Microsoft is set to introduce passkey support for secure passwordless authentication on Microsoft Entra-protected resources from Windows devices starting in late April.
This feature is anticipated to be widely available by mid-June 2026 and will also expand passwordless sign-in capabilities to unmanaged Windows devices.
According to Microsoft, Entra passkeys on Windows will cater to corporate, personal, and shared devices, with administrative controls managed through Conditional Access and Authentication Methods policies.
“Users can create device-bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN),” Microsoft stated in a message center update.
“This advancement extends passwordless authentication support to Windows devices that are not Microsoft Entra-joined or registered, assisting organizations in enhancing security and reducing dependence on passwords in various device scenarios, including corporate-managed, personal, and shared devices.”
This new security feature will be accessible to organizations that have activated ‘Microsoft Entra ID with passkeys’ within the ‘Authentication Methods policy’ for users signing in to Windows devices that are not Microsoft Entra-joined or registered, subject to Conditional Access policies permitting it (e.g., from corporate-managed, personal, or shared devices).
Moreover, it facilitates the generation of FIDO2 passkeys stored in a secure local credential container solely for authentication to Microsoft Entra ID via Windows Hello using facial recognition, fingerprint, or PIN (unlike Windows Hello for Business, which also enables device sign-ins).
| Feature | Microsoft Entra passkey on Windows | Windows Hello for Business |
|---|---|---|
| Standard base | FIDO2 | FIDO2 for authentication, first-party (1P) protocol for device sign-in |
| Registration | User-initiated, doesn’t require device join or registration | Automatically provisioned on some Microsoft Entra joined or registered devices during device registration |
| Device sign-in and single sign-on (SSO) | N/A | Enables device sign-in and SSO to Microsoft Entra-integrated resources after device sign-in |
| Credential binding | Bound to the device and stored in the local Windows Hello container. Users can register multiple passkeys for multiple work or school accounts on the same device. | Primarily a device-bound sign-in method linked to device trust. The credential is tied only to the work or school account used to register the device. |
| Management | Microsoft Entra ID Authentication methods policy | Microsoft Intune
Group Policy |
Additionally, passkeys are cryptographically bound to each device and never transmitted over the network, safeguarding against theft during phishing or malware attacks to circumvent multifactor authentication.
While the specific rationale for introducing this feature was not disclosed, Microsoft Entra passkeys on Windows address a security vulnerability that previously made personal and shared devices reliant on password-based Microsoft Entra ID authentication.
In recent times, threat actors have focused on targeting Microsoft Entra single sign-on (SSO) accounts using stolen credentials in a surge of SaaS data-theft incidents.
BleepingComputer reached out to Microsoft for further insights, yet a response was not immediately forthcoming.
In October 2024, Microsoft announced plans to enhance security within Entra tenants by mandating multifactor authentication (MFA) registration when security defaults are enabled, as part of the Secure Future Initiative launched in November 2023 to bolster cybersecurity protection across its offerings.
Furthermore, in May 2025, Microsoft revealed that all new Microsoft accounts will default to a “passwordless” setup to fortify defenses against brute-force, credential stuffing, and phishing attacks.
An AI amalgamated four zero-day vulnerabilities into a single exploit that evaded both renderer and OS sandboxes, heralding a wave of forthcoming exploits.
Explore how autonomous, context-rich validation at the Autonomous Validation Summit (May 12 & 14) identifies exploitable vulnerabilities, verifies control efficacy, and closes the remediation loop.
Claim Your Spot
EU Takes Action Against Instagram and Facebook for Violating Illegal Content Rules
Warning: Facebook Creators Face Monetization Loss for Stealing and Reposting Videos
Facebook’s New Look: A Blend of Instagram’s Style
Facebook Compliance: ICE-tracking Page Removed After US Government Intervention
Facebook and Instagram to Reduce Personalized Ads for European Users
InstaDub: Meta’s AI Translation Tool for Instagram Videos
Reclaim Your Account: Facebook and Instagram Launch New Hub for Account Recovery
Meta discontinues Messenger apps for Windows and macOS
Subscribe to our weekly newsletter below and never miss the latest News or an exclusive offer.
