FIDO2, Passkeys, Passwordless and How to Configure These in Entra ID - Part I

Anton

In this article, I'd like to give my interpretation of what passwordless authentication is. I also briefly touch on buzzwords such as "Passkeys" and "FIDO2". I discuss how the MS Authenticator app for iOS and Android can be used for MFA and for passwordless sign-in (Passkeys). I then review how to configure FIDO2 and how to enforce this method with Conditional Access Policies.

  • What is Passwordless?
  • What is FIDO, FIDO2 and what is a Passkey?
  • MS Authenticator - More than an App for MFA Push Challenges
  • How to setup a FIDO2 Key with Entra ID
  • How to enforce this Strong Authentication Method via Conditional Access Policies
  • End user FIDO2 security key enrollment

What is Passwordless?

It is literally a way to log in without using a password. That isn't to say you don't have one configured in your Entra ID tenant, but M365 administrators can configure your sign-in experience such that you may not be asked to input a password to sign in.

Passwordless allows one to use Passkeys instead of a password to log into web applications and other services.

When I get to a sign-in page for a Microsoft service (say, office.com) and I enter my UPN, I can be forced to use a passwordless authentication method depending on the configurations selected within the security tools like Authentication Strengths and Conditional Access Policies within my Entra ID tenant.

Passwordless options are the most convenient and have the highest level of security. The 4 passwordless options supported by Microsoft are:

  • Windows Hello for Business
  • Microsoft Authenticator
  • FIDO2 Security keys
  • Certificate-based authentication

What is FIDO, FIDO2 and what is a Passkey?

FIDO

FIDO stands for "Fast Identity Online". "FIDO" is also the name for several published specifications/standards for user authentication. Public key cryptography techniques are leveraged to provide this phish-resistant authentication.

FIDO2

FIDO2 is another published standard, but FIDO2 also incorporates the W3C's (another standards organization) "Web Authentication (WebAuthn)" specification. Again, the underlying techniques are public key cryptography.

What is a Passkey?

A Passkey is a phish-resistant credential that replaces passwords. It is based on FIDO standards, so a passkey is a pair of cryptographic keys, and the pair is unique to each online service. My FIDO2 USB-stick-looking thing and my mobile phone become my Passkeys, and I use them to log into online services.

You must first enroll your passkey with the online service (i.e., Entra ID), which involves proving and verifying possession of the physical key. After enrolling, you then use this passkey to authenticate. This is where

Passkeys use the cryptographic hardware elements and biometric capabilities of your phone or FIDO2 key. Ask Leo does a fantastic job explaining asymmetric key cryptography and how the communication flows happen in this video; I highly recommend watching it to see the magic behind the scenes of Passkeys.

/ˈpasˌkēs/ noun - Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant. Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.

FIDO Alliance

The FIDO Alliance is an open industry association with a focused mission: reduce the world's reliance on passwords.

Let's consider an analogy: perhaps there were a lot of car accidents at intersections at some point in time because every city or country had a different way of representing the symbol for "STOP". Then the world agreed on a standard and decided that STOP signs will always be red and octagonal.

The FIDO Alliance came together to come up with a standard, secure way of authenticating and getting rid of passwords. A lot of different vendors need to come together to make their technologies and products work together under this new standard.

The FIDO Alliance leadership comprises executives from the biggest technology companies in the world: Google, Microsoft, Intel, Yubico and so on. These software and hardware vendors have come together to develop a secure, standard way of authenticating.

MS Authenticator - More Than an App for MFA Push Challenges

The MS Authenticator mobile application on iOS and Android devices is the application that serves as our verification method for a multifactor authentication event. For example, unlike the scenario described above, if I did get to a sign-in page that prompted me for a password after entering my UPN, my MFA request would be sent to my mobile device, where I can satisfy the challenge (i.e., enter the number I see on the computer screen, the "proof-of-presence challenge").

But the MS Authenticator app can also be configured by admins, and used by end users, as a passwordless authentication method, or a passkey. The end user would again input their UPN and, after Home Realm Discovery (HRD) determines which Entra ID tenant they need to sign in to, Entra ID will detect that the user has a "strong credential" set up and the Strong Credential flow begins. Instead of inputting a password, the user is sent a push notification (proof-of-presence challenge) and then enters their biometric or PIN. Then the asymmetric cryptography stuff begins its magic behind the scenes.
