A passkey is a modern, passwordless authentication method based on public-key cryptography. Instead of entering a password, you authenticate using a hardware device storing your passkey or an application on your mobile device using your fingerprint, face recognition, or your device PIN. Passkeys eliminate the need for passwords and significantly reduce the risk of phishing, credential theft, and MFA fatigue attacks.
Key Benefits and Features
Benefits
- Easy to Set Up: The instructions for setting up passkeys are simple and user-friendly.
- Fast Login: Logging in with passkeys is quicker than using traditional passwords. Plus, you don't have to remember any passwords or wait for text messages.
- Highly Secure: Passkeys are one of the most secure ways to log in. They are phishing-resistant because they are tied to a legitimate website or application.
Features
- Passkeys use a private and public key pair:
- The private key stays securely on your device
- The public key is stored in Microsoft Entra
- Authentication occurs when your device signs a challenge using the private key
- Microsoft Authenticator allows passkeys to be stored and used directly from your mobile device
Passkey vs. Hardware Security Key
Passkeys and hardware security keys are closely related but not identical.
| Feature |
Passkeys (Authenticator / Device) |
Hardware Security Keys (FIDO2) |
| Storage Location |
Stored on device (phone, OS, Authenticator app) |
Stored on physical key (USB/NFC/Bluetooth) |
| Portability |
Can sync across devices (if enabled) |
Requires physical possession of the key |
| Authentication |
Biometric or device PIN |
PIN + touch/tap of physical key |
| Security Level |
Very high (phishing-resistant) |
Very high (hardware-bound and phishing-resistant) |
| Use Case |
General workforce, mobile-first users |
High-security users, admins, or restricted environments |
Some hardware security keys can also store passkeys, acting as a secure, device-bound authentication method.