Microsoft expands passkey support, phases out weaker authentication methods

As passkey experts prepare to congregate at the upcoming FIDO Alliance Authenticate APAC 2026 conference in Singapore next month, Microsoft is announcing more moves towards passwordless authentication.

The tech company plans to release two new capabilities in late May: Entra passkeys on Windows, which lets users create and use device-bound passkeys on personal or unmanaged Windows devices via Windows Hello, and passkeys for Microsoft Entra External ID, aimed at customer-facing applications.

For consumers, Microsoft Password Manager now supports saving and syncing passkeys across devices logged into a Microsoft account, with iOS and Android support coming through Microsoft Edge.

Microsoft also tightened account recovery last week, which has historically been an attack vector. A new identity verification flow lets users recover access using government-issued ID and biometric face checks after losing all authentication methods. New verification partners 1Kosmos and Clear join existing providers Au10tix, Idemia and TrueCredential.

Future plans include removing security questions as a password reset option in Microsoft Entra ID starting January 2027. The company cites vulnerability to guessing and social engineering as the reason behind the decision, but a part of the decision is also AI risk. If an account tied to an AI agent is compromised, attackers can use that agent to access systems and execute workflows within existing permissions.

Last year, Microsoft signed the FIDO Alliance’s Passkey Pledge alongside dozens of other organizations, promising to participate in standards work and make other contributions to passwordless authentication.

The company notes that hundreds of millions of users are already using passkeys to sign into Microsoft’s consumer services, including OneDrive, Xbox, and Copilot.

“Inside Microsoft, we’ve eliminated weaker authentication methods and rolled out phishing-resistant authentication, covering 99.6 percent of users and devices in our environment,” it says.

Microsoft executives are due to participate in Authenticate APAC 2026, which runs from June 2nd and 3rd. The event will also host speakers from Thales, Google, Okta, Ping Identity, Rakuten and many more. The event will be followed by a FIDO Member Plenary.

Last week, the FIDO Alliance published its The State of Passkeys 2026 report, showing that more than 5 billion passkeys are now in global use between consumer and workforce environments.

Article Topics

Authenticate Conference  |  biometric authentication  |  biometrics  |  FIDO Alliance  |  Microsoft  |  Microsoft Entra  |  passkeys  |  passwordless authentication