless for signing in.

  • Biometrics (fingerprint, facial recognition) or a PIN protect against unauthorized use.

  • Natural protection against phishing: Private keys are never transmitted and cannot be intercepted.


How passkey login works in practice

Logging in is intuitive and lightning fast: users click on “Use passkey” in Microsoft 365 and confirm by fingerprint, facial recognition or PIN, on the same or a synchronized device. The device signs the server’s challenge with the private key and sends the signed response back to the server.
For multi-device scenarios (e.g. laptop and iPhone), systems can be synchronized or linked via QR code.
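
Why the signed challenge described above resists phishing and replay, as an added example that is not part of the original article or of Microsoft's code: a simplified WebAuthn-style sign-in in Node.js where the server checks challenge, origin and signature. The relying-party ID `login.example.com`, the origins and all function names are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Registration: the key pair is created on the device; only publicKey is sent to the server.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { rpId, publicKey, privateKey };
}

// Authenticator side: the browser, not the web page, supplies the origin that gets signed.
function signAssertion(passkey, challenge, browserOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin: browserOrigin,
  }));
  // authenticatorData: SHA-256(rpId) || flags (0x05 = user present + user verified) || counter
  const authData = Buffer.concat([sha256(passkey.rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const toSign = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign("sha256", toSign, passkey.privateKey) };
}

// Server side: check challenge, origin, rpId hash and user verification, then the signature.
function verifyAssertion(expected, publicKey, assertion) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString());
  if (clientData.type !== "webauthn.get") return "wrong type";
  if (clientData.challenge !== expected.challenge.toString("base64url")) return "challenge mismatch";
  if (clientData.origin !== expected.origin) return "origin mismatch";
  if (!assertion.authData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpId mismatch";
  if ((assertion.authData[32] & 0x04) === 0) return "user not verified";
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, assertion.signature) ? "ok" : "bad signature";
}

// Constructed demo values: relying party, origins and challenges are made up for illustration.
function demo() {
  const passkey = createPasskey("login.example.com");
  const other = createPasskey("login.example.com"); // a party holding only a different key
  const challenge = crypto.randomBytes(32);
  const expected = { challenge, origin: "https://login.example.com", rpId: "login.example.com" };
  const genuine = signAssertion(passkey, challenge, expected.origin);
  const lookalike = signAssertion(passkey, challenge, "https://login-example.test");
  const nextLogin = { ...expected, challenge: crypto.randomBytes(32) };
  return {
    genuine: verifyAssertion(expected, passkey.publicKey, genuine),
    lookalike: verifyAssertion(expected, passkey.publicKey, lookalike),
    replay: verifyAssertion(nextLogin, passkey.publicKey, genuine),
    wrongKey: verifyAssertion(expected, passkey.publicKey, signAssertion(other, challenge, expected.origin)),
  };
}
console.log(demo());
```

The server only ever holds `publicKey`; every rejected case fails on a check that needs no shared secret.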

Microsoft’s integration of passkeys – an overview


Microsoft is integrating passkeys into Entra ID, formerly Azure AD. The technology is already available and can be configured.

Supported authenticator types:

  • Microsoft Authenticator app (iOS/Android) for registration via passkeys
  • Windows Hello on modern Windows devices
  • FIDO2 Security Keys (e.g. YubiKey)
  • Browser with passkey support (Edge, Chrome, Safari)

Advantages for companies and Microsoft admins

There are clear advantages for security managers and IT managers:

  • Maximum security – public-private key pairs are highly resistant to hacker attacks and phishing
  • Less support effort – no password reset, fewer helpdesk tickets
  • Better UX – fast, intuitive authentication without entering a password
  • Efficiency gains – time savings due to less password management and complexity
  • Compliance boost – modern authentication procedures underpin zero trust strategies

Current status & roadmap


  • Public preview available since the beginning of 2024
  • General availability planned for the 2nd half of 2025

  • Upcoming functions:

    • Integration in local AD environments (hybrid scenarios)
    • Self-service passkey registration & recovery
    • Management via Conditional Access & Entra Policies

Current research (e.g. device-bound vs. synced credentials) shows that passkeys offer a high level of security, but special care is required when synchronizing across multiple devices, because the risk then lies with the passkey provider.

On June 27, 2025, Microsoft released Windows 11 Insider Preview Build 26120.4520 (KB5060834) to the Beta Channel. It contains an important milestone for the passwordless future: the integration of third-party credential managers directly into the Windows login settings.

What does that mean in concrete terms?

Users can go to Settings > Passkeys > Advanced options to activate the so-called Plugin Credential Manager.

  • Prerequisite: Authentication via Windows Hello (face, fingerprint or PIN).
  • The function is currently being tested with the beta version of 1Password, with other providers to follow.

What’s new? – Briefly summarized!

Login to websites:
Passkeys from the third-party vault (e.g. 1Password) can be used directly to log in – one click, one authentication, done.

Saving new passkeys:
When visiting passkey-enabled websites, new keys can be created and saved in the Credential Manager – also secured by Windows Hello.

Cross-device use:
By opening up the plugin interface (API), it will be possible in future to use the same passkeys securely on multiple devices and across different providers.

Important note:
Microsoft is no longer building the passwordless future only into the core system, but is making it modular and open to the ecosystem. For companies, this lowers the hurdles for introducing passkeys, especially if solutions such as 1Password, Bitwarden or similar are already in use.

How to get started – Recommendations for IT managers and admins

  1. Check infrastructure: Device policy, licenses, BIOS/firmware settings
  2. Define pilot group: IT-savvy users with low complexity
  3. Test passkey registration: e.g. via the Microsoft Authenticator app
  4. Design policies: Conditional access, MFA fallback, recovery scenarios
  5. Ensure communication: training courses, FAQs, information workshops
  6. Monitoring & support: check logins, establish helpdesk processes

Conclusion – The passwordless future starts now!

Passkeys are not a theory: they are ready for use and increasingly universally supported. For companies that want to combine security with usability, now is the time to start. IT management and security teams must seize the momentum and introduce passkeys strategically.

We are happy to help you with the implementation of passkeys in your Microsoft environment. Please take a look at our FAQ on this topic.