Multi-factor authentication, or MFA, is one of the most impactful technologies an organisation can implement to stop would-be attackers from gaining access to an environment. After all, most attackers don’t hack in; they log on.

Statistics tell us that deploying MFA to an account can lower its chances of compromise by 99.2%. Microsoft Entra’s native MFA solution is a market leader in the security space, not least because of how tightly it is integrated with Conditional Access. But not all MFA methods are equally secure.

Attackers have been cleverly constructing techniques to get around the huge obstacle that MFA presents to them. SIM swapping, for example, means an attacker aggressively takes over your registered phone number and then intercepts one-time passcodes sent via SMS or phone call. Even if an organisation has phased out these methods in favour of the Microsoft Authenticator application, attackers have also been known to swamp a user’s phone with notifications; the user eventually gets so fed up with the bombardment, and assumes there is some kind of IT problem, that they simply hit “approve” to make their phone stop beeping. This is called MFA fatigue. Either of these techniques could be used to bypass the security boundaries your organisation has put in place.

A well-known and very secure way of providing additional authentication is FIDO2 keys: normally a small USB fob that has been cryptographically linked to an Entra ID account. Inserting the fob when prompted gives the authentication process the assurance it requires to grant access to the resource. This is incredibly secure, but critics would say that the fobs are expensive, easy to lose or misplace, or worse, easy to forget to take with you in the first place. To help address this, Microsoft recently enabled passkeys in the Microsoft Authenticator app. How does this help bridge the gaps identified above?

A passkey in this context is just like a FIDO2 fob: a software-powered security device whose credential is stored securely in the hardware of the iOS or Android device being used. Microsoft developed this solution in partnership with Apple and Google to ensure the most seamless experience. During a logon attempt, after entering a valid username, the authentication service asks the user to choose a method of passkey sign-in: an iPhone, iPad or Android device, or a security key (the FIDO2 fob described above). Once the former option is chosen, users are presented with a QR code:

The user then opens the Camera app on their device, points the camera at the QR code on the screen, and is prompted to biometrically confirm their identity via the Microsoft Authenticator app to complete the authentication process. Note that this QR code is useless to anybody without the passkey on their device, so an attacker would require the username, the unlocked device, access to the Microsoft Authenticator app (which can also be controlled via its own security rules) and the ability to pass a live biometric check before access could be granted. This is one of the easiest ways to implement a strong, resilient, phishing-proof MFA capability in an organisation, and it can be used to protect access to apps, M365, Azure and more.
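To show why the QR code on its own is useless to an attacker, here is an added example (not code from this post, Microsoft or the Authenticator app) that models the FIDO2/WebAuthn pattern a passkey relies on: a private key held only on the phone signs the server's random challenge together with a hash of the relying-party ID the browser reports. The type and function names (Passkey, Assert, Verify, signedBytes) are illustrative, and flags, signature counter and the full clientData structure are deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Passkey models the device-bound credential the post describes: a key pair
// created on the phone at registration. Only the public half is sent to Entra.
type Passkey struct {
	Pub  *ecdsa.PublicKey
	priv *ecdsa.PrivateKey // never leaves the phone's secure hardware
}

func NewPasskey() *Passkey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Passkey{Pub: &priv.PublicKey, priv: priv}
}

// signedBytes mirrors WebAuthn: SHA-256(rpId) is folded into the signed data,
// so a signature is only valid for the site the authenticator was shown.
// (Flags, signature counter and the full clientData JSON are left out.)
func signedBytes(rpId string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpId))
	msg := sha256.Sum256(append(rpHash[:], challenge...))
	return msg[:]
}

// Assert is the phone's half of the QR-code step: after the biometric check it
// signs the server's challenge for the rpId the browser reports (the real site).
func (p *Passkey) Assert(rpIdSeen string, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, signedBytes(rpIdSeen, challenge))
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify is the relying party's half, checked against its own rpId and the
// challenge it issued. A captured challenge without the private key, or a
// signature produced while on a look-alike domain, both fail this check.
func Verify(pub *ecdsa.PublicKey, rpId string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedBytes(rpId, challenge), sig)
}
```

Because the challenge is random per sign-in and the signature is bound to both the challenge and the rpId, neither intercepting the QR code nor relaying it through another site yields anything the relying party will accept.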

This comes with the added assurance that most users already have access to their phones, and are less likely to lose or misplace an entire phone than a small USB fob. People generally realise very quickly when their phone is out of sight. It also means that any organisation that currently distributes and/or manages devices for its staff has most of the pieces in place to roll this out quickly, with no additional hardware costs. With a small amount of user education, you could be up and running in minutes.

This feature is currently in preview, and you can read more about it here. As always, if you have any questions, or need any help or guidance on how to use any of these features, please reach out to your Quorum Cyber contact, or get in touch with me at [email protected].