TL;DR: Passkeys provide a secure way to authenticate while offering a great user experience, making them an attractive option for organisations that want to improve security and mitigate the widespread threat of phishing. Only a few simple technical prerequisites are needed to roll out passkeys, which adds to their appeal.
Passkeys with Microsoft: How to authenticate simply and securely
What are passkeys and how do they work?
Passkeys are an easier and more secure way to log in to your accounts, without the risk and hassle of traditional passwords and MFA.
Unlike passwords, which can be stolen or guessed, a passkey is a cryptographic key pair: the private key is device-bound, stored securely on your computer or mobile device (in hardware such as the TPM where available), and is never sent to the service you sign in to. The service holds only the public key.
To use the passkey, the device performs user verification, usually a biometric (fingerprint or facial recognition) or a PIN, and then signs a one-off challenge from the service. Because the private key never leaves the device and the signature is tied to the genuine site, a remote attacker has almost nothing to steal or replay, while the user gets a great experience. It’s a win-win.
As David Howell put it,
Passkeys are the primary mitigation for phishing risk. And we know that phishing risk is the dominant cause of security issues currently.
We have a more technical explanation of passkey technology if you want to delve deeper.
What type of organisations should consider passkeys?
Every business can benefit from passkeys, regardless of size. This is because passkeys provide excellent mitigation against phishing, significantly reducing the risk of remote attacks, which remains the most common security threat facing businesses today.
Our Cyber Security Operations Centre (CSOC) can attest to this; we see phishing attacks continuously against customers of all sizes and it’s a serious threat.
Passkeys are an inexpensive way for organisations to improve security, making them a straightforward security recommendation for both SMBs and larger businesses.
How do passkeys differ from standard MFA (Multi-Factor Authentication) methods?
Traditional MFA or 2FA requires a password plus a second step, such as approving a prompt on your phone or entering a code from an authenticator app. Passkeys eliminate passwords entirely: the device performs user verification (biometric or PIN) and signs a challenge that is bound to the genuine site’s address, which is what protects against remote attacks. Modern devices support biometric or PIN authentication, making logins simpler and more secure.
Therefore, passkeys are a step towards “going passwordless”, an approach advocated by Microsoft and others. This removes forgotten passwords, weak credentials and a whole class of remote attacks, while enabling a smoother experience.
You might be wondering “isn’t a PIN just another form of password?” Great question, but they’re actually very different. A PIN is local to your device: it unlocks the passkey’s private key on that device and is never sent to Microsoft or any other server, so a remote attacker couldn’t access your account even if they knew the PIN.
You’d have to be physically holding the device to enter the PIN and authenticate with the passkey, whereas a password can be entered remotely.
While traditional MFA helps against remote phishing, it is still vulnerable to attacker-in-the-middle (AiTM) attacks, where a proxy site relays the password and the MFA code (or approval) to the real service in real time. A passkey’s signature is bound to the web address the browser is actually on, so a proxy site receives nothing it can reuse; that is what makes passkeys phishing-resistant.
In short: Passkeys are more secure than passwords and traditional MFA.
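The origin check that defeats AiTM, shown as an added example that is not part of the original article and is not Microsoft’s implementation: a deliberately simplified PowerShell model of the FIDO2/WebAuthn sign-in ceremony a passkey performs, built on .NET’s ECDSA classes. The hostnames, the key pair and the challenge values are constructed for the demonstration, and the authenticatorData layout is trimmed to the fields the checks need.

```powershell
# Added example, not Chorus's or Microsoft's code: a simplified model of the FIDO2/WebAuthn
# sign-in ceremony, to show why a passkey assertion cannot be relayed through an AiTM site
# or replayed later. Hostnames, challenge values and the key pair are illustrative assumptions.
using namespace System.Security.Cryptography
using namespace System.Text

$RpId          = 'login.example.com'                  # assumed relying party ID
$GenuineOrigin = 'https://login.example.com'          # where the real sign-in page is served
$AitmOrigin    = 'https://login.example-support.com'  # assumed reverse-proxy phishing site

function Get-Sha256([byte[]]$Bytes) { [SHA256]::Create().ComputeHash($Bytes) }

function New-Challenge {
    # The relying party issues a fresh random challenge for every sign-in attempt.
    $bytes = [byte[]]::new(32)
    [RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

# Registration: the authenticator (TPM / Secure Enclave / Authenticator app) generates a
# P-256 key pair; the relying party stores only the public key.
$authenticatorKey  = [ECDsa]::Create([ECCurve]::CreateFromFriendlyName('nistP256'))
$rpStoredPublicKey = $authenticatorKey.ExportParameters($false)

function Invoke-PasskeySignIn {
    # What the browser plus authenticator produce. The browser, not the user or the page
    # script, fills in 'origin' and rpId with the site the page really came from.
    param([ECDsa]$Key, [string]$Challenge, [string]$BrowserOrigin, [string]$BrowserRpId)
    $clientData = @{ type = 'webauthn.get'; challenge = $Challenge; origin = $BrowserOrigin } |
        ConvertTo-Json -Compress
    $clientDataJson = [Encoding]::UTF8.GetBytes($clientData)
    # authenticatorData = SHA-256(rpId) || flags || signCount. Flags 0x05 = user present
    # and user verified (the PIN or biometric was checked on the device).
    $authData = [byte[]]((Get-Sha256 ([Encoding]::UTF8.GetBytes($BrowserRpId))) + 0x05 + @(0, 0, 0, 1))
    $signed   = [byte[]]($authData + (Get-Sha256 $clientDataJson))
    return @{
        ClientDataJson    = $clientDataJson
        AuthenticatorData = $authData
        Signature         = $Key.SignData($signed, [HashAlgorithmName]::SHA256)
    }
}

function Test-PasskeyAssertion {
    # What the relying party checks, in the order the WebAuthn specification lists them.
    param($Assertion, [string]$ExpectedChallenge, [string]$ExpectedOrigin, [string]$ExpectedRpId, $PublicKey)
    $cd = [Encoding]::UTF8.GetString($Assertion.ClientDataJson) | ConvertFrom-Json
    if ($cd.type -ne 'webauthn.get')          { return 'rejected: wrong ceremony type' }
    if ($cd.challenge -ne $ExpectedChallenge) { return 'rejected: challenge mismatch (replay)' }
    if ($cd.origin -ne $ExpectedOrigin)       { return "rejected: origin $($cd.origin) is not $ExpectedOrigin (AiTM/phishing)" }
    $expectedRpIdHash = [Convert]::ToBase64String((Get-Sha256 ([Encoding]::UTF8.GetBytes($ExpectedRpId))))
    $actualRpIdHash   = [Convert]::ToBase64String([byte[]]($Assertion.AuthenticatorData[0..31]))
    if ($actualRpIdHash -ne $expectedRpIdHash)               { return 'rejected: rpIdHash mismatch' }
    if (($Assertion.AuthenticatorData[32] -band 0x04) -eq 0) { return 'rejected: user verification not performed' }
    $verifier = [ECDsa]::Create()
    $verifier.ImportParameters($PublicKey)
    $signed = [byte[]]($Assertion.AuthenticatorData + (Get-Sha256 $Assertion.ClientDataJson))
    if (-not $verifier.VerifyData($signed, $Assertion.Signature, [HashAlgorithmName]::SHA256)) { return 'rejected: bad signature' }
    return 'accepted'
}

# 1. Genuine sign-in: the browser is on the real origin, so the signed origin matches.
$challenge = New-Challenge
$genuine = Invoke-PasskeySignIn -Key $authenticatorKey -Challenge $challenge -BrowserOrigin $GenuineOrigin -BrowserRpId $RpId
Write-Output ("Genuine sign-in : " + (Test-PasskeyAssertion $genuine $challenge $GenuineOrigin $RpId $rpStoredPublicKey))

# 2. AiTM: the proxy forwards the RP's real challenge, but the victim's browser is on the
#    proxy's origin, so that is what gets signed. (In practice the browser would not even
#    offer the passkey, because the proxy's domain does not match the registered rpId.)
$relayed = Invoke-PasskeySignIn -Key $authenticatorKey -Challenge $challenge -BrowserOrigin $AitmOrigin -BrowserRpId ([Uri]$AitmOrigin).Host
Write-Output ("AiTM relay      : " + (Test-PasskeyAssertion $relayed $challenge $GenuineOrigin $RpId $rpStoredPublicKey))

# 3. Replay: a captured genuine assertion presented against a later challenge.
$laterChallenge = New-Challenge
Write-Output ("Replay          : " + (Test-PasskeyAssertion $genuine $laterChallenge $GenuineOrigin $RpId $rpStoredPublicKey))
```

Only the first scenario is accepted. The AiTM relay fails on the origin check before the signature is even looked at, which is the property that passwords and one-time codes lack: they are the same bytes whichever site the user types them into, so a proxy can forward them unchanged.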
What is the passkey user experience like for end-users?
Passkeys offer a strong user experience, making their implementation an easy choice.
Users don’t have to juggle passwords or MFA codes, and IT teams don’t have to field endless password resets. Instead, authentication becomes faster and more secure:
- On Windows devices, users authenticate with Windows Hello for Business by using a PIN, fingerprint, or facial recognition
- On mobile devices, the Microsoft Authenticator app handles passkeys with just a tap
As David noted,
“The end-user experience is actually really good and pretty flawless,” adding, “No one has to do anything different. The worst case is typing in a PIN instead of a password, but the best user experience is a fingerprint or face ID. You get to benefit from Windows Hello for Business if you didn’t already have it.”
What does the passkey creation process look like for end users?
Passkey creation couldn’t be much easier for end users. Our video shows how a passkey is created in Microsoft Authenticator on an iPhone.
What if a user loses their device?
A common concern is that losing a device means losing access. With passkeys, losing a phone only affects mobile access: the computer keeps working, because Windows Hello for Business is a separate credential. IT issues a Temporary Access Pass (TAP) so the user can set up a new passkey on the replacement device, and removes the old phone’s passkey from the user’s authentication methods in Microsoft Entra.
David reassured,
You’re unaffected on your Windows device because your Windows device is using your Windows Hello for Business credential. When you get your new phone, IT would create a TAP on your account… you’d sign in using your email address and the TAP, and then you’d be able to create a passkey on that phone. Then you’re done.
What are the prerequisites for using Microsoft passkeys?
There aren’t many prerequisites to use passkeys with Microsoft 365. If you’re a typical organisation with Microsoft 365 licensing and Windows devices, it’s pretty straightforward to implement passkeys.
David noted,
Most people would have it already. If they have Microsoft 365 Business Premium or above and Windows devices, then they’ve already got the building blocks, and the things they don’t have can be added relatively easily.
What’s required to use Microsoft passkeys with Windows and mobile devices?
Here’s a clear checklist of what’s needed to get started with Windows computers and iOS or Android mobile devices:
| Prerequisite | Windows Computers | Mobile Devices |
|---|---|---|
| Microsoft licensing | Microsoft 365 Business Premium (or higher), or a lower Microsoft 365 plan with the Entra ID P1 licence added on | As for Windows computers |
| OS / software | Windows 10 / Windows 11 | iOS 17 / Android 15 or later |
| Passkey provider | Windows Hello for Business | Microsoft Authenticator app |
Can we use Microsoft Passkeys with Apple Mac computers?
While Windows devices are straightforward, Macs may need ‘Platform Single Sign-on for macOS’ for the best experience but that can be added during the passkey project if necessary. The worst-case scenario with Macs is that a user would have to use a mobile passkey on their phone to log into the device.
| Prerequisite | Apple Mac Devices |
|---|---|
| Microsoft licensing | Microsoft 365 Business Premium (or higher), or a lower Microsoft 365 plan with the Entra ID P1 licence added on |
| OS / software | Platform Single Sign-on for macOS (requires macOS 14 or later) |
What about using passkeys for older devices?
If a user doesn’t have a compatible device, they can always use a physical FIDO2 security key, which Entra treats as a passkey as well. So you have an option for every user.
How can Chorus help organisations move to passkeys?
Chorus’s security consultants can help you implement passkeys with Microsoft 365. We’ll guide you through the steps, with our experts able to handle the technical deployment, user communications, and ongoing support, ensuring your transition is smooth and your organisation benefits from strong protection against phishing threats.
Passkeys offer a double-win with stronger security and a better user experience. If you’re ready to protect your organisation from phishing and make login effortless for your users, we’d love to help.
About Chorus
Chorus is a trusted UK MSP (Managed Service Provider) and MSSP (Managed Security Service Provider) specialising in Microsoft IT services and cyber security.
As a Microsoft Solutions Partner and a proud member of the Microsoft Intelligent Security Association (MISA), Chorus can help you start your journey to passkeys and better security.
Frequently asked questions about passkeys (FAQs)
Can you explain passwordless authentication as a concept?
Passwordless means users no longer enter a password to access company resources, because passwords are considered an insecure credential. Instead, strong authentication methods such as passkeys (Windows Hello for Business with a PIN, fingerprint or facial recognition, or a passkey in Microsoft Authenticator) are used, making the password redundant and significantly reducing phishing risk. Passwords technically still exist on the accounts, but they are no longer usable for sign-in, so users never need to know or use them.
In practice this means moving to Temporary Access Passes (TAPs). When a user needs to register a new device or recover access (e.g. after losing a phone), IT issues a TAP.
A TAP is a short-lived, strong passcode (by default valid for up to 8 hours, with the lifetime limits set in the Entra authentication methods policy) that lets the user sign in and set up a new authentication method, such as adding their account to the Authenticator app and creating a new passkey. A TAP can also be issued for a single use.
Once the TAP expires, or a single-use TAP has been used, it cannot be reused, which keeps device recovery and onboarding secure.
This process also applies to new user onboarding and device provisioning scenarios, making passwordless both secure and user-friendly.
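The lost-phone procedure described above and in the “What if a user loses their device?” section, as an added example that is not Chorus’s own script: the admin steps done with the Microsoft Graph PowerShell SDK. The user principal name and the passkey’s display name are assumptions.

```powershell
# Added example, not Chorus's procedure verbatim: revoke a lost phone's passkey, cut off any
# tokens it still holds, and issue a single-use TAP for the replacement phone.
# The UPN and the passkey display name are assumptions.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'User.ReadWrite.All'

$upn             = 'jane.doe@contoso.example'   # assumed user
$lostPasskeyName = 'Jane iPhone'                # assumed name given when the passkey was created

# Device-bound passkeys (Authenticator or a FIDO2 security key) are listed as FIDO2 methods.
$methods = Get-MgUserAuthenticationFido2Method -UserId $upn
$methods | Select-Object Id, DisplayName, Model, CreatedDateTime | Format-Table

$lost = $methods | Where-Object { $_.DisplayName -eq $lostPasskeyName }
if (-not $lost) { throw "No passkey named '$lostPasskeyName' is registered for $upn" }

# 1. Revoke the lost phone's credential. Windows Hello for Business on the laptop is a
#    separate credential and is untouched, so the user keeps working on the PC.
Remove-MgUserAuthenticationFido2Method -UserId $upn -Fido2AuthenticationMethodId $lost.Id

# 2. Deleting the passkey does not invalidate sessions the phone already has; revoke them too.
Revoke-MgUserSignInSession -UserId $upn | Out-Null

# 3. Issue a one-time TAP so the user can enrol the replacement phone in Authenticator.
#    The Temporary Access Pass method must be enabled in the Entra authentication methods policy.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn -LifetimeInMinutes 60 -IsUsableOnce
Write-Output "TAP for $upn (valid $($tap.LifetimeInMinutes) min, single use): $($tap.TemporaryAccessPass)"
# Hand the TAP to the user out of band (not by email to the account being recovered).
```

The session revocation is the step most often forgotten: removing the authentication method stops the old phone from signing in again, but refresh tokens it already holds keep working until they are revoked or expire.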
Do users with multiple devices need multiple passkeys if they’re device-bound?
Yes, a passkey is needed on each device from which a user accesses company resources; for example, a user may need one passkey on their laptop and another on their work phone. However, fewer users than you expect may actually need both.
If a work phone is only used for calls and SMS, rather than for company-managed apps or services that sign in through your Entra ID tenant, that user wouldn’t need a passkey on the phone. Many organisations therefore end up with most users needing only a computer passkey.
If we already have Windows Hello for Business, what do we need to do to use passkeys on computers?
If you’ve already rolled out Windows Hello for Business and only need computer passkeys (rather than mobile), you already have all the prerequisites. What remains is a Conditional Access policy that requires the built-in “Phishing-resistant MFA” authentication strength, which Windows Hello for Business satisfies; roll it out in report-only mode to a pilot group first, and always exclude your emergency-access (break-glass) accounts. We can help you with this.
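The Conditional Access step, as an added example that is not Chorus’s deployment script: creating the policy with the Microsoft Graph PowerShell SDK, scoped to a pilot group and in report-only mode. The group IDs and the policy name are assumptions; the authentication strength is looked up by name rather than hard-coded.

```powershell
# Added example, not Chorus's deployment script: create a Conditional Access policy that
# requires the built-in "Phishing-resistant MFA" authentication strength (satisfied by
# Windows Hello for Business, a device-bound passkey in Authenticator or a FIDO2 key).
# Group IDs and the policy name are assumptions; the policy starts in report-only mode.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$pilotGroupId      = '00000000-0000-0000-0000-000000000000'  # assumed: pilot users
$breakGlassGroupId = '11111111-1111-1111-1111-111111111111'  # assumed: emergency-access accounts

# Resolve the built-in strength by display name instead of hard-coding its ID.
$strengths = (Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies').value
$phishingResistant = $strengths | Where-Object { $_.displayName -eq 'Phishing-resistant MFA' }
if (-not $phishingResistant) { throw 'Built-in "Phishing-resistant MFA" strength not found' }

$policy = @{
    displayName = 'CA-Pilot-Require-Phishing-Resistant-MFA'
    # Report-only first: review the sign-in logs for users who would have been blocked,
    # then change the state to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistant.id }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -Body $policy
Write-Output "Created policy $($created.id) ($($created.displayName)) in report-only mode"
```

Requiring the strength is also what makes the account effectively passwordless: a password plus an SMS code or app approval no longer meets the grant control, so a phished password on its own cannot be used against the protected apps.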
We have users that access company resources on mobile devices, so how do we enable passkeys for them?
There’s a bit more work for mobile devices than for computers, because each user needs to install the Authenticator app and create a passkey in it. That action is simple enough, but there are device prerequisites (iOS 17 or Android 15 or later) and, on the tenant side, the “Passkey (FIDO2)” authentication method must be enabled in Entra. Fortunately, you don’t need Mobile Device Management (MDM) or Mobile Application Management (MAM) to be set up, which makes the rollout straightforward.
What if some users don’t have phones compatible with passkeys?
If a user’s phone is too old to be supported, they can always use a physical FIDO2 security key, which Entra treats as a passkey as well. So you have an option for every user.
Do users that only require a computer passkey for their laptop still need to use an authenticator app?
Users who only need a computer passkey for their laptop do not need the Authenticator app for company sign-in, as authentication is handled by Windows Hello for Business on the device. They would still keep an authenticator app for any other services where they use traditional 2FA (e.g. SaaS apps not managed by the company).
If passkeys are a device-bound credential, how is it some users can use their phones to log into their computers?
This might be the case if someone isn’t able to have a computer passkey for any reason. For example, let’s say they use a Mac and Platform Single Sign-on for macOS wasn’t available. IT may decide to set them up with a passkey on the phone to log into the computer.
While passkeys are device-bound, a user can still use the passkey on their phone to log in to a computer through FIDO cross-device authentication: the computer shows a QR code, the user scans it with the phone, and the two devices complete the sign-in over a Bluetooth Low Energy (BLE) connection. The BLE step proves the phone is physically near the computer, which is a key security feature of the FIDO specification: an attacker who emails a screenshot of the QR code to a victim elsewhere cannot complete the Bluetooth exchange, so the sign-in cannot be relayed. No special configuration is needed beyond Bluetooth being available on both devices; the process is automatic and works on most laptops.