Microsoft Introduces Phishing-Resistant Entra Passkeys for Secure Windows Sign-Ins
Microsoft has announced the rollout of phishing-resistant Entra passkeys for secure Windows sign-ins. This new feature enhances passwordless authentication through Windows Hello on Windows devices.
Overview of Microsoft Entra Passkeys
Passkey support is set to enter public preview from mid-March to late April 2026 for global users. The initiative is particularly significant because it also extends passwordless sign-in to unmanaged Windows devices, which previously relied on traditional password methods.
Key Details About the Rollout
- Public Preview: Mid-March to late April 2026.
- Government Cloud Rollout: Mid-April through mid-May 2026 for GCC, GCC High, and DoD environments.
- Authentication Method: Users can utilize Windows Hello for signing in with facial recognition, fingerprints, or PINs.
According to a statement from Microsoft, “We’re introducing Microsoft Entra passkeys on Windows to enable phishing-resistant sign-in to Entra-protected resources.” This crucial update allows for the creation of device-bound passkeys stored securely within the Windows Hello environment.
Security Enhancements
The generated passkeys are cryptographically linked to the device and are not transmitted over networks. This makes them resistant to theft through phishing or malware attacks. Each Entra account can register its own unique passkey per device; these passkeys are device-specific and cannot be synchronized across different devices.
How to Enroll in Public Preview
IT administrators interested in participating in the public preview must follow several key steps:
- Enable the Passkeys (FIDO2) authentication method in Entra’s Authentication Methods policies.
- Create a passkey profile that includes the necessary Windows Hello AAGUIDs.
- Assign the profile to the appropriate user groups.
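The three steps above can be verified against an exported policy. The following Python check is an added example, not code from Microsoft or from the original article: it audits a constructed export that uses the property names of the Microsoft Graph fido2AuthenticationMethodConfiguration resource. The AAGUIDs and group ids are placeholders, and modelling the passkey profile as that resource's keyRestrictions allow-list is an assumption.

```python
import json

# Placeholders (assumptions): replace with the Windows Hello AAGUIDs published
# by Microsoft and with the object id of your own pilot group.
REQUIRED_AAGUIDS = {"00000000-0000-0000-0000-0000000000a1",
                    "00000000-0000-0000-0000-0000000000a2"}
PILOT_GROUPS = {"11111111-1111-1111-1111-111111111111"}

# Constructed sample export (not real tenant data).
SAMPLE_POLICY = json.loads("""
{
  "id": "Fido2",
  "state": "enabled",
  "keyRestrictions": {
    "isEnforced": true,
    "enforcementType": "allow",
    "aaGuids": ["00000000-0000-0000-0000-0000000000A1"]
  },
  "includeTargets": [
    {"targetType": "group", "id": "22222222-2222-2222-2222-222222222222"}
  ]
}
""")


def audit_passkey_policy(policy, required_aaguids, pilot_groups):
    """Return a list of findings; an empty list means all three steps are in place."""
    findings = []
    # Step 1: the Passkeys (FIDO2) method must be enabled.
    if policy.get("state") != "enabled":
        findings.append("fido2-method-disabled")
    # Step 2: an enforced allow-list must contain every required AAGUID.
    kr = policy.get("keyRestrictions") or {}
    listed = {g.lower() for g in kr.get("aaGuids") or []}
    if not kr.get("isEnforced") or kr.get("enforcementType") != "allow":
        findings.append("aaguid-allow-list-not-enforced")
    for guid in sorted(g.lower() for g in required_aaguids):
        if guid not in listed:
            findings.append(f"aaguid-missing:{guid}")
    # Step 3: every pilot group must be an include target ("all_users" covers all).
    targets = {t.get("id", "").lower() for t in policy.get("includeTargets") or []
               if t.get("targetType") == "group"}
    if "all_users" not in targets:
        for group in sorted(g.lower() for g in pilot_groups):
            if group not in targets:
                findings.append(f"group-not-targeted:{group}")
    return findings


if __name__ == "__main__":
    for finding in audit_passkey_policy(SAMPLE_POLICY, REQUIRED_AAGUIDS, PILOT_GROUPS):
        print(finding)
```

On the constructed sample the audit reports one missing AAGUID and one untargeted pilot group, the two gaps that would leave pilot users unable to register a Windows Hello passkey.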
The Shift Towards Passwordless Security
In May 2025, Microsoft announced that all new accounts would be passwordless by default. This move aims to protect user accounts from phishing, brute-force, and other attack methods. Passkey authentication for personal accounts became available a year earlier with the Windows 11 22H2 feature update, which also included a built-in passkey manager.
As cyber threats evolve, the importance of adopting advanced security measures like Microsoft Entra’s passkeys becomes increasingly critical. This initiative represents a significant step in reducing dependence on passwords and enhancing overall digital security for users worldwide.