Microsoft expands passkey support

Microsoft said on May 7 that it is widening passkey support across both consumer and enterprise identity products while tightening the recovery and fallback paths that can let attackers bypass stronger sign-in methods. The push includes passkeys in Microsoft Password Manager for consumer accounts and planned passkey support for Microsoft Entra External ID, the company’s customer identity product. (microsoft.com) Microsoft also said it is reducing reliance on passwords, SMS codes and other phishable methods as part of a broader passwordless effort. The announcements were published in Microsoft security and Entra blog posts tied to World Passkey Day. (techcommunity.microsoft.com) ### Where is Microsoft adding passkeys now? Microsoft said consumer users can now save and sync passkeys across devices signed in with a Microsoft account through Microsoft Password Manager, with iOS and Android support rolling out through Microsoft Edge. (biometricupdate.com) Microsoft’s Edge product page says passkeys are stored in Microsoft Password Manager and can sync across Windows devices logged in with a personal Microsoft account, with availability on iOS as well. Biometric Update reported on May 14 that Microsoft also plans to release passkeys for Microsoft Entra External ID in late May. That product is used by companies building customer-facing apps and sign-in flows, extending passkey support beyond workforce accounts into consumer and business-customer identity systems. (microsoft.com) ### Why is Microsoft talking about recovery and fallback methods at the same time? Microsoft said in a May 7 Entra blog post that passkeys “aren’t the finish line” if accounts still keep weaker backup methods attached. The company identified three gaps it said attackers still exploit after passkeys are deployed: phishable sign-in methods, dormant credentials left on accounts, and weak recovery channels. (microsoft.com) The same post said passwords, SMS codes and push notifications remain vulnerable as long as users can still authenticate with them. Microsoft said recovery is another weak point because helpdesk-led processes and knowledge-based questions can be manipulated through social engineering, SIM swaps and deepfakes. (biometricupdate.com) ### How is Microsoft changing account recovery? Microsoft’s account recovery documentation says the company is replacing manual helpdesk-led recovery in some enterprise scenarios with automated identity proofing. The system is designed for cases where users lose all registered authentication methods, such as after a lost or stolen device. (techcommunity.microsoft.com) Microsoft said account recovery in Entra ID uses government-issued identification, biometric verification, Microsoft Entra Verified ID and Face Check, together with third-party identity-verification providers. The company said that approach is intended to re-establish trust in a user’s identity before allowing new authentication methods to be registered. (techcommunity.microsoft.com) ### What is Microsoft saying about the security case for passkeys? Microsoft said passkeys are phishing-resistant because they use a private key stored on the user’s device and only work for the site or app where they were created after the user unlocks them with biometrics or a PIN. Microsoft’s Entra documentation says passkeys are built on FIDO standards and use origin-bound public-key cryptography, which the company says prevents credentials from being replayed or handed to a fake site. (learn.microsoft.com) Vasu Jakkal and Nadim Abdo wrote in Microsoft’s May 7 security blog that hundreds of millions of users already sign in with passkeys every day across OneDrive, Xbox and Copilot. Ankur Patel wrote in the Entra blog that Microsoft measures consumer sign-in success at 95% for passkeys versus 30% for legacy methods, and that passkey sign-ins are 14 times faster than password-plus-code multifactor authentication. (learn.microsoft.com) ### What changes for companies using Entra? Microsoft’s Entra documentation says passkeys already support workforce sign-in to Microsoft Entra ID and Windows 11 resources, including single sign-on to cloud and on-premises systems. The planned Entra External ID release extends that model to customer accounts used in external applications. (microsoft.com) Microsoft also said consumer and enterprise identity platforms share a common foundation, and that improvements in registration flows, error handling and cross-device sync for Microsoft account users flow into Entra ID and Entra External ID. That means enterprises adopting passkeys will also need to account for how recovery, credential removal and method registration are handled when weaker options are withdrawn. (microsoft.com) ### What happens next and when? Late May 2026 is the next named milestone in Microsoft’s rollout. Biometric Update said Microsoft plans to release Entra passkeys on Windows for personal or unmanaged Windows devices and passkeys for Microsoft Entra External ID in that period. (learn.microsoft.com) Microsoft’s support and product pages already direct users to save passkeys in Microsoft Password Manager or other synced credential managers, and Microsoft said mobile support through Edge is rolling out soon. The company’s Entra and security documentation pages are the main places where those release details and recovery changes are being published. (support.microsoft.com) (biometricupdate.com) (techcommunity.microsoft.com)