In only a few months, Microsoft Entra ID will add preview support for device-bound passkeys stored on computers and mobile devices as an authentication method, alongside the existing support for FIDO2 security keys. This lets your users perform phishing-resistant authentication with the devices they already have.
What is a device-bound passkey?
First, let’s zoom in a little on device-bound passkeys. A device-bound passkey is a FIDO2 discoverable credential that is bound to a single authenticator. FIDO2 security keys, for example, typically hold device-bound passkeys, since the credential cannot leave the device. Device-bound passkeys were previously referred to as single-device passkeys.
Because of this, the current FIDO2 security key authentication method policy in Entra ID will be expanded to support the use of passkeys. So, if your organization already uses FIDO2 security keys for phishing-resistant authentication (good job!), it’s time for action!
If your organization requires or prefers FIDO2 authentication using physical security keys only, enforce key restrictions in your FIDO2 policy so that only the security key models you accept are allowed. Otherwise, the new preview capabilities will let your users register device-bound passkeys stored on Windows, macOS, iOS, and Android.
Key Restriction Policy
You can use the FIDO2 Key Restriction Policy to specifically block or allow types of FIDO2 keys. The policy matches on the AAGUID (Authenticator Attestation GUID) of the key; most FIDO2 security key models have a unique AAGUID that can be used to either block or allow that model. In this example, I’ve blocked one specific key in Entra ID.
Where can I find these AAGUIDs?
Most of these AAGUIDs can be found on the vendor’s website. For example:
The AAGUID can also be found in the Microsoft Entra admin center, under the Authentication methods blade of the user.
The Graph API can also show the AAGUID when running:
Time for action
Microsoft will use the FIDO2 authentication method UX to integrate the new device-bound passkeys into Entra ID. So, if you currently use FIDO2 keys but don’t use the Key Restriction Policy, device-bound passkeys will be enabled by default. If you want to control the use of passkeys, make sure you only allow the FIDO2 keys you currently support in your tenant. This will automatically block device-bound passkeys when they arrive.
Be aware that key restrictions govern the usability of specific FIDO2 methods for both registration and authentication. If you change key restrictions and remove an AAGUID you previously allowed, users who registered a key with that AAGUID can no longer use it to sign in.
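As an added example (not code from the original post or from Microsoft), the following Python script models the allow/block evaluation of the key restriction policy described above and flags users whose already-registered keys a changed policy would refuse at sign-in. The policy and per-user JSON are constructed samples shaped like the Graph fido2 authentication method configuration and fido2Methods objects as I understand them; the AAGUIDs, model names and user names are made up.

```python
"""Check an Entra ID FIDO2 key-restriction policy against users' registered
FIDO2 methods, to see who would lose sign-in after an AAGUID is removed."""
import json

# Constructed sample shaped like a Graph fido2AuthenticationMethodConfiguration
# (GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2).
POLICY_JSON = """{
  "state": "enabled",
  "keyRestrictions": {
    "isEnforced": true,
    "enforcementType": "allow",
    "aaGuids": ["11111111-1111-1111-1111-111111111111"]
  }
}"""

# Constructed sample shaped like GET /users/{id}/authentication/fido2Methods per user;
# aaGuid is the property the policy matches on. All values are made up.
USER_METHODS_JSON = """{
  "alice@example.com": [{"aaGuid": "11111111-1111-1111-1111-111111111111", "model": "Vendor Key A"}],
  "bob@example.com":   [{"aaGuid": "22222222-2222-2222-2222-222222222222", "model": "Vendor Key B"}],
  "carol@example.com": []
}"""

def key_permitted(policy: dict, aaguid: str) -> bool:
    """Apply the policy's key restrictions to one AAGUID. With no enforced
    restriction every authenticator (device-bound passkeys included) is permitted."""
    kr = policy.get("keyRestrictions") or {}
    if not kr.get("isEnforced"):
        return True
    listed = aaguid.lower() in {g.lower() for g in kr.get("aaGuids", [])}
    return listed if kr.get("enforcementType") == "allow" else not listed

def blocked_registrations(policy: dict, user_methods: dict) -> dict:
    """Map user -> registered AAGUIDs the policy would refuse for sign-in."""
    result = {}
    for user, methods in user_methods.items():
        denied = [m["aaGuid"] for m in methods if not key_permitted(policy, m["aaGuid"])]
        if denied:
            result[user] = denied
    return result

def evaluate_samples() -> dict:
    """Run the check over the constructed samples above."""
    return blocked_registrations(json.loads(POLICY_JSON), json.loads(USER_METHODS_JSON))

if __name__ == "__main__":
    for user, guids in evaluate_samples().items():
        print(f"{user}: registered key(s) {guids} not permitted by current policy")
```

Run it against the real Graph responses (with the listing permissions your tenant grants) before tightening the AAGUID list, so affected users can re-register an allowed key first.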