Entra Synced Passkeys and Passkey Profiles

By John Savill's Technical Training

Key Concepts

  • Passkeys: A passwordless authentication method that uses cryptographic key pairs to verify user identity.
  • Synced Passkeys: Passkeys that are synchronized across multiple devices within a specific ecosystem (e.g., Apple iCloud Keychain, Google Password Manager).
  • Device-Bound Passkeys: Passkeys that are stored and accessible only on a single device.
  • Entra ID (formerly Azure AD): Microsoft's cloud-based identity and access management service.
  • Authenticator App: Mobile applications (like Microsoft Authenticator) that can store and manage passkeys.
  • Attestation: A security feature where the passkey includes metadata proving its origin from a trusted hardware security key or a trusted platform.
  • FIDO Alliance Metadata Service (MDS): A service that provides metadata about FIDO authenticators, including attestation certificates.
  • Passkey Profile: A configuration within Entra ID that defines the settings and policies for passkey usage.
  • Ecosystem: A collection of devices and services that share a common platform or provider (e.g., Apple ecosystem, Google ecosystem).

Synced Passkey Support in Entra ID

This video details the introduction of synced passkey support in Entra ID, highlighting its benefits for both organizations and users, and explaining how it differs from previous device-bound passkey implementations.

Benefits of Passkeys

Passkeys are gaining prominence in security discussions due to their significant advantages:

  • Convenience: Users can authenticate by simply scanning a QR code or using proximity-based methods (Bluetooth, NFC, physical connection), eliminating the need to remember complex passwords.
  • Phishing Resistance:
    • Proximity Requirement: Passkeys require a physical connection or proximity to the device they are stored on, so a remote attacker cannot trick a user into completing an authentication on a machine the attacker controls.
    • Domain Matching: Passkeys are tied to specific domains. If a user attempts to authenticate to a fake URL (e.g., rn-microsoft.com instead of microsoft.com), the passkey will not match, thus preventing phishing attacks based on spoofed websites.

Evolution of Entra ID Passkey Support

Previously, Entra ID supported passkeys primarily through the Microsoft Authenticator app on mobile devices. This implementation was device-bound, meaning the passkey was stored only on that specific device and did not synchronize.

  • Device-Bound Passkey Characteristics:
    • Storage: Resided solely within the Authenticator app on a single device.
    • Synchronization: No synchronization across devices.
    • Security Benefit: Organizations had clear visibility into where the key was stored.
    • Convenience Constraint: If a user lost their phone or acquired a new one, they would have to re-create their passkey, potentially leading to credential recovery processes.

This contrasts with consumer passkeys (e.g., for Microsoft accounts or other third-party services), which are typically synchronized within an ecosystem to ensure availability across multiple devices.

Consumer Passkey Synchronization Models

  • Apple Ecosystem: Passkeys created on an iOS device are synchronized via iCloud Keychain to other Apple devices (iPad, Mac) signed in with the same Apple account.
  • Google/Android Ecosystem: Passkeys created on an Android device or within the Chrome browser are synchronized using the Google Password Manager to other Android devices or Chrome browsers signed in with the same Google account.

These synchronized passkeys are ecosystem-specific and do not synchronize between different ecosystems (e.g., Apple to Google). This "synced passkey" approach offers greater flexibility and convenience for users.

Entra ID's New Synced Passkey Support

Entra ID is now introducing support for synced passkeys, allowing organizations to leverage this more convenient authentication method for their users.

  • Implementation: This is managed through passkey profiles configured within Entra ID's authentication methods policies.
  • Configuration:
    • Authentication Methods > Policies > Passkey: Administrators can enable and configure synced passkey support.
    • Public Preview: The feature is currently available in public preview.

Passkey Profiles and Policies

Entra ID utilizes passkey profiles to define how passkeys can be used.

  • Default Passkey Profile (Pre-Synced Support):
    • Enforces Attestation: Requires the passkey to include metadata proving its origin from a trusted source (e.g., a hardware security key or a trusted platform). This is crucial for verifying the authenticity of the passkey.
    • Device-Bound: Only allows passkeys stored on the local device (e.g., via Microsoft Authenticator).
    • Targeting: Can be configured to target specific user groups (e.g., "All Users").
    • Attestation Explained: Attestation means the passkey includes a certificate chain that traces back to a trusted root certificate published to the FIDO Alliance Metadata Service (MDS). This ensures the passkey is not from a compromised or untrusted source.
  • Creating a New Synced Passkey Profile:
    • Profile Name: A descriptive name (e.g., "Synced Profile").
    • Attestation: Cannot enforce attestation for synced passkeys. This is a key difference from the default device-bound profile.
    • Type: Select "Synced" to enable synced passkey functionality.
    • Targeting: Can be assigned to specific user groups (e.g., a pilot group, task-based workers).
    • User Choice: Users belonging to multiple profiles (e.g., "All Users" and a specific "Synced" group) can choose to create either a device-bound or a synced passkey.

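The domain-matching and attestation points above (Phishing Resistance, and the device-bound versus synced profile settings) can be illustrated with a relying-party registration check. This is an added example, not code from the video or from Entra ID: the profile model, the origin "https://login.microsoft.com" and the sample authenticator data are assumptions, and the signature and MDS certificate-chain validation that a real verifier performs are omitted. Synced versus device-bound is read from the WebAuthn "backup eligible" flag that authenticators set on credentials that may be synchronized.

```python
import base64
import hashlib
import json
from dataclasses import dataclass

# Authenticator data flag bits (WebAuthn Level 3, authenticatorData flags byte).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or PIN on the device)
FLAG_BE = 0x08  # backup eligible: the credential may be synced across devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced

@dataclass(frozen=True)
class PasskeyProfile:
    """Hypothetical model of the two profile settings discussed above."""
    name: str
    allow_synced: bool
    enforce_attestation: bool

DEVICE_BOUND_PROFILE = PasskeyProfile("Default", allow_synced=False, enforce_attestation=True)
SYNCED_PROFILE = PasskeyProfile("Synced Profile", allow_synced=True, enforce_attestation=False)

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample authenticatorData: rpIdHash || flags || signCount."""
    return rp_id_hash(rp_id) + bytes([flags]) + sign_count.to_bytes(4, "big")

def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed sample clientDataJSON for a registration ceremony."""
    return json.dumps({"type": "webauthn.create", "origin": origin,
                       "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()})

def evaluate_registration(rp_id, expected_origin, client_data_json, auth_data, att_fmt, profile):
    """Return (accepted, reason). Signature and attestation-chain checks are omitted here."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.create":
        return False, "not a registration ceremony"
    if cd.get("origin") != expected_origin:  # domain matching: a lookalike origin fails here
        return False, f"origin {cd.get('origin')!r} is not {expected_origin!r}"
    if auth_data[:32] != rp_id_hash(rp_id):
        return False, "rpIdHash does not match the expected RP ID"
    flags = auth_data[32]
    if not (flags & FLAG_UP and flags & FLAG_UV):
        return False, "user presence and user verification are both required"
    synced = bool(flags & FLAG_BE)
    if synced and not profile.allow_synced:
        return False, f"profile {profile.name!r} only allows device-bound passkeys"
    if profile.enforce_attestation and att_fmt == "none":
        return False, f"profile {profile.name!r} enforces attestation but none was provided"
    return True, "synced passkey" if synced else "device-bound passkey"
```

A production verifier would additionally validate the attestation statement's certificate chain against the FIDO MDS before trusting the "device-bound" result.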
Balancing Security and Convenience

Organizations can strategically use different passkey profiles to balance security and convenience:

  • High-Privilege Users: It is recommended to enforce device-bound passkeys with attestation for high-privilege users to ensure the strictest control and visibility over their authentication methods.
  • Regular/Task-Based Workers: Synced passkeys can be offered to these users for increased convenience and flexibility, especially when they use multiple devices.

User Experience with Synced Passkeys

When a user is enabled for synced passkeys and attempts to sign in:

  1. Sign-in Options: The user can choose to sign in using a passkey without typing their username.
  2. Device Selection: They will be prompted to use their iPhone, iPad, or Android device.
  3. QR Code Prompt: A QR code is displayed on the authentication screen.
  4. Device Scan: The user scans the QR code using their mobile device's camera.
  5. Connection Establishment: A Bluetooth connection is established between the device and the authentication service.
  6. Passkey Selection: The user is presented with a list of available passkeys that match the domain. Only relevant passkeys are shown, preventing phishing.
  7. Biometric Authentication: The user is prompted for a biometric verification (face, fingerprint) or PIN on their device to confirm their identity. This combines "something you have" (the device) with "something you are" (biometric).
  8. Successful Sign-in: The user is signed in securely.

The experience is designed to be seamless, with the system automatically filtering passkeys to prevent users from being tricked by fake URLs. The user can choose between passkeys stored in their device's native wallet (e.g., iOS Wallet) or third-party options.

Conclusion

Entra ID's new synced passkey support provides organizations with a powerful tool to enhance user authentication. By allowing administrators to define and assign passkey profiles, organizations can tailor their security posture, offering the convenience of synced passkeys to a broader user base while maintaining strict controls for privileged accounts. This feature represents a significant step towards a more secure and user-friendly passwordless future.