MC920300 – Microsoft Entra: Enablement of Passkeys in Authenticator for passkey (FIDO2) organizations with no key restrictions

check before: 2025-03-03

Product:

Entra, Microsoft 365 Apps

Platform:

Online, US Instances, World tenant

Change type:

Admin impact, Updated message

Details:

Summary:
Starting late January 2025, organizations with enabled passkey (FIDO2) policy and no key restrictions will have passkeys in the Microsoft Authenticator app. Users can add this via aka.ms/MySecurityInfo, and it's enforced by Conditional Access policy. Organizations preferring not to enable this can impose key restrictions.

Details:
Beginning late January 2025 (previously mid-January), after the General Availability of passkeys in the Microsoft Authenticator app, organizations with the passkey (FIDO2) authentication methods policy enabled with no key restrictions will be enabled for passkeys in the Microsoft Authenticator app in addition to FIDO2 security keys. This update aligns with the broader availability of passkeys in Entra ID, extending from device-bound passkeys on security keys to device-bound passkeys also on user devices. Users who navigate to aka.ms/MySecurityInfo will see "Passkey in Microsoft Authenticator" as an authentication method they can add. Additionally, when Conditional Access (CA) authentication strengths policy is used to enforce passkey authentication, users who don't yet have any passkey will be prompted inline to register passkeys in Authenticator to meet the CA requirements. If an organization prefers not to enable this change for their users, they can work around it by enabling key restrictions in the passkey (FIDO2) policy. This change will not impact organizations with existing key restrictions or organizations that have not enabled the passkey (FIDO2) policy.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): Rollout will happen late January 2025 (previously mid-January).
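One way to check which of the three cases above a tenant falls into, as an added example that is not part of the Message Center post or of cloudscout.one: it classifies a passkey (FIDO2) method configuration using the Microsoft Graph properties `state` and `keyRestrictions`. The sample configurations and the placeholder AAGUID are constructed, and treating AAGUIDs that are listed but not enforced as "no key restrictions" is an assumption.

```python
# Constructed samples shaped like Microsoft Graph's
# fido2AuthenticationMethodConfiguration resource (not real tenant data).
PLACEHOLDER_AAGUID = "00000000-0000-0000-0000-000000000000"  # constructed value

SAMPLES = {
    "enabled_unrestricted": {
        "id": "Fido2", "state": "enabled",
        "keyRestrictions": {"isEnforced": False, "enforcementType": "allow", "aaGuids": []},
    },
    "enabled_restricted": {
        "id": "Fido2", "state": "enabled",
        "keyRestrictions": {"isEnforced": True, "enforcementType": "allow",
                            "aaGuids": [PLACEHOLDER_AAGUID]},
    },
    "listed_not_enforced": {
        "id": "Fido2", "state": "enabled",
        "keyRestrictions": {"isEnforced": False, "enforcementType": "allow",
                            "aaGuids": [PLACEHOLDER_AAGUID]},
    },
    "disabled": {"id": "Fido2", "state": "disabled", "keyRestrictions": None},
}


def assess_fido2_policy(config: dict) -> tuple:
    """Return (verdict, reason) for one passkey (FIDO2) method configuration."""
    if str(config.get("state", "")).lower() != "enabled":
        return ("not_impacted", "passkey (FIDO2) policy is not enabled")

    restrictions = config.get("keyRestrictions") or {}
    aaguids = restrictions.get("aaGuids") or []
    if restrictions.get("isEnforced") is True:
        kind = restrictions.get("enforcementType", "unknown")
        return ("not_impacted",
                f"key restrictions enforced ({kind}, {len(aaguids)} AAGUIDs)")

    # Assumption: a populated AAGUID list with isEnforced=false is not applied,
    # so the tenant is treated as having no key restrictions.
    if aaguids:
        return ("impacted", "AAGUIDs listed but key restrictions not enforced")
    return ("impacted", "policy enabled with no key restrictions")


if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        verdict, reason = assess_fido2_policy(cfg)
        print(f"{name:22} {verdict:13} {reason}")
```
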

Created:
2024-10-29

updated:
2025-01-25

Direct effects for Operations**

User Authentication Disruption
Users may face difficulties in accessing their accounts if they are not prepared to register passkeys, leading to potential login failures.
   - roles: End Users, IT Support Staff
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/introducing-passkeys-in-microsoft-authenticator/ba-p/3741230

Increased Support Tickets
The introduction of passkeys without prior user training may lead to an increase in support requests related to authentication issues.
   - roles: IT Support Staff, Help Desk Agents
   - references: https://www.forbes.com/sites/bernardmarr/2023/01/30/the-future-of-passwords-how-passkeys-are-replacing-passwords-in-2023/?sh=5c1c1c1e7b5b

User Experience Confusion
Users may be confused by the new authentication method, leading to frustration and decreased productivity if they are not informed beforehand.
   - roles: End Users, Training Coordinators
   - references: https://www.microsoft.com/security/blog/2023/01/30/introducing-passkeys-in-microsoft-authenticator/

Security Risks
Without proper preparation, users may inadvertently expose their accounts to security risks if they do not understand how to use passkeys effectively.
   - roles: End Users, Security Officers
   - references: https://www.csoonline.com/article/3661235/what-are-passkeys-and-how-do-they-work.html

Documentation Updates
Existing documentation may become outdated or misleading, leading to further confusion among users regarding authentication processes.
   - roles: Documentation Specialists, IT Managers
   - references: https://www.microsoft.com/en-us/security/blog/2023/01/30/introducing-passkeys-in-microsoft-authenticator/

Opportunities**

Enhanced User Authentication Experience
The introduction of passkeys in the Microsoft Authenticator app provides users with a more secure and convenient method of authentication, reducing reliance on traditional passwords. This can lead to a decrease in account-related security incidents and enhance overall user satisfaction.
   - next-steps: Communicate the benefits of passkeys to users and provide training sessions to familiarize them with the new authentication method. Prepare support documentation to assist users in transitioning to passkeys.
   - roles: IT Security Manager, User Experience Designer, Help Desk Staff
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/introducing-passkeys-in-microsoft-authenticator/ba-p/3709055, https://www.microsoft.com/security/blog/2023/09/20/secure-your-accounts-with-passkeys/

Improved Compliance with Security Policies
With Conditional Access policies enforcing passkey registration, organizations can ensure higher compliance with security protocols, minimizing the risk of unauthorized access. This aligns with regulatory requirements for data protection and enhances the organization's security posture.
   - next-steps: Review and update existing security policies to integrate passkey requirements. Conduct audits to ensure compliance with the new authentication methods and adjust training for compliance teams accordingly.
   - roles: Compliance Officer, IT Security Manager, Risk Management Officer
   - references: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview, https://www.microsoft.com/security/blog/2023/10/01/the-future-of-passwordless-authentication/

Reduction in Support Costs Related to Password Resets
By enabling passkeys, organizations can significantly reduce the number of password reset requests, as users will rely less on passwords. This can lead to lower operational costs for IT support teams and improved productivity for users.
   - next-steps: Analyze current support ticket data related to password resets to establish a baseline. Prepare a communication strategy to inform users about the transition to passkeys and monitor support ticket trends post-implementation.
   - roles: Help Desk Staff, IT Operations Manager, Cost Management Analyst
   - references: https://www.forbes.com/sites/bernardmarr/2023/10/15/the-benefits-of-passwordless-authentication-in-business/?sh=6c5e5c5a4c6d, https://www.cio.com/article/364674/how-passwordless-authentication-can-reduce-it-support-costs.html

** AI generated content. This information must be reviewed before use.

change history

Date: 2025-01-25
Property: MC Last Updated
   - old: 10/28/2024 23:50:43
   - new: 2025-01-24T19:08:47Z

Date: 2025-01-25
Property: MC Messages
   - old: Beginning mid-January 2025, after the General Availability of passkeys in the Microsoft Authenticator app, organizations with the passkey (FIDO2) authentication methods policy enabled with no key restrictions will be enabled for passkeys in the Microsoft Authenticator app in addition to FIDO2 security keys. This update aligns with the broader availability of passkeys in Entra ID, extending from device-bound passkeys on security keys to device-bound passkeys also on user devices. Users who navigate to aka.ms/MySecurityInfo will see "Passkey in Microsoft Authenticator" as an authentication method they can add. Additionally, when Conditional Access (CA) authentication strengths policy is used to enforce passkey authentication, users who don't yet have any passkey will be prompted inline to register passkeys in Authenticator to meet the CA requirements. If an organization prefers not to enable this change for their users, they can work around it by enabling key restrictions in the passkey (FIDO2) policy. This change will not impact organizations with existing key restrictions or organizations that have not enabled the passkey (FIDO2) policy. [When this will happen:] General Availability (Worldwide, GCC, GCC High, DoD): Rollout will happen mid-January 2025.
   - new: Beginning late January 2025 (previously mid-January), after the General Availability of passkeys in the Microsoft Authenticator app, organizations with the passkey (FIDO2) authentication methods policy enabled with no key restrictions will be enabled for passkeys in the Microsoft Authenticator app in addition to FIDO2 security keys. This update aligns with the broader availability of passkeys in Entra ID, extending from device-bound passkeys on security keys to device-bound passkeys also on user devices. Users who navigate to aka.ms/MySecurityInfo will see "Passkey in Microsoft Authenticator" as an authentication method they can add. Additionally, when Conditional Access (CA) authentication strengths policy is used to enforce passkey authentication, users who don't yet have any passkey will be prompted inline to register passkeys in Authenticator to meet the CA requirements. If an organization prefers not to enable this change for their users, they can work around it by enabling key restrictions in the passkey (FIDO2) policy. This change will not impact organizations with existing key restrictions or organizations that have not enabled the passkey (FIDO2) policy. [When this will happen:] General Availability (Worldwide, GCC, GCC High, DoD): Rollout will happen late January 2025 (previously mid-January).

Date: 2025-01-25
Property: MC MessageTagNames
   - old: Admin impact
   - new: Updated message, Admin impact

Date: 2025-01-25
Property: MC Summary
   - old: Starting mid-January 2025, organizations with enabled passkey (FIDO2) policy and no key restrictions will have passkeys in the Microsoft Authenticator app. Users can add this via aka.ms/MySecurityInfo, and it's enforced by Conditional Access policy. Organizations preferring not to enable this can impose key restrictions.
   - new: Starting late January 2025, organizations with enabled passkey (FIDO2) policy and no key restrictions will have passkeys in the Microsoft Authenticator app. Users can add this via aka.ms/MySecurityInfo, and it's enforced by Conditional Access policy. Organizations preferring not to enable this can impose key restrictions.
