A while back, Microsoft released a preview of soft Passkeys in Microsoft Authenticator. At its core, this feature delivers a cross-device FIDO authentication credential, encapsulated securely within the Microsoft Authenticator app and bound to the device on which it’s created. Now, this feature is finally moving to general availability!
Why do Passkeys matter?
One of the biggest hurdles to implementing FIDO authentication is the physical security key. For privileged accounts or high-stakes environments, I recommend hardware security keys all day long. However, the fact of the matter is that people are going to lose physical security keys. Therefore you need a backup, so your users need two security keys. This doubles the cost of your implementation. As such, security keys are often limited to said high-stakes or privileged situations for many (except us nerds who use them everywhere we can).
That’s where Passkeys come in. Passkeys take the same concept of authentication via asymmetric cryptography and put it on your smartphone as a soft token. Through a combination of BLE and some other magic (Cross-Device Authentication), you get that same strong authentication on a device that people almost never lose. Passkeys, in my opinion, close the strong-authentication gap that existed when we only had physical security keys in play.
Get Started
Rolling out Passkeys in Authenticator is relatively simple. Check out this Microsoft Learn article to get going. However, there are a couple of things to keep in mind if you have physical security keys out there today:
- You must enforce attestation in your security key policy. This should be a non-issue for most, as basically all certified FIDO keys can do this (i.e. they have an AAGUID).
- You must know the AAGUIDs of your security keys. During the enablement process, you’ll be whitelisting AAGUIDs (including the MS Authenticator AAGUIDs). As such, you also need to add the AAGUIDs of the hardware security keys that are in play within your environment. If you’re using YubiKeys, you can find a nice list of those here. If not, check your manufacturer’s website.
- End users must be running Android 14 or newer or iOS 17 or newer, as those operating systems introduce support for multiple Passkey providers. This is also the magic that drives support for 1Password passkeys on mobile.
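To see what that AAGUID allowlist is actually checking, here is an added example in Python (not from this post or from Microsoft): it parses the authenticator data from a WebAuthn registration, pulls out the 16-byte AAGUID, and applies the same allow/deny decision the key-restriction policy makes on the server side. The AAGUID values and the sample registration are constructed placeholders, not real Authenticator or hardware-key identifiers.

```python
# Added example (not from the original post): extract the AAGUID from a
# WebAuthn registration's authenticator data and check it against an
# allowlist, mirroring the key-restriction check the identity provider makes.
import struct
import uuid

# Placeholder AAGUIDs: the real values for Microsoft Authenticator and your
# hardware keys come from the vendor documentation the post points to.
ALLOWED_AAGUIDS = {
    uuid.UUID("00000000-0000-0000-0000-000000000001"),  # placeholder: MS Authenticator
    uuid.UUID("00000000-0000-0000-0000-000000000002"),  # placeholder: hardware key model
}
UNKNOWN_AAGUID = uuid.UUID(int=9)  # constructed: a key model not on the allowlist
ZERO_AAGUID = uuid.UUID(int=0)     # reported by authenticators with no attestation


def extract_aaguid(auth_data: bytes) -> uuid.UUID:
    """Parse the fixed WebAuthn authenticator-data layout:
    rpIdHash(32) | flags(1) | signCount(4) | [attestedCredentialData...]."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    if not flags & 0x40:  # AT bit: attested credential data present
        raise ValueError("no attested credential data (registration expected)")
    return uuid.UUID(bytes=auth_data[37:53])  # AAGUID is the first 16 bytes


def is_allowed(auth_data: bytes, allowlist=ALLOWED_AAGUIDS) -> bool:
    """Policy decision: reject unknown AAGUIDs and the all-zero 'no attestation' value."""
    aaguid = extract_aaguid(auth_data)
    if aaguid == ZERO_AAGUID:
        return False
    return aaguid in allowlist


def build_auth_data(aaguid: uuid.UUID, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Constructed sample registration authData (no real attestation signature)."""
    rp_id_hash = bytes(32)        # placeholder for SHA-256 of the RP ID
    flags = bytes([0x45])         # UP (0x01) | UV (0x04) | AT (0x40)
    sign_count = struct.pack(">I", 0)
    cose_key = b"\xa0"            # empty CBOR map stands in for the public key
    return (rp_id_hash + flags + sign_count + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


if __name__ == "__main__":
    for label, guid in [("allowed", uuid.UUID(int=1)), ("unknown", UNKNOWN_AAGUID), ("zero", ZERO_AAGUID)]:
        print(label, is_allowed(build_auth_data(guid)))  # True, False, False
```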