Microsoft is introducing phishing-resistant passwordless authentication for Windows devices through passkeys integrated with its enterprise identity platform, Microsoft Entra.
The company announced that the feature will begin rolling out in public preview between mid-March and late April 2026 for global tenants, with government cloud environments—including GCC, GCC High, and DoD—scheduled to receive the update between mid-April and mid-May.
The new capability enables users to sign in to Entra-protected resources using device-bound passkeys stored in Windows Hello, providing an authentication method designed to resist phishing and credential theft.
Expanding Passwordless Sign-Ins to More Windows Devices
According to Microsoft, the update significantly expands the reach of passwordless authentication across Windows environments. Previously, organizations could deploy passwordless authentication primarily on devices that were joined or registered with Entra, often leaving unmanaged or personal devices dependent on traditional passwords.
The new passkey support closes that gap.
Users will be able to create device-bound passkeys stored within the secure Windows Hello container, then authenticate using biometric or local verification methods such as:
- Facial recognition
- Fingerprint scanning
- A secure PIN tied to the device
Microsoft said the change will allow employees to access corporate resources protected by Entra without entering passwords—even when using shared or personal Windows machines that are not formally enrolled in the organization’s device management system.
“This update allows users to create device-bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods,” Microsoft said in a message to administrators via the Microsoft 365 Message Center. “It also expands passwordless authentication to Windows devices that aren’t Entra-joined or registered, helping organizations strengthen security and reduce reliance on passwords.”
How Entra Passkeys Improve Security
Passkeys rely on public-key cryptography, a security model designed to prevent the types of credential theft that fuel most account compromises.
Passkey creation and sign-in work as follows:
- A private cryptographic key is generated and stored securely on the user’s device.
- A matching public key is registered with the service—in this case, Entra.
- During sign-in, the device proves possession of the private key through a cryptographic challenge rather than transmitting a password.
Because the private key never leaves the device, attackers cannot intercept it through phishing websites, network monitoring, or credential-stealing malware.
Security experts increasingly view passkeys as a major step forward compared with passwords or even traditional multi-factor authentication (MFA) systems that rely on one-time codes. Many phishing campaigns today are capable of capturing MFA codes in real time, allowing attackers to bypass protections.
With passkeys, the authentication process is cryptographically tied to the legitimate website or service, preventing fraudulent login prompts from succeeding.
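The challenge-response and origin binding described above can be modeled in a few functions. This is an added example, not Microsoft's code or part of the original article: it is a simplified model of a WebAuthn assertion using Node.js built-in crypto, and the relying-party names, function names and result strings are assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the key pair is generated on the device; the server stores only the public key.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { rpId, privateKey }, server: { rpId, publicKey } };
}

// Device side. The browser, not the page, writes the origin it is actually on into clientDataJSON.
function signAssertion(device, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData: rpIdHash (32 bytes) | flags (UP|UV = 0x05) | signCount (4 bytes)
  const authData = Buffer.concat([sha256(device.rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, device.privateKey) };
}

// Server side: every check must pass before the signature counts as a sign-in.
function verifyAssertion(server, expected, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== expected.origin) return 'bad-origin';
  if (!assertion.authData.subarray(0, 32).equals(sha256(server.rpId))) return 'bad-rp-id';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, server.publicKey, assertion.signature)
    ? 'ok' : 'bad-signature';
}

function demo() {
  const origin = 'https://login.example.test';            // constructed relying party
  const { device, server } = createPasskey('login.example.test');
  const challenge = crypto.randomBytes(32);
  const expected = { challenge, origin };
  const genuine = signAssertion(device, challenge, origin);
  // Same challenge relayed through a lookalike page: the browser records that page's origin.
  const relayed = signAssertion(device, challenge, 'https://login-example.test');
  // Swapping in a clientDataJSON with the right origin breaks the signature over its hash.
  const rewritten = { ...relayed, clientDataJSON: genuine.clientDataJSON };
  return {
    genuine: verifyAssertion(server, expected, genuine),
    relayed: verifyAssertion(server, expected, relayed),
    rewritten: verifyAssertion(server, expected, rewritten),
    replayed: verifyAssertion(server, { challenge: crypto.randomBytes(32), origin }, genuine),
  };
}
```

A real browser also refuses a request whose relying-party ID does not match the page it is on, so a lookalike page would normally get no signature at all; the model skips that step to show why the server-side checks would still reject it.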
Device-Bound Authentication
Microsoft’s implementation for Entra on Windows uses device-bound passkeys, meaning each passkey is linked to a specific device.
Key characteristics include:
- Passkeys are stored locally in the Windows Hello secure container.
- They cannot be exported or synchronized between devices.
- Each Entra account must create a separate passkey for each device used.
Multiple Entra accounts can exist on a single Windows machine, each maintaining its own passkey.
While this approach strengthens security by limiting exposure if a device is compromised, it also means users will need to register passkeys individually across their devices, such as work laptops, home PCs, or shared workstations.
Administrative Setup for the Preview
Organizations interested in testing the feature during the preview period must configure it through Entra’s authentication policies.
Microsoft says administrators will need to:
- Enable the Passkeys (FIDO2) authentication method in Entra authentication settings.
- Create a passkey profile specifying the appropriate Windows Hello AAGUIDs (Authenticator Attestation GUIDs).
- Assign the policy to selected user groups participating in the preview.
The configuration allows IT teams to gradually roll out passkeys within an organization before enabling them company-wide.
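What an AAGUID restriction in a passkey profile amounts to at registration time, as an added example that is not Entra's implementation or part of the original article: the server reads the 16-byte AAGUID from the WebAuthn authenticator data and compares it with the allow-list. The AAGUID values, function names and sample data below are constructed placeholders.

```javascript
const crypto = require('node:crypto');

// Constructed placeholder; a real profile lists the Windows Hello AAGUIDs from Microsoft's documentation.
const ALLOWED_AAGUIDS = new Set(['11111111-2222-4333-8444-555555555555']);
const FLAG_AT = 0x40; // "attested credential data included" bit in the flags byte

function formatGuid(bytes) {
  const h = bytes.toString('hex');
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join('-');
}

// authenticatorData at registration:
// rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE public key
function extractAaguid(authData) {
  if (authData.length < 37) throw new RangeError('authenticatorData shorter than 37 bytes');
  if ((authData[32] & FLAG_AT) === 0) return null;        // nothing attested, so no AAGUID
  if (authData.length < 55) throw new RangeError('attested credential data truncated');
  return formatGuid(authData.subarray(37, 53));
}

// Policy decision: only authenticator models on the allow-list may register a passkey.
function registrationAllowed(authData, allowed = ALLOWED_AAGUIDS) {
  const aaguid = extractAaguid(authData);
  return aaguid !== null && allowed.has(aaguid);
}

// Builds constructed sample authenticatorData (COSE key omitted; it is not needed for this check).
function sampleAuthData(aaguid, flags = 0x45) {
  const rpIdHash = crypto.createHash('sha256').update('login.example.test').digest();
  const credId = crypto.randomBytes(16);
  const credIdLen = Buffer.alloc(2);
  credIdLen.writeUInt16BE(credId.length);
  const attested = flags & FLAG_AT
    ? [Buffer.from(aaguid.replace(/-/g, ''), 'hex'), credIdLen, credId] : [];
  return Buffer.concat([rpIdHash, Buffer.from([flags]), Buffer.alloc(4), ...attested]);
}
```

An AAGUID is only as trustworthy as the attestation statement that covers it; verifying that statement is a separate step not shown here.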
Part of Microsoft’s Larger Passwordless Strategy
The new capability is the latest step in Microsoft’s broader push to eliminate passwords across its ecosystem.
In May 2025, Microsoft announced that all newly created Microsoft accounts would be passwordless by default, requiring users to sign in through methods such as passkeys, biometric authentication, or hardware security keys.
The company had already introduced passkey support for personal Microsoft accounts in 2024, alongside updates to Windows 11 version 22H2, which included a built-in passkey manager integrated into Windows Hello.
Microsoft’s identity platform—now branded as Microsoft Entra—plays a central role in enterprise identity and access management across cloud services including:
- Microsoft 365
- Azure services
- Third-party SaaS applications integrated through identity federation
By embedding passkey authentication directly into Windows sign-ins, Microsoft aims to simplify adoption of phishing-resistant authentication across corporate environments.
Rising Pressure to Replace Passwords
The move comes amid growing cybersecurity pressure to replace password-based authentication. According to industry reports, the majority of enterprise breaches begin with stolen or compromised credentials, often harvested through phishing campaigns or reused across multiple services.
Passkeys, backed by standards from the FIDO Alliance and the World Wide Web Consortium, are increasingly being adopted by major technology companies.
Platforms including Apple, Google, and Microsoft have all rolled out passkey support in recent years as part of a broader industry effort to phase out passwords entirely.
Outlook
As organizations continue to face sophisticated phishing and credential-theft campaigns, Microsoft’s integration of passkeys into Windows sign-in workflows could accelerate enterprise adoption of passwordless security models.
If widely deployed, Entra passkeys may significantly reduce reliance on passwords across corporate environments—potentially closing one of the most persistent attack vectors in modern cybersecurity.

