Journey to Passwordless Authentication Might Include Some Bumps

Synched Passkeys and Risky User Remediation for Passwordless Authentication

One of the Microsoft Entra sessions at the Ignite 2025 conference urged attendees to consider moving to passwordless authentication on the basis that it is a phishing-safe and faster method than many types of multifactor authentication. During the demo, the presenters showed how easy it is to create and use passwordless authentication, including a new feature that allows users to create synched passkeys (that part of the session featured several new words, such as “syncability”).

Synched passkeys are a new preview feature. Essentially, instead of device-bound passkeys linked to a specific piece of hardware, such as a FIDO2 key, the passkeys are synchronized with a trusted identity provider like Apple or Google and are therefore available on multiple devices. According to Microsoft, synched passkeys are 14 times faster to authenticate than a traditional multifactor authentication setup such as a password and authenticator. I guess that shouldn’t surprise anyone because it’s logical that software can read and use the passkeys quicker than any user can enter their password and then respond to an authentication challenge.

More information is available in this Microsoft video.

Setting Up Synched Passkeys

The Entra admin center released the UX for synched passkeys in mid-November. I had tried to set up synched passkeys with the Apple iCloud Keychain on my iPhone, but no matter what I did, the process failed at the last step.

After attending the session, I tried again, but this time I set up a new passkey profile. Entra provides a default passkey profile to tenants, and that’s what I had been using (after configuring the profile for synched passkeys). I created a new security group as the target for the passkey profile, added my account to the group, and then created the passkey profile. Everything worked and I now have synched passkeys listed in my authentication methods (Figure 1).

Figure 1: Authentication methods for a user including synched passkeys

Anytime I’m asked to authenticate by Microsoft 365 or another Microsoft cloud service on my iPhone, I can use either the device-bound passkey managed by the Microsoft Authenticator app or the synched passkey in my iCloud keychain. The mechanism really works very nicely.

Adjusting Administrative Processes for Passwordless Users

All of which brings me to discuss the administrative arrangements around passkeys and the passwordless scenarios that passkeys enable. Tenant administrators have been dealing with users and the entertaining ways that they interact with passwords for many years. This is a well-worn road that holds little mystery.

Understanding how to deal with passwordless users takes some adjustment. For instance, take the case when Entra ID Protection flags a user account as highly risky and a conditional access policy blocks access to the account (Figure 2). At this point, the account requires remediation for its risky state. Changing the account password is the usual remediation method, but obviously asking someone to change their account password doesn’t work if they don’t use passwords.

Figure 2: Entra ID detects that new users have been flagged as high risk

It can be argued that the whole point of passwordless authentication is that accounts are much less likely to be compromised. Passkeys are phishing-resistant, but it’s still possible that an attacker might gain access through a stolen device. In any case, if you assume that something can’t happen, it will.

In this case, the solution is a recent change to conditional access policy settings to require remediation for risky users. Essentially, you deploy a conditional access policy to detect when an account is in the high-risk state. The policy applies to users with passwords and those who are passwordless and forces the user to prove their identity by signing into the tenant. Those with passwords sign in using whatever authentication method is configured for the account and must reset their password to proceed.

Passwordless users can remediate by going through the authentication process using their preferred method (like passkeys) twice. Once this happens, Entra ID is happy that the user is not compromised or otherwise highly risky and reduces their risk state appropriately (Figure 3).

Figure 3: The state of a risky user is remediated by a conditional access policy
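The administrative adjustment described above starts with knowing which of your high-risk users are actually passwordless, because the remediation path differs. The following Microsoft Graph PowerShell script is an added example (not from the original post or from Microsoft) that lists users currently at high risk and reports whether each has a passkey (FIDO2) method registered. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in administrator can consent to the scopes shown; treating "has a passkey registered" as a proxy for "passwordless" is an assumption of the example, since Entra ID does not expose a single passwordless flag per user.

```powershell
# Added example (not the post's own code): report high-risk users and whether they hold a passkey,
# so the admin knows whether a password reset or a double passkey sign-in is the remediation route.
# Assumes the Microsoft.Graph PowerShell SDK is installed and consent is granted for these scopes.
Connect-MgGraph -Scopes "IdentityRiskyUser.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Users currently flagged high risk and still at risk (not yet remediated or dismissed)
$riskyUsers = Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All

$report = foreach ($risky in $riskyUsers) {
    # Each registered method carries an @odata.type that identifies what kind of method it is
    $methods = Get-MgUserAuthenticationMethod -UserId $risky.Id
    $types   = $methods | ForEach-Object { $_.AdditionalProperties.'@odata.type' }

    $hasPasskey       = $types -contains '#microsoft.graph.fido2AuthenticationMethod'
    $hasAuthenticator = $types -contains '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'

    [PSCustomObject]@{
        User             = $risky.UserPrincipalName
        RiskLevel        = $risky.RiskLevel
        RiskLastUpdated  = $risky.RiskLastUpdatedDateTime
        HasPasskey       = $hasPasskey
        HasAuthenticator = $hasAuthenticator
        # Assumption of this example: a registered passkey marks the user as a passwordless candidate,
        # who remediates by signing in twice with the strong method rather than by resetting a password.
        RemediationPath  = if ($hasPasskey) { 'Sign in twice with passkey (no password reset)' } else { 'Password reset' }
    }
}

$report | Sort-Object HasPasskey -Descending | Format-Table -AutoSize
```

Run it before you dismiss or confirm risk on anyone: a user who appears with HasPasskey set to True but no Authenticator method will never see a password-change prompt, so the conditional access policy that requires remediation for risky users is the only automated route back to a normal risk state for them.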

Processes and Procedures Need to Keep Pace

The point here is that as tenants adopt new features and functionality, processes and procedures need to keep pace. In this instance, there’s a compelling logic behind adopting phishing-resistant multifactor authentication for everyone. Remember, any form of multifactor authentication is better than simple passwords and will stop password spray attacks dead. Increasing the strength of multifactor authentication makes your Microsoft 365 tenant more secure. If you keep those procedures updated!


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

2 Replies to “Journey to Passwordless Authentication Might Include Some Bumps”

  1. Synced passkeys are often saved on consumer-level Google or Apple accounts. This means access to them is one successful phish of those accounts away, and there is no visibility into these events.

    Synced passkeys are best implemented with always requiring a compliant, Entra joined or registered device alongside them. It works beautifully.
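The device requirement suggested in the reply above is expressed in Entra ID as a conditional access grant control. The following Microsoft Graph PowerShell script is an added example (not from the original post or the commenter) that creates such a policy in report-only mode so the sign-in log impact can be reviewed before enforcement. It assumes the Microsoft.Graph PowerShell SDK, consent for the scope shown, and a placeholder break-glass group id that must be replaced with a real one; note that "compliantDevice" covers Intune-compliant devices (including Entra joined devices enrolled in Intune) and "domainJoinedDevice" covers hybrid joined devices, while Entra registered devices have no dedicated grant control of their own.

```powershell
# Added example (not the post's or the commenter's code): create a report-only Conditional Access
# policy that requires a compliant or hybrid joined device for all users on all cloud apps.
# Assumes the Microsoft.Graph PowerShell SDK and consent for the scope below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# Placeholder: emergency-access (break-glass) group to exclude; replace with your tenant's group id
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require compliant or hybrid joined device (report-only)"
    # Report-only: evaluated and logged in sign-in logs, but not enforced until changed to "enabled"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: satisfy the policy with either an Intune-compliant device or a hybrid joined device.
        # Entra registered devices have no dedicated control; compliance is the usual route for them.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode until the sign-in logs show that every user who relies on a synced passkey also signs in from a device that passes the control; only then change the state to "enabled", and keep the break-glass exclusion in place.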
