Microsoft aims to combat phishing in passwordless logins with Entra passkeys.
Microsoft is introducing support for passkeys in Microsoft Entra on Windows, enabling users to log in password-free and with phishing resistance via Windows Hello.
Passwordless login on Windows
With this new feature, users can create passkeys that are stored in the Windows Hello container and bound to the device. Authentication then takes place via facial recognition, fingerprint, or a PIN. A key difference is that passkeys now also work on unmanaged Windows devices. Previously, such systems often still relied on traditional passwords.
The generated passkeys are cryptographically linked to the device and are never sent over the network. As a result, attackers cannot intercept them during phishing or malware attacks. Each Entra account also registers its own passkey per device. Multiple accounts can exist on a single computer, but passkeys are not synchronized between devices.
Activation via Entra policy
“To participate in the preview, IT administrators must enable the FIDO2 passkey authentication method in the Entra authentication policy and configure a passkey profile,” the company stated in a post. Microsoft has been working on reducing the use of passwords for some time. In 2025, the company announced that new Microsoft accounts would be passwordless by default to better protect users against phishing.
The feature will be rolled out globally as a public preview from mid-March to late April 2026. For government cloud environments, the rollout will follow between mid-April and mid-May.