Passkey (FIDO2, CBA, SSH, MFA)
Over the years we have used SSH key-based authentication, deployed a restricted set of FIDO2 security keys, and experimented with certificate-based authentication (CBA). Complexity and platform limitations kept any of them from being rolled out broadly, so we ended up relying on MFA through authenticator apps or even SMS, which is considered weak because one-time codes can be phished or intercepted. Passkeys promise to change this, offering:
- Passwordless sign-in (SSO)
- Strong, phishing-resistant second factor (MFA)
- Cross-platform compatibility (CP, XPLAT)
- Simple onboarding (cross-device registration via QR code)
When enabling passkeys for Microsoft 365 (Entra ID, formerly Azure AD), the following requirements apply:
- Enable the Passkey (FIDO2 security key) authentication method in the Entra ID authentication methods policy: https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods/fromNav/
- Windows 11 22H2 with KB5030310 installed, or 23H2 (21H2 is not supported); editions: Pro, Enterprise, Education
- Enable Windows Hello for Business (PIN, face or fingerprint) for the work account
- Have the user register the new sign-in method under Security info (My Account): https://mysignins.microsoft.com/security-info
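As an added example (not from the original page or from Microsoft), the script below checks the four requirements above: the client side from the Windows build, edition, hotfix list and `dsregcmd /status`, and the tenant side by reading (and optionally enabling) the FIDO2 authentication method configuration through Microsoft Graph. Build numbers 22621.2361 (22H2 with KB5030310) and 22631 (23H2) are assumed from the KB article; the Graph calls assume the Microsoft.Graph PowerShell SDK is installed and an account with the Policy.ReadWrite.AuthenticationMethod permission.

```powershell
# Added example: passkey prerequisite check for Entra ID / Windows 11.
# Assumed builds: 22621.2361 = Windows 11 22H2 + KB5030310, 22631 = 23H2.
function Test-PasskeyClientPrereqs {
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$cv.CurrentBuildNumber
    $ubr     = [int]$cv.UBR                 # update build revision, bumped by each CU
    $edition = [string]$cv.EditionID        # Professional, Enterprise, Education, Core, ...

    # 22H2 needs the September 2023 preview CU (or anything later); 23H2 ships with it.
    $osOk      = ($build -eq 22621 -and $ubr -ge 2361) -or ($build -ge 22631)
    $editionOk = $edition -match '^(Professional|Enterprise|Education)'

    # Get-HotFix only lists the KB if it is still present by that ID; once a later
    # cumulative update supersedes it the UBR check above is the reliable signal.
    $kbPresent = $null -ne (Get-HotFix -Id 'KB5030310' -ErrorAction SilentlyContinue)

    # dsregcmd /status: NgcSet = Windows Hello for Business key provisioned for this user,
    # AzureAdJoined / WorkplaceJoined = the device knows the work account.
    $dsreg  = dsregcmd /status
    $ngcSet = [bool]($dsreg | Select-String -Pattern 'NgcSet\s*:\s*YES')
    $joined = [bool]($dsreg | Select-String -Pattern '(AzureAdJoined|WorkplaceJoined)\s*:\s*YES')

    [pscustomobject]@{
        Build              = "$build.$ubr"
        Edition            = $edition
        OsVersionOk        = $osOk
        EditionOk          = $editionOk
        KB5030310Listed    = $kbPresent
        WorkAccountJoined  = $joined
        HelloForBusinessOk = $ngcSet
        ReadyForPasskeys   = $osOk -and $editionOk -and $joined -and $ngcSet
    }
}

# Tenant side: read the FIDO2 (passkey) method configuration; -Enable turns it on
# with self-service registration so users can add it under Security info.
function Get-EntraFido2Policy {
    param([switch]$Enable)

    Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' | Out-Null
    $uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/' +
           'authenticationMethodConfigurations/fido2'
    $cfg = Invoke-MgGraphRequest -Method GET -Uri $uri

    if ($Enable -and $cfg.state -ne 'enabled') {
        $body = @{
            '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
            state                            = 'enabled'
            isSelfServiceRegistrationEnabled = $true
            # keyRestrictions (AAGUID allow/block list) is where a "restricted set of
            # security keys" is expressed; it is deliberately left untouched here.
        }
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body ($body | ConvertTo-Json) `
            -ContentType 'application/json' | Out-Null
        $cfg = Invoke-MgGraphRequest -Method GET -Uri $uri
    }

    [pscustomobject]@{
        State                = $cfg.state
        SelfServiceEnabled   = $cfg.isSelfServiceRegistrationEnabled
        AttestationEnforced  = $cfg.isAttestationEnforced
        KeyRestrictions      = $cfg.keyRestrictions
    }
}

# Usage: run on the client first, then against the tenant.
Test-PasskeyClientPrereqs | Format-List
Get-EntraFido2Policy -Enable | Format-List
```

Run the client check as the user who will register the passkey, since `dsregcmd /status` reports the Windows Hello for Business state (NgcSet) for the current user. If the tenant already enforces key restrictions from an earlier security-key rollout, check that the AAGUID allow-list covers the passkey provider you intend to use, otherwise registration is refused even though the method shows as enabled.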
Reference: