Executive Summary
- Passkeys replace traditional passwords and usernames with a faster, more secure authentication method using biometrics (fingerprint, face ID), a PIN, or a physical security key.
- Passkeys are much more secure than passwords, with built-in phishing protection, the elimination of weak passwords, device-bound security, and an (almost) total reduction in the risk of human error.
- Organisations using Microsoft 365 for business can implement passkeys using Microsoft Authenticator, Windows Hello for Business, or FIDO2 Security Keys for secure authentication across their organisation.
Introduction
Here’s a question: when is the last time you heard someone say, “Do you know what I absolutely love? Passwords!”
Right, us neither. It may even be a brand-new sentence.
In reality, passwords today are a security risk, a pain to remember, and a general nuisance. But did you know that a world already exists where you don’t actually need passwords anymore? That’s right, and even better, it’s a world you can start living in right away if you’re a Microsoft 365 subscriber.
It’s time to say goodbye passwords, hello passkeys.
What is a passkey?
Basically, a passkey is a digital key that replaces passwords.
In fact, they replace both your username (or email address) and password.
Instead of typing in letters and numbers as your password, you use something you already have on you, your phone, your laptop, or a physical security key, with the digital key embedded. It’s a faster and more secure way to authenticate.
Passkeys use a kind of tech called public key cryptography, which is complicated but, most importantly, very secure. In plain English, it’s a digital “handshake” between your device-bound passkey and the website or app you’re trying to access: the site sends a one-time challenge, your device signs it with a private key that never leaves the device, and the site checks that signature against the public key it stored when the passkey was created.
Are passkeys really more secure than passwords?
In a word, yes.
And here are four very good reasons why.
- Phishing protection. Passwords are vulnerable to phishing attacks. Malicious actors can create fake websites that look like the real deal, tricking you into entering your password. Passkeys are tied to the specific website or app, so they can’t be used on a fake site.
- No more weak passwords. We all know we shouldn’t use “password123”, but let’s be honest, we’ve all been guilty of using simple passwords at some point. Passkeys get rid of this problem entirely. They’re random keys generated by your device rather than something a person chooses, so there is no weak one to guess.
- Device-bound security. Passkeys are linked to your device. Even if someone manages to get hold of your login details (which is much harder with passkeys), they still need access to your device to use them. This adds an essential extra layer of security.
- No memorisation required. Remembering loads of complex passwords is a pain. Passkeys solve this problem completely. You just use your fingerprint, face scan, or a PIN.
So, in a nutshell, passkeys are significantly more secure than passwords because they eliminate many of the vulnerabilities that passwords have always had.
Passwords vs. passkeys
At this point, you might be thinking, “But how is remembering a PIN different from remembering a password?”
An excellent question, and one that raises a few important distinctions between device-bound passkeys and passwords:
- Where they’re stored: A password is stored on the service’s servers (usually as a salted hash rather than in plain text). This means if those servers are compromised, your password could be at risk. A passkey, on the other hand, is stored securely on your device. It never leaves your device, so even if a website’s servers are hacked, your passkey remains safe.
- How they’re used: When you enter a password, the password itself is sent over the internet (normally over an encrypted connection) to the server for verification. With passkeys, only a cryptographically signed message is sent. This message proves you hold the passkey without ever transmitting the passkey’s private key. This makes passkeys much more resistant to interception and phishing attacks.
- The “phishing” problem: As mentioned above, passwords are very susceptible to phishing. You might accidentally enter your password on a fake website designed to steal your credentials. Because passkeys are tied to the specific website or app they were created for, they can’t be used on a fake site. This makes phishing attacks targeting passkeys essentially useless.
Passkeys vs. Multi-Factor Authentication (MFA)
You might also be wondering how passkeys relate to multi-factor authentication (MFA).
MFA adds extra layers of security by requiring multiple forms of verification, such as a password and a code sent to your phone via text message. The important thing to understand is that passkeys are actually a form of MFA. They provide strong authentication by using something you have (your device) and something you are (your fingerprint or face) or something you know (a PIN).
In many cases, passkeys can completely replace traditional MFA methods like one-time codes, providing a more seamless and secure experience. They’re not a replacement for MFA, but rather a better way to do MFA.
How to use passkeys with Microsoft 365
There are a few ways you can use passkeys with Microsoft 365 to grant access to your organisation’s accounts via Microsoft Entra ID.
If you already have Microsoft 365 set up at your organisation, you have the following options to get started:
- Passkeys in Microsoft Authenticator: One of the fastest ways to get up and running with passkeys is the Microsoft Authenticator app. You’re probably already using it for MFA, but it can also store and manage passkeys. This is a great option for users who want to use passkeys across multiple devices and platforms, including mobile devices. The Authenticator app acts as a secure “container” for your passkeys, allowing you to use them to log in to Microsoft 365 via Entra ID and other websites and apps that support passkeys. This provides flexibility and convenience for users who access Microsoft 365 from various devices.
- Windows Hello for Business: This is a built-in Windows feature that uses biometric authentication (fingerprint, face ID) or a PIN to unlock a device and access resources, including Microsoft 365, on that specific Windows device. Windows Hello for Business integrates directly with Microsoft Entra ID (formerly Azure Active Directory) to provide secure access to cloud resources on that machine. It doesn’t require a separate physical key; instead, it uses the hardware already built into many modern laptops and devices (like fingerprint readers and webcams).
- FIDO2 Security Keys: These are physical hardware devices, a bit like small USB keys, that you plug into your computer. They provide a very strong form of authentication. When you use a FIDO2 security key, you physically interact with the key (often by touching a button) to confirm your login. This adds an extra layer of security because even if someone has your login details, they need physical possession of the key to gain access. This is particularly useful for high-value accounts or users who require the highest levels of security.
Is your organisation ready to go passwordless?
There’s no doubt that passkeys are a big step up in security for your organisation, even compared to the classic combination of password + one-time passcode. Not only are they more secure, but they’re also faster and easier for employees because there’s nothing to remember and very little room for human error.
If you’d like to know more about setting up passkeys in your organisation, ask your Get Support Customer Success Manager, or call us on 01865 594000.