Microsoft Introduces Phishing-Resistant Passkeys for Windows Sign-Ins
Summary
Hide ▲
Show ▼
Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, enabling phishing-resistant passwordless authentication via Windows Hello. The feature is opt-in and will be available in public preview from mid-March through late April 2026 for worldwide tenants, with government cloud environments following in mid-April through mid-May and general availability expected by mid-June 2026. The update extends passwordless sign-in to unmanaged Windows devices—including corporate, personal, and shared devices—addressing a previous security gap where these devices relied on password-based authentication. The passkeys are device-bound and cryptographically secured, preventing theft via phishing or malware, and are stored in the Windows Hello container for authentication via face, fingerprint, or PIN. Admin controls via Conditional Access and Authentication Methods policies enable IT administrators to manage access across different device ownership scenarios.
Timeline
-
10.03.2026 17:27 2 articles · 1mo ago
Microsoft Rolls Out Passkey Support for Microsoft Entra on Windows Devices
Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, enabling phishing-resistant passwordless authentication via Windows Hello. This feature is opt-in and will be available in public preview from mid-March through late April 2026 for worldwide tenants, with government cloud environments following in mid-April through mid-May. The update extends passwordless sign-in to unmanaged Windows devices, including corporate, personal, and shared devices, addressing a previous security gap where these relied on password-based authentication. The passkeys are device-bound and cryptographically secured, preventing theft via phishing or malware, stored in the Windows Hello container for authentication via face, fingerprint, or PIN. Admin controls via Conditional Access and Authentication Methods policies enable IT administrators to manage access across different device ownership scenarios. General availability is expected by mid-June 2026.
Show sources
- Microsoft brings phishing-resistant Windows sign-ins via Entra passkeys — www.bleepingcomputer.com — 10.03.2026 17:27
- Microsoft to roll out Entra passkeys on Windows in late April — www.bleepingcomputer.com — 24.04.2026 21:13
Information Snippets
-
Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, enabling phishing-resistant passwordless authentication via Windows Hello.
First reported: 10.03.2026 17:271 source, 2 articlesShow sources
- Microsoft brings phishing-resistant Windows sign-ins via Entra passkeys — www.bleepingcomputer.com — 10.03.2026 17:27
- Microsoft to roll out Entra passkeys on Windows in late April — www.bleepingcomputer.com — 24.04.2026 21:13
-
The feature is opt-in and will be available in public preview from mid-March through late April 2026 for worldwide tenants, with government cloud environments following in mid-April through mid-May.
First reported: 10.03.2026 17:271 source, 1 articleShow sources
- Microsoft brings phishing-resistant Windows sign-ins via Entra passkeys — www.bleepingcomputer.com — 10.03.2026 17:27
-
The update extends passwordless sign-in to unmanaged Windows devices, addressing a previous security gap.
First reported: 10.03.2026 17:271 source, 2 articlesShow sources
- Microsoft brings phishing-resistant Windows sign-ins via Entra passkeys — www.bleepingcomputer.com — 10.03.2026 17:27
- Microsoft to roll out Entra passkeys on Windows in late April — www.bleepingcomputer.com — 24.04.2026 21:13
-
The passkeys are device-bound and cryptographically secured, preventing theft via phishing or malware.
First reported: 10.03.2026 17:271 source, 2 articlesShow sources
- Microsoft brings phishing-resistant Windows sign-ins via Entra passkeys — www.bleepingcomputer.com — 10.03.2026 17:27
- Microsoft to roll out Entra passkeys on Windows in late April — www.bleepingcomputer.com — 24.04.2026 21:13
-
Each Entra account registers its own passkey per device, and multiple accounts can coexist on a single machine. However, passkeys cannot be synced across devices, requiring separate registration for each account.
First reported: 10.03.2026 17:271 source, 1 articleShow sources
- Microsoft brings phishing-resistant Windows sign-ins via Entra passkeys — www.bleepingcomputer.com — 10.03.2026 17:27
-
To enroll in the public preview, IT administrators must enable the Passkeys (FIDO2) authentication method in Entra's Authentication Methods policies, create a passkey profile with the required Windows Hello AAGUIDs, and assign it to the appropriate groups.
First reported: 10.03.2026 17:271 source, 1 articleShow sources
- Microsoft brings phishing-resistant Windows sign-ins via Entra passkeys — www.bleepingcomputer.com — 10.03.2026 17:27
-
Microsoft will roll out passkey support for phishing-resistant passwordless authentication to Microsoft Entra-protected resources from Windows devices starting late April 2026
First reported: 24.04.2026 21:131 source, 1 articleShow sources
- Microsoft to roll out Entra passkeys on Windows in late April — www.bleepingcomputer.com — 24.04.2026 21:13
-
The feature is expected to reach general availability by mid-June 2026
First reported: 24.04.2026 21:131 source, 1 articleShow sources
- Microsoft to roll out Entra passkeys on Windows in late April — www.bleepingcomputer.com — 24.04.2026 21:13
-
Entra passkeys on Windows will support corporate, personal, and shared devices with admin controls via Conditional Access and Authentication Methods policies
First reported: 24.04.2026 21:131 source, 1 articleShow sources
- Microsoft to roll out Entra passkeys on Windows in late April — www.bleepingcomputer.com — 24.04.2026 21:13
-
Passkeys are created as device-bound credentials stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN)
First reported: 24.04.2026 21:131 source, 1 articleShow sources
- Microsoft to roll out Entra passkeys on Windows in late April — www.bleepingcomputer.com — 24.04.2026 21:13
-
The feature expands passwordless authentication support to Windows devices that aren't Microsoft Entra-joined or registered
First reported: 24.04.2026 21:131 source, 1 articleShow sources
- Microsoft to roll out Entra passkeys on Windows in late April — www.bleepingcomputer.com — 24.04.2026 21:13
-
It enables the creation of FIDO2 passkeys stored in a secure local credential container exclusively for Microsoft Entra ID authentication via Windows Hello
First reported: 24.04.2026 21:131 source, 1 articleShow sources
- Microsoft to roll out Entra passkeys on Windows in late April — www.bleepingcomputer.com — 24.04.2026 21:13
-
Passkeys are cryptographically bound to each device and never transmitted over the network, preventing theft via phishing or malware
First reported: 24.04.2026 21:131 source, 1 articleShow sources
- Microsoft to roll out Entra passkeys on Windows in late April — www.bleepingcomputer.com — 24.04.2026 21:13
-
The security gap being addressed previously left personal and shared devices reliant on password-based Microsoft Entra ID authentication
First reported: 24.04.2026 21:131 source, 1 articleShow sources
- Microsoft to roll out Entra passkeys on Windows in late April — www.bleepingcomputer.com — 24.04.2026 21:13
Similar Happenings
Microsoft to Disable NTLM by Default in Future Windows Releases
Microsoft plans to disable the 30-year-old NTLM authentication protocol by default in upcoming Windows releases due to its security vulnerabilities. NTLM, introduced in 1993, has been widely exploited in attacks such as NTLM relay and pass-the-hash attacks. Microsoft is transitioning to Kerberos-based authentication, which is more secure. The company has outlined a three-phase transition plan to mitigate risks and minimize disruption. NTLM has been a fallback authentication method when Kerberos is unavailable, but its weak cryptography and vulnerabilities make it a target for attackers. Microsoft's move aims to enhance security by default in future Windows Server and client versions. NTLM was formally deprecated in June 2024 and no longer receives updates. The transition is part of Microsoft's efforts to move toward a passwordless, phishing-resistant future.
Windows 11 FIDO2 Security Key PIN Prompt Introduced in Recent Updates
Microsoft has introduced a change in Windows 11 versions 24H2 and 25H2 where FIDO2 security keys may prompt users to enter a PIN during sign-in after installing updates released since the September 2025 preview update. This change is intended to comply with WebAuthn specifications, which require user verification when set to 'preferred'. The feature began rolling out with the KB5065789 preview update and was fully deployed with the November KB5068861 update. Organizations can configure WebAuthn settings to discourage PIN usage if desired. FIDO2 security keys provide passwordless authentication, enhancing security against phishing and credential theft.
Microsoft Enforces MFA on Azure Portal Sign-ins for All Tenants
Microsoft has enforced multifactor authentication (MFA) for Azure Portal sign-ins for all tenants since March 2025. This move follows a series of announcements and warnings aimed at enhancing security across Azure services. The enforcement is part of Microsoft's broader strategy to protect user accounts against cyber threats. The enforcement began with Azure Portal sign-ins and will extend to Azure CLI, PowerShell, SDKs, and APIs in October 2025. Microsoft's data shows that MFA significantly reduces the likelihood of account compromise and hacking attempts.