Passkey authentication: Microsoft and Google lead the way

While Microsoft passkey support debuts for personal accounts on Windows, Google and Apple platforms, Google reveals that more than 400 million accounts have already adopted passkey authentication.

“Abandonment of passwords, where possible, in particular in favor of methods that make use of cryptographic challenges, is always excellent news,” comments Giuseppe Dongu, Advisory Operations Leader – Tinexta Cyber. “I believe that passwords have now proven to be a fallacious mechanism, which reflects the human fallacy: having a method that does not rely on the human part, but on the cryptographic capacity of the machine, also allowing portability, is certainly an important improvement.”

Here is how it works and how the new passwordless measure makes credentials more secure in the era of identity attacks.

Passkey authentication: Microsoft’s announcement for personal accounts

By now we are all aware that any authentication system is at risk if it relies only on passwords, even if these represent the first bastion of defense, to be chosen and managed with extreme care.

Windows users can now access their Microsoft consumer accounts using a passkey, authenticating with passwordless methods such as Windows Hello, FIDO2 security keys, biometrics (facial scans or fingerprints), or device PIN.

Microsoft consumer accounts, which now gain passkey authentication, are the personal accounts used to access Microsoft services and products such as Windows, Office, 365, Outlook, OneDrive, Copilot and Xbox Live.

Microsoft announced the new passkey support as part of World Password Day to increase security against phishing attacks, with the goal of eliminating passwords altogether in the future.

“It is interesting to follow this further evolution of Microsoft towards a universally passwordless world,” explains Marco Capelli, Implementation Service Operations Director – Tinexta Cyber.

Microsoft had already added support for website and application passkeys to Windows. With the added support for Microsoft accounts, consumers can now easily log in without entering their password.

How to use passkey authentication

To use passkeys for Microsoft accounts, you must first create one and select the first option (facial recognition, fingerprint, PIN or security key).

When you sign in to your Microsoft account, just select “More ways to sign in.” You choose “Face, Fingerprint, PIN, or Security Key,” and then select your previously saved passkey from the list.

The device opens a security window that manages the authentication process with the desired method.

Supported platforms

Then, you need to follow the instructions on your device to finalize the creation of a new passkey.

The platforms currently supported are:

  • Windows 10 and later versions;
  • macOS Ventura and later versions;
  • Apple Safari 16 and later versions;
  • ChromeOS, Chrome, Microsoft Edge 109 and later versions;
  • iOS 16 and later versions;
  • Android 9 and later versions.

Google passkey numbers

Google recently announced that passkeys are used by over 400 million Google accounts, authenticating users more than 1 billion times in the last two years.

“Passkeys are easy to use and resistant to phishing, as they rely only on a fingerprint, face scan or PIN, making them 50% faster than passwords,” said Heather Adkins, vice president of security at Google.

The Mountain View giant underlines that passkeys for authentication on Google Accounts are more popular than traditional forms of two-factor authentication, such as SMS one-time passwords (OTPs) and app-based OTPs, combined.

Furthermore, the company stated that it is expanding Cross-Account Protection, which warns of suspicious events with third-party apps and services linked to a user’s Google account, to include multiple apps and services.

Google should also support the use of passkeys for high-risk users as part of its Advanced Protection Program (APP), which aims to safeguard people from targeted attacks because of who they are and what they do. Among these, workers and candidates in electoral campaigns, journalists and human rights activists stand out.

While the APP program previously used hardware security keys as a second factor, it will now allow enrollment with any passkey along with hardware security keys, or will use them as the only authentication method.

What a passkey is and how it works

Passkeys are a form of passwordless authentication that uses a cryptographic key pair: the public key is stored on the service provider’s server and the private key is securely stored on the user’s device.

During an authentication attempt, the server issues a “challenge” that can only be resolved with the private key, which confirms the user’s identity. Since the private key is protected by device-level security mechanisms, such as biometrics or a PIN, the user only needs to provide this data to log in.

Because passkeys do not involve sharing a password that can be intercepted or stolen, and are typically tied to a particular device, they are inherently resistant to phishing.
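
The challenge-response flow described above, as an added example that is not part of the original article: a simplified Node.js model (not the actual WebAuthn message format) in which the signed data also carries the site origin, so a response produced on a look-alike site is rejected by the real service. The class and function names and the example origins are assumptions made for illustration.

```javascript
// Added example: simplified model of a passkey sign-in, not the real WebAuthn wire format.
const crypto = require('crypto');
// Registration happens on the device; only the public key is sent to the service.
const createPasskey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Service side (hypothetical in-memory store of public keys and open challenges).
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key
    this.pending = new Map();    // user -> challenge awaiting a response
  }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  issueChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // a challenge is single use, so a replay finds nothing
    const publicKey = this.publicKeys.get(user);
    if (!expected || !publicKey) return 'no-pending-challenge';
    const signed = Buffer.from(assertion.clientData);
    if (!crypto.verify('sha256', signed, publicKey, assertion.signature)) return 'bad-signature';
    const data = JSON.parse(assertion.clientData);
    if (data.challenge !== expected) return 'wrong-challenge';
    if (data.origin !== this.origin) return 'wrong-origin';
    return 'ok';
  }
}

// Device side: signs the challenge together with the origin the browser is actually on.
function signIn(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
}

function demo() {
  const rp = new RelyingParty('https://login.example'); // constructed origins
  const key = createPasskey();
  rp.register('alice', key.publicKey);
  const good = signIn(key.privateKey, rp.issueChallenge('alice'), rp.origin);
  const first = rp.verify('alice', good);
  const replay = rp.verify('alice', good); // same response sent a second time
  const relayed = signIn(key.privateKey, rp.issueChallenge('alice'), 'https://login-example.test');
  return { first, replay, lookalike: rp.verify('alice', relayed) };
}
console.log(demo());
```

The private key never leaves `signIn`, so the service holds nothing that would let someone who copies its database sign in as the user.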

Additionally, they eliminate the need for users to remember and enter passwords, which often leads to risky practices that should be avoided, such as recycling old passwords or using weak, easy-to-guess passwords.

Finally, passkeys are compatible with different devices and operating systems, making the authentication process frictionless.

“The spread of strong cryptographic authentication mechanisms, undertaken since the introduction of passkeys,” highlights Fabrizio Vacca, MSS Operations Director – Tinexta Cyber, “seems like a step in the right direction to me. The topic shifts towards the correct protection of endpoints to prevent risks of leakage of private cryptographic components.”

Google adopted passkey in December 2022. Microsoft integrated it into Windows 11 in September 2023.

1Password, Amazon, Apple, Dashlane, Docusign, eBay, Kayak, Microsoft, PayPal, Shopify, Uber and WhatsApp are some of the other important companies that have adopted passkeys.

Critical issues still open in passkey authentication

Microsoft synchronizes passkeys with other devices, rather than storing separate passkeys on each device. This, however, is not the safest method, because if an attacker manages to access an account, they would be able to synchronize the passkeys on their device.

Therefore, to avoid this critical issue, “the training and education of every user in the correct management of their credentials and devices remains very important, because being passwordless does not mean being risk-free,” confirms Marco Capelli.

 