Entra ID Passkey

Due to the ever-increasing number of hacker attacks, it is now essential to take further account security measures to protect accounts from unauthorized intrusion. One measure published by Microsoft at the beginning of the year is Entra ID Passkey.

Entra ID 

Microsoft Entra ID is the new name for the former Azure Active Directory (Azure AD). This renaming marks Microsoft's goal to unite identity and access management solutions under one roof. Entra ID retains the core features of Azure AD, such as single sign-on (SSO), multi-factor authentication (MFA) and conditional access, but adds new security services. This is part of the larger Microsoft Entra portfolio, which also includes Verified ID and Permissions Management, and provides a comprehensive solution for modern security challenges.

https://learn.microsoft.com/de-de/entra/fundamentals/new-name

Passwordless login  

A passwordless login is a login that, as the name suggests, is possible without a password. For some time now, there have been options such as web authentication, the Microsoft Autenticator or hardware tokens that issue a unique code that must be entered. Each of these options has its advantages and disadvantages. One disadvantage of the code-specific login options is that they are phishable and can therefore be unintentionally passed on by the user to an attacker posing as a company administrator. However, even if other code-specific login options are phishable, they help with thorough user training to protect accounts from unauthorized access.

In order not to lose the connection to the employees who are to use such login options, it is necessary that these are convenient solutions. Despite the convenient solution, the login option should be as secure as possible. The Fast IDentity Online 2 (FIDO2) key in particular offers this with the current technology.

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless#fido2-security-key-providers

The FIDO2 keys offer the advantage that they can be inserted into the PC or laptop like a USB stick and used to authenticate the person in question. It is therefore not possible to provide a one-off code or even a password and the account is completely protected against unauthorized access. In addition, it does not send any sensitive information due to its hardware-bound nature. Microsoft has published a list of supported authentication methods in a Microsoft Learn post.

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-fido2-hardware-vendor

Passkey

The FIDO Alliance, which is the company behind FIDO, defines Passkey as follows: “Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant.

Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.“

Passkeys are an add-on to the FIDO2 standard and are intended to make it easier for users to use by not having to pair each authenticator with a user account.

Functionality FIDO2 Key

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless#fido2-security-key-providers

In the illustration shown, published by Microsoft, you can see exactly how a FIDO2 key works.

First of all, the user must insert the FIDO2 key into the computer.
In the next step, Windows recognizes the FIDO2 key
Now that Windows has recognized the key, it can send an authentication request to Microsoft Entra ID
Microsoft Entra ID sends back a nonce.
Next, the user performs a gesture to unlock the private key. This private key is stored in the FIDO2 security key's secure enclave.
Now the nonce is signed with the private key
The primary refresh token (PRT) with the signed nonce is sent to Microsoft Entra ID
The signed nonce is verified by Microsoft Entra ID using the FIDO2 key
If the verification is successful, Entra ID returns the PRT and thus grants access to local resources

Organization-wide activation of Entra ID Passkey

Step 1

Open the item "Policies", which is located under "Manage" and click on "FIDO2 security key".

Step 2

In the next step, there is the option of setting the FIDO2 key for all users ...

... or only for certain users. If the key should only be available for a selected group, e.g. to test it, then click on "Add group" to select the respective user.

Important, please note that only security groups are supported for this selection.

Note

Advanced settings can be made under the "Configure" tab.

Organization-wide activation of Entra ID Passkey in Microsoft Authenticator

Please note that the settings in the "Configure" tab are as follows:

Allow self-service set up: Yes
Enforce attestation: No
Enforce key restrictions: Yes
Restrict specific keys: Allow
“Select Microsoft Authenticator (preview) if the checkbox is displayed in the admin center. This setting automatically populates the Authenticator app AAGUIDs for you in the key restriction list. Otherwise, you can manually add the following AAGUIDs to enable the Authenticator passkey preview:
- Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
- Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f “ ~
https://learn.microsoft.com/de-de/entra/identity/authentication/how-to-enable-authenticator-passkey

Add passkey

If a different window appears, this must be confirmed with "Next".
Login with your account where you want to link your key on this side: Microsoft Azure