Microsoft Entra Passkeys Rolling Out to All Windows Devices — Phishing-Resistant MFA Now Generally Available

Microsoft has begun rolling out Entra passkey support to managed, unmanaged, and shared Windows devices, with general availability set for mid-June 2026. Passkeys close the credential-phishing gap that conventional passwords, SMS codes, and TOTP leave open, and enterprise deployment is now achievable at scale through existing Conditional Access policies.

Passwordless Gets Practical for Enterprise Fleets

Microsoft has begun the general availability rollout of passkey support within Microsoft Entra ID for Windows devices, with full availability targeted by mid-June 2026. The capability covers managed devices (Entra-joined, hybrid-joined), unmanaged personal devices using Microsoft Authenticator, and shared-device configurations including kiosk and frontline worker scenarios — addressing the full range of device models that enterprise environments actually operate.

Passkeys are hardware-bound cryptographic credentials that authenticate the user via device-resident biometrics or PIN without transmitting a reusable secret across the network. Unlike passwords, they cannot be phished: the credential is scoped to the site it was registered with, so a passkey created for login.microsoft.com will not be offered to, or accepted from, a spoofed domain. Unlike TOTP or SMS codes, they do not produce one-time values that a real-time phishing proxy can relay mid-session to complete an attacker’s authentication.
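The origin binding described above is what defeats a relaying proxy. As an added illustration (not Microsoft code and not from this article), the script below implements the relying-party checks on a WebAuthn assertion that precede signature verification: the origin the browser recorded in clientDataJSON, the rpIdHash and user-verification flags in authenticatorData, and the challenge. The relying-party ID reuses the article's login.microsoft.com example; the challenge, the lookalike domain and the flag values are constructed, and the final ECDSA signature check over the returned payload is assumed to be done by a FIDO library.

```python
"""Origin binding in a passkey (WebAuthn) assertion, reduced to the checks that make the
credential phishing-resistant.  Added illustration; not Microsoft or Entra code.
Relying-party ID follows the article's example; all other values are constructed."""
import base64
import hashlib
import json

RP_ID = "login.microsoft.com"               # relying-party ID from the article's example
EXPECTED_ORIGIN = "https://login.microsoft.com"

FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified (PIN or biometric on the device)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser builds it.  The browser fills in the origin of the
    page that called navigator.credentials.get(); page script cannot override it."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """authenticatorData layout: SHA-256(rpId) || flags (1 byte) || signCount (4 bytes BE)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + sign_count.to_bytes(4, "big"))


def check_assertion_binding(client_data: bytes, auth_data: bytes, challenge: bytes,
                            rp_id: str = RP_ID, origin: str = EXPECTED_ORIGIN,
                            require_uv: bool = True) -> dict:
    """Relying-party checks before the signature is verified.  Returns the rejection
    reasons (empty when accepted) and the exact bytes the authenticator signed:
    authenticatorData || SHA-256(clientDataJSON), which a FIDO library verifies with
    the credential's public key (assumed to happen outside this example)."""
    reasons = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        reasons.append("wrong ceremony type")
    if b64url_decode(cd.get("challenge", "")) != challenge:
        reasons.append("challenge mismatch (replay or stale session)")
    if cd.get("origin") != origin:
        reasons.append(f"origin {cd.get('origin')!r} is not {origin!r}")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        reasons.append("rpIdHash does not match relying party")
    flags = auth_data[32]
    if not flags & FLAG_UP:
        reasons.append("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        reasons.append("user verification (PIN/biometric) not asserted")
    signed_payload = auth_data + hashlib.sha256(client_data).digest()
    return {"accepted": not reasons, "reasons": reasons, "signed_payload": signed_payload}


if __name__ == "__main__":
    challenge = bytes(range(32))                      # constructed server challenge
    # Genuine sign-in: browser on the real origin, device asserted UP and UV.
    ok = check_assertion_binding(make_client_data(challenge, EXPECTED_ORIGIN),
                                 make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 7),
                                 challenge)
    print("genuine:", ok["accepted"], ok["reasons"])
    # Sign-in relayed through a proxy on a lookalike domain: the browser records that
    # domain as origin and the authenticator scopes everything to that rpId, so the
    # relying party rejects it even though the challenge itself was relayed intact.
    lookalike = "login.example-lookalike.test"
    bad = check_assertion_binding(make_client_data(challenge, "https://" + lookalike),
                                  make_authenticator_data(lookalike, FLAG_UP | FLAG_UV, 1),
                                  challenge)
    print("relayed:", bad["accepted"], bad["reasons"])
```

In practice the relayed case usually fails one step earlier: the authenticator holds no credential scoped to the lookalike rpId, so the user is never prompted. The server-side checks shown here are the second layer, and they also explain why a policy requiring user verification can be enforced from the authenticator data alone.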

What Changes for Enterprise Deployments

The rollout introduces several operationally significant capabilities:

Device-bound passkeys on Windows Hello: Users on Entra-joined Windows devices can register passkeys stored in the device’s TPM (Trusted Platform Module). The credential is cryptographically bound to the physical device and cannot be exported. Physical possession of the device is required — stolen credentials alone cannot be used remotely.

Authenticator app passkeys (cross-device): For users authenticating from multiple devices or personal hardware, Microsoft Authenticator on iOS and Android can store a passkey that works via FIDO2 cross-device authentication. This covers BYOD and hybrid work patterns without requiring corporate hardware enrolment.

Shared device support: Passkeys in shared-device mode allow frontline workers to authenticate to shared terminals without persistent per-user accounts. This closes a credential hygiene gap prevalent in retail, healthcare, and manufacturing environments where shift workers share workstations and reuse credentials.

Policy Controls Available Now

Entra administrators can require passkey authentication as a Conditional Access condition using AuthenticationStrength policies. Specific applications, sensitive data classifications, or privileged roles can be locked to FIDO2/passkey authentication, so that sign-ins which satisfied MFA only with a password plus a weaker factor are denied access to those resources. The Authentication Methods policy in the Entra admin centre controls which methods users may register and use, enabling staged rollouts by department or risk tier.

Why This Matters Given the Current Threat Landscape

The AI-assisted device-code phishing campaign disclosed earlier this month demonstrated that MFA bypass techniques are now commoditised. Device-code phishing, adversary-in-the-middle (AiTM) proxies, and MFA fatigue attacks all exploit the gap between password-plus-code authentication and genuine phishing resistance. That gap closes at the credential layer with passkeys.

Both the NSA and CISA have designated phishing-resistant MFA as the baseline authentication standard in their published guidance. CISA’s Secure by Demand guidelines explicitly name FIDO2 as the reference implementation. Microsoft’s Entra passkey GA makes that requirement achievable on standard enterprise Windows infrastructure without additional hardware token procurement.

  • Begin a passkey pilot with privileged accounts: Entra Global Admins, Privileged Role Administrators, and high-value service account owners represent the highest-value phishing targets — enrol these users first
  • Configure Conditional Access AuthenticationStrength: Require passkey or FIDO2 for applications handling regulated data, financial operations, or administrative functions
  • Communicate the new authentication flow to end users: The transition from password-plus-app-approval to passkey-plus-biometric needs a short user-facing explanation; prepare help desk staff before broad rollout to manage support volume
  • Inventory legacy authentication clients: Passkeys cannot be used with legacy protocols (NTLM, basic auth). Any applications that bypass modern authentication will require remediation before passkey enforcement is complete across the environment
  • Review Windows Hello for Business deployment: If WHfB is already deployed, passkey support builds on the same TPM infrastructure — the administrative overhead for expansion is low
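The policy controls above and the legacy-client inventory in the checklist can be rehearsed against sign-in data before anything is enforced. The script below is an added example, not Microsoft tooling or code from this article: it runs over constructed sign-in records shaped like the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, clientAppUsed, authenticationDetails), reports which users of the in-scope applications would be blocked by a phishing-resistant requirement and which accounts still use legacy protocols that no passkey can satisfy, and builds the Conditional Access policy body in report-only state. The sets of method names and legacy client strings, the built-in "Phishing-resistant MFA" authentication strength id, and the policy schema are assumptions to verify against your own tenant; the user, application and role ids are placeholders.

```python
"""Pre-enforcement readiness check for a phishing-resistant Conditional Access policy.
Added example; not Microsoft tooling.  Records are constructed, modelled on the Graph
signIn resource.  Method and client strings are assumptions: compare them with what
your own tenant's sign-in log emits before relying on the classification."""
import json
from collections import defaultdict

# Methods treated as phishing-resistant (assumed display strings).
PHISHING_RESISTANT = {"FIDO2 security key", "Windows Hello for Business",
                      "Passkey (device-bound)", "Passkey in Microsoft Authenticator"}
# clientAppUsed values for legacy protocols a passkey cannot satisfy (assumed set).
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
# Built-in "Phishing-resistant MFA" authentication strength id as documented for Entra;
# confirm it under Conditional Access > Authentication strengths in your tenant.
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"

SIGNINS = [  # constructed sample records
    {"userPrincipalName": "ga-admin@contoso.example", "appDisplayName": "Azure Portal",
     "clientAppUsed": "Browser",
     "authenticationDetails": [{"authenticationMethod": "Passkey (device-bound)", "succeeded": True}]},
    {"userPrincipalName": "pra-admin@contoso.example", "appDisplayName": "Azure Portal",
     "clientAppUsed": "Browser",
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True},
                               {"authenticationMethod": "Microsoft Authenticator App", "succeeded": True}]},
    {"userPrincipalName": "finance1@contoso.example", "appDisplayName": "Finance ERP",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True},
                               {"authenticationMethod": "Text message", "succeeded": True}]},
    {"userPrincipalName": "scanner-mfp@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Authenticated SMTP",
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
    {"userPrincipalName": "finance1@contoso.example", "appDisplayName": "Finance ERP",
     "clientAppUsed": "Browser",
     "authenticationDetails": [{"authenticationMethod": "FIDO2 security key", "succeeded": True}]},
]


def is_phishing_resistant(signin: dict) -> bool:
    """True when at least one successful step used a phishing-resistant method."""
    return any(d["authenticationMethod"] in PHISHING_RESISTANT and d.get("succeeded")
               for d in signin.get("authenticationDetails", []))


def readiness_report(signins, scoped_apps) -> dict:
    """Users who still reach an in-scope app without a phishing-resistant method (they
    would be blocked once the policy is enforced), and accounts on legacy protocols,
    which need remediation rather than a passkey."""
    would_block = defaultdict(set)
    legacy = defaultdict(set)
    for s in signins:
        if s.get("clientAppUsed") in LEGACY_CLIENTS:
            legacy[s["userPrincipalName"]].add(s["clientAppUsed"])
            continue
        if s["appDisplayName"] in scoped_apps and not is_phishing_resistant(s):
            would_block[s["appDisplayName"]].add(s["userPrincipalName"])
    return {"would_block": {a: sorted(u) for a, u in would_block.items()},
            "legacy_clients": {u: sorted(c) for u, c in legacy.items()}}


def phishing_resistant_policy(display_name, app_ids, role_template_ids, report_only=True) -> dict:
    """Request body for POST /identity/conditionalAccess/policies (assumed v1.0 schema).
    Report-only first: the sign-in log then records who would have been blocked."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "applications": {"includeApplications": app_ids},
            "users": {"includeRoles": role_template_ids},
        },
        "grantControls": {"operator": "OR",
                          "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}},
    }


if __name__ == "__main__":
    print(json.dumps(readiness_report(SIGNINS, {"Azure Portal", "Finance ERP"}), indent=2))
    print(json.dumps(phishing_resistant_policy(
        "Require phishing-resistant MFA for privileged roles",
        ["<app-object-id-placeholder>"], ["<role-template-id-placeholder>"]), indent=2))
```

Run the report against an export of the last 30 days of sign-ins for the pilot population first; a user listed under would_block who also has a phishing-resistant sign-in (as finance1 does in the sample) has registered a passkey but is still falling back to a weaker method from some client, which is exactly the case to chase before moving the policy out of report-only.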
