Authentication: What is a Passkey?

Tags MFA passkey

A passkey is a modern, passwordless authentication method based on public-key cryptography. Instead of entering a password, you authenticate using a hardware device storing your passkey or an application on your mobile device using your fingerprint, face recognition, or your device PIN. Passkeys eliminate the need for passwords and significantly reduce the risk of phishing, credential theft, and MFA fatigue attacks.

Key Benefits and Features

Benefits

  • Easy to Set Up: The instructions for setting up passkeys are simple and user-friendly.
  • Fast Login: Logging in with passkeys is quicker than using traditional passwords. Plus, you don't have to remember any passwords or wait for text messages.
  • Highly Secure: Passkeys are one of the most secure ways to log in. They are phishing-resistant because they are tied to a legitimate website or application. 
     

Features

  • Passkeys use a private and public key pair:
    • The private key stays securely on your device
    • The public key is stored in Microsoft Entra
  • Authentication occurs when your device signs a challenge using the private key
  • Microsoft Authenticator allows passkeys to be stored and used directly from your mobile device

Passkey vs. Hardware Security Key

Passkeys and hardware security keys are closely related but not identical. 

Feature Passkeys (Authenticator / Device) Hardware Security Keys (FIDO2)
Storage Location Stored on device (phone, OS, Authenticator app) Stored on physical key (USB/NFC/Bluetooth)
Portability Can sync across devices (if enabled) Requires physical possession of the key
Authentication Biometric or device PIN PIN + touch/tap of physical key
Security Level Very high (phishing-resistant) Very high (hardware-bound and phishing-resistant)
Use Case General workforce, mobile-first users High-security users, admins, or restricted environments
Some hardware security keys can also store passkeys, acting as a secure, device-bound authentication method.