Microsoft 365 passkeys – Analysis of sign-ups and logins with passkeys: Best practices from Microsoft 365
This article series aims to provide a systematic overview of the passkey process and user experience of different companies as they move towards a password-free world. While the common goal is user-friendly and secure authentication, each company implements passkeys in its own way.
- Availability since Q2/2023
- Initial passkey setup seems tedious via the “Security” section in the Microsoft 365 account settings
- No availability on native Microsoft 365 app (Android & Apple)
- Does not work with Safari on macOS; on a MacBook, passkeys only work with Chrome
- Passkeys only available at login, not at initial sign up for an account (yet)
- Windows Hello provides stable and well-known environment for Windows users
- Microsoft explicitly does not use the term “passkeys” and rather calls it “passwordless” sign in
More and more companies from a wide range of industries are stepping into a password-free world and implementing passkeys. Through this series of articles, we aim to provide a comprehensive overview of the passkey user experience at those companies. This should enable you to incorporate these findings and enhance your product login accordingly. In each article, we focus on a single company. Today, we dive into Microsoft 365. Passkeys became available for Microsoft 365 accounts in Q2 2023, although they are not called passkeys. The rollout of Microsoft 365 passkeys could pose a counterweight to the currently heavily used two-factor authentication via the native app (“Microsoft Authenticator”).
1) Status of the analysis is June 2023. Passkey features are subject to change by companies on an ongoing basis.
2) Note that we tested the passkeys offered by Microsoft 365 for its online service / website and app. This analysis specifically does not cover the way Microsoft synchronizes passkeys as a platform provider.
3) Please refer to the use cases to find the devices we used for the analysis.
Key insights from Microsoft 365 analysis
In this section, we present the most important insights we have gained from the analysis of Microsoft 365 passkeys.
Highlights of Microsoft 365 passkeys implementation
- Setup and integration with high security focus:
Microsoft 365's passkey implementation places a strong emphasis on security from the setup phase onwards. Before the passkey settings can even be reached, users must pass a second-factor verification with the "Microsoft Authenticator" app. This step-up check ensures that someone who has only obtained the password cannot silently register a new sign-in method on the account, which is exactly what an attacker with stolen credentials would attempt. Note that this gate protects the enrolment, not the passkey itself; the passkey's strength comes from the key pair bound to the device.
- Strong advocacy for passwordless access:
One strength of Microsoft 365's passkey implementation lies in its advocacy for passwordless access, even though you need to search for it proactively. Once found, Microsoft encourages users to embrace the passwordless sign in process through intuitive user interfaces and informative prompts. With a pop-up window displaying the message "Break free from your passwords", users are motivated to explore the benefits and convenience of a passwordless future leading to enhanced security and a frictionless authentication experience.
- Option to completely remove passwords:
In a bold move that demonstrates their commitment to a passwordless future, Microsoft 365 offers users the option to eliminate passwords entirely. This feature enables users to rely on passkeys (together with the authenticator app) as the sole means of authentication, eliminating the vulnerabilities associated with password-based systems. By removing passwords from the equation, the risk of password-related attacks, such as phishing, credential stuffing, and brute-force attacks, is significantly reduced. One caveat applies: password removal only closes the password path. As long as fallback methods such as an email or SMS code remain enabled on the account, the phishing resistance of the whole login is only as strong as the weakest remaining method. Microsoft's commitment to promoting this passwordless approach not only showcases their dedication to security but also sets the stage for a more seamless and user-friendly authentication experience.
- Seamless Integration with "Windows Hello" Technology:
Microsoft 365's passkey implementation seamlessly integrates with the trusted "Windows Hello" technology, creating a familiar and comfortable authentication experience. "Windows Hello" is a widely recognized authentication feature in Windows, allowing users to log in using facial recognition, fingerprint scanning, or a PIN. By leveraging this technology, Microsoft 365 lets users set up their passkeys with the biometrics or PIN they already use. Technically, the biometric or PIN only unlocks a key pair stored on the device (backed by the TPM where available); no biometric data is sent to Microsoft 365.
The integration with "Windows Hello" also offers a seamless transition for users already familiar with this authentication solution. By using familiar biometrics, such as facial recognition or fingerprints, users can authenticate swiftly and confidently, eliminating the need for complex passwords.
Drawbacks of the current Microsoft 365 passkeys implementation
- No Cross-Platform Passkeys:
The most notable drawback of Microsoft 365's passkey implementation is the absence of support for cross-platform passkeys. Unlike other solutions, the passkeys are not synced, and on most non-Windows platforms they cannot even be created as single-device passkeys (e.g. on a MacBook using Safari or on an Android smartphone). The one exception we found is Chrome on a MacBook, where passkey creation works, as shown in our analysis. This limitation can be frustrating for users who work across different operating systems, as it restricts the seamless use of passkeys across all their devices. A typical example would be not being able to sync passkeys between your private iPhone and your laptop. The lack of cross-platform compatibility stands out as an uncommon limitation in an increasingly interconnected digital landscape.
- Lack of Proactive Offer and Cumbersome Passkey Setup:
Another drawback is the absence of proactive encouragement for users to try out passkeys at sign up. Afterwards, the process of creating a passkey within Microsoft 365 can be cumbersome, requiring up to seven clicks after a regular login. If users haven't set up Microsoft Authenticator, the number of clicks increases even further. Even when exploring additional sign in methods, users still need to navigate through multiple options by clicking "Show more options" to utilize the convenient "Windows Hello" feature. This lack of a streamlined and intuitive passkey setup may deter some users from embracing this authentication method fully.
- Insufficient Explanation of Passkey Technology to Users:
Microsoft 365's passkey implementation lacks explicit explanation or documentation regarding the term "passkey" and its underlying technology. Users are not directly informed about the specifics and benefits of the passkey authentication method. This absence of clear communication may lead to confusion or apprehension among users who are unfamiliar with the term "passkey". Providing comprehensive and user-friendly documentation already during the sign in process would empower users to make informed decisions and understand the advantages of this authentication method.
Analysis of the login process
To make the analysis of Microsoft 365 passkeys as comprehensive as possible, we tested the login process with several device-browser-combinations. We have recorded the outcomes in the following use cases. To better understand the use cases, please read through the conceptual definitions of passkeys below before jumping into the use cases.
Conceptual definitions of passkeys
Single-device passkey vs. multi-device passkey: Passkeys come in two distinct types, which are single-device and multi-device credentials. Single-device passkeys are tied to a specific device, meaning that the passkey can only be used on the device it was generated on. Multi-device passkeys are the “true” passkeys that can be synced and transferred between devices. This means that users can use any of their devices that support passkeys to authenticate, regardless of whether the credential was created on that specific device. This greatly enhances the usability of passkeys, as users don’t need to enrol each device. However, our analysis found that Microsoft 365 provides single-device passkeys only.
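The distinction above is visible to a relying party in the authenticator data returned by every WebAuthn registration and login: the BE (backup eligible) and BS (backup state) flags state whether a credential can be synced at all and whether it currently is, so a device-bound Windows Hello credential and a synced passkey can be told apart server-side. The following JavaScript is an added example and not code from this article or from Microsoft; the rpIdHash bytes and both sample responses are constructed here, and we do not know which of these checks Microsoft's backend actually performs.

```javascript
// Added example: classify a WebAuthn credential as single-device or
// multi-device from the authenticator data flags (WebAuthn Level 3).
// authenticatorData layout: rpIdHash (32 bytes) | flags (1 byte) |
// signCount (4 bytes, big-endian) | optional attestedCredentialData | ...

const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (PIN or biometric)
const FLAG_BE = 0x08; // backup eligible: credential may be synced
const FLAG_BS = 0x10; // backup state: credential is currently backed up
const FLAG_AT = 0x40; // attested credential data follows (registration only)

function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = authData[32];
  const signCount = new DataView(authData.buffer, authData.byteOffset + 33, 4)
    .getUint32(0, false);
  const backupEligible = (flags & FLAG_BE) !== 0;
  const backupState = (flags & FLAG_BS) !== 0;
  if (!backupEligible && backupState) {
    // The spec does not allow BS=1 with BE=0; reject rather than guess.
    throw new Error("invalid flags: backup state set on a non-eligible credential");
  }
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible,
    backupState,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    signCount,
    // BE decides the category; BS only says whether the sync has happened.
    kind: backupEligible ? "multi-device" : "single-device",
  };
}

// Constructed sample input (not captured from Microsoft 365): a placeholder
// rpIdHash plus the given flags and counter, as a relying party would see
// them after base64url-decoding response.authenticatorData.
function sampleAuthData(flags, signCount) {
  const out = new Uint8Array(37);
  out.fill(0xab, 0, 32); // stands in for SHA-256(rpId)
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount, false);
  return out;
}

// Shape of a TPM-bound Windows Hello credential: UP + UV, BE = 0, BS = 0.
const singleDevice = parseAuthenticatorData(sampleAuthData(FLAG_UP | FLAG_UV, 7));
// Shape of a synced passkey (e.g. from a password-manager or OS keychain):
// UP + UV + BE + BS; synced passkeys commonly report a signCount of 0.
const multiDevice = parseAuthenticatorData(
  sampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
);

console.log(singleDevice.kind, multiDevice.kind); // single-device multi-device
```

A relying party that wants only device-bound credentials can reject registrations with `backupEligible === true`; one that wants the usability of synced passkeys accepts them but should then not rely on `signCount` for clone detection, since synced credentials typically leave it at zero.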
Note that we have only performed the use cases with passkey-ready devices (e.g., no iPhone prior to iOS 16.0, no MacBook prior to macOS Ventura, no Android prior to Android 9, no Windows device prior to Windows 10). In addition, we tested the passkey login on an iPhone only in the Microsoft 365 app, because the browser login process does not differ between platforms and devices. However, apart from Windows 11 and Chrome on a MacBook, no platform allowed us to create or use passkeys. Hence, the use cases below are limited to these platforms for now.
Initially, on registering on the Microsoft 365 platform we were not able to create a passkey. The prompt asked us to provide our mail address and a conventional password. We could not utilize alternative sign up methods, e.g. an email magic link or a social login like we saw in other examples. However, what we noticed is a strong focus from Microsoft on securing the sign up and login process: Besides common password restrictions like minimum length, mixed case and a special character, we were also prompted to change our password “Password123!” because it was too common. After verifying the mail address with a 6-digit code, the sign up process is complete. In general, signing up for a Microsoft 365 account is quite straightforward, but it relies on conventional password technology.
Account creation follows the typical Microsoft scheme with no other options than entering a mail address and a password.
As the emphasis is still on the use of passwords, Microsoft detects passwords that are too common and rejects them. Common rules for passwords in terms of length, mixed case and special characters also apply here.
After entering a valid password your email address requires a verification with a 6-digit confirmation code.
After completing the uncomplicated sign up process, Microsoft 365 advertises its platform as your centralized account for all relevant needs. Notable, however, is that at this point Microsoft did not suggest creating a passkey during the sign up process, like we saw for example at eBay. Offering passkey creation during sign up could further streamline the process, as error messages and iterations with the user due to passwords that do not meet the requirements can be avoided.
Setting up a passkey for a single device within the Microsoft 365 environment is a process that involves ~12 steps (depending if Microsoft Authenticator is already set-up). It is important to note that the passkey setup in Microsoft 365 requires users to navigate through multiple settings and is not prominently advertised.
To begin the setup process, users need to access their Microsoft 365 account settings. This can be done by clicking on the user profile or avatar, typically located in the top right corner of the screen. From there, users must navigate to the "Account settings" section.
Within the account settings, users need to find and select the "Security" tab. This step is crucial, as the passkey setup is hidden within this section and is not immediately visible or easily accessible. Once in the "Security" tab, users can find the option to create a passkey. This may require scrolling or expanding sections to locate the specific passkey settings. Within the “Security” section, the next step is to click “Advanced security options”.
Doing this for the first time, Microsoft 365 requires you to verify your identity with a second factor via “Microsoft Authenticator”. With this step-up verification, Microsoft 365 ensures that security settings cannot be changed by someone who only knows the password.
After authenticating via Microsoft Authenticator, we arrive at this overview screen for security. The interface looks well-organized, as we are used to from Microsoft 365. However, the steps that were needed to get here are comparatively many. Even now Microsoft 365 does not talk about passkeys but "Add a new way to sign in".
Clicking on “Add a new way to sign in or verify” initiates the process, which typically involves selecting the desired passkey type. The methods available include choosing between biometric authentication (such as facial recognition or fingerprint scanning) or using a physical security key.
Users are then guided through a series of prompts and verification steps to complete the passkey setup. These steps may vary depending on the chosen passkey type and the specific device being used.
Overall, the passkey setup process within the Microsoft 365 environment requires around 12 steps, which is relatively longer compared to some other platforms like eBay. Additionally, it is worth noting that passkey setup is not prominently advertised but rather "hidden" under the "Account settings" - "Security" section.
While the setup process may be slightly more cumbersome and less intuitive, once the passkey is successfully configured, users can enjoy the benefits of passwordless authentication on their single device within the Microsoft 365 ecosystem.
In addition to that, users can even get completely rid of passwords under the option “Passwordless account” by hitting “Turn on”. This removes the password as a login method entirely and must be confirmed via the authenticator app as well. Microsoft 365 shows what the combination of passkeys and two-factor authentication is capable of, making the login for users more secure and convenient (see use case 3).
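The two choices the setup screen offers ("Windows Hello" versus "security key") and the passwordless account option map directly onto WebAuthn parameters a relying party sends to the browser. The JavaScript below is an added example of those relying-party options and is not code from this article or from Microsoft; the rpId, the user record and the challenge bytes are assumptions constructed for the example, and in a real deployment the challenge must come fresh from the server.

```javascript
// Added example: relying-party options for registering and using a passkey
// that can stand alone as a login, i.e. a discoverable credential with user
// verification, on either a platform authenticator (Windows Hello, Touch ID)
// or a roaming one (security key). rpId, user and challenge are assumed.

const MIN_CHALLENGE_BYTES = 16; // WebAuthn requires at least 16 random bytes

function checkChallenge(challenge) {
  if (!(challenge instanceof Uint8Array) || challenge.length < MIN_CHALLENGE_BYTES) {
    throw new Error("challenge must be >= 16 random bytes generated server-side");
  }
}

// attachment: "platform" = Windows Hello / Touch ID, "cross-platform" = security key.
function buildPasskeyCreationOptions({ rpId, rpName, user, challenge, attachment }) {
  checkChallenge(challenge);
  if (attachment !== "platform" && attachment !== "cross-platform") {
    throw new Error("attachment must be 'platform' or 'cross-platform'");
  }
  return {
    rp: { id: rpId, name: rpName },
    // user.id must be an opaque byte string, never the e-mail address itself
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256, also offered by Windows Hello
    ],
    authenticatorSelection: {
      authenticatorAttachment: attachment,
      residentKey: "required",      // discoverable: login without typing a username
      userVerification: "required", // PIN/biometric, so the passkey is a full sign-in
    },
    attestation: "none",
    timeout: 60000,
  };
}

// Sign-in. With discoverable credentials allowCredentials stays empty and the
// browser lists the stored passkeys itself. An identifier-first flow (the user
// enters an e-mail address, as on the Microsoft 365 login page) may instead
// pass the credential IDs known for that account to narrow the choice.
function buildPasskeyRequestOptions({ rpId, challenge, allowedCredentialIds = [] }) {
  checkChallenge(challenge);
  return {
    rpId,
    challenge,
    allowCredentials: allowedCredentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: "required",
    timeout: 60000,
  };
}

// Constructed sample values; a server would use random bytes for both.
const sampleChallenge = new Uint8Array(32).fill(0x42);
const sampleUser = {
  id: new Uint8Array([0x01, 0x02, 0x03, 0x04]),
  name: "alice@example.com",
  displayName: "Alice",
};

const helloOptions = buildPasskeyCreationOptions({
  rpId: "login.example.com", rpName: "Example", user: sampleUser,
  challenge: sampleChallenge, attachment: "platform",
});
const loginOptions = buildPasskeyRequestOptions({
  rpId: "login.example.com", challenge: sampleChallenge,
});

// In a browser these objects are passed as { publicKey: ... } to
// navigator.credentials.create() and navigator.credentials.get().
console.log(helloOptions.authenticatorSelection, loginOptions.allowCredentials.length);
```

The `residentKey: "required"` plus `userVerification: "required"` pair is what makes a credential usable as the only factor; a credential registered without user verification still needs something else (a password or a second factor) before the account may be switched to passwordless.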
Microsoft 365 offers a traditional sign in process using email and password. The sign in page provides users with various options:
- Sign in with Passkey (Windows Hello or Security Key): Users have the option to sign in using a passkey, referred to as "Windows Hello or a security key." This method allows for biometric authentication or the use of a physical security key. Prior setup is required for passwordless access.
- Sign in with GitHub: Microsoft 365 allows users to sign in using their GitHub account, simplifying access for those who already use GitHub services.
- Forgot My Username: The sign in page includes a "Forgot my username" option, enabling users to recover their forgotten username by following a step-by-step process.
These sign in options demonstrate Microsoft's commitment to providing users with flexibility in the authentication process. While the primary method remains the traditional email and password combination, users can choose alternative authentication methods such as passkeys or the GitHub integration, and recover a forgotten username. This lets users select the authentication method that best suits their preferences and needs.
After entering your email address and clicking "Next" in the sign in process, Microsoft 365 prompts users to sign in with Microsoft Authenticator, emphasizing their commitment to a secure login process.
Note: If we chose the option to remove the password entirely during the passkey creation process, we are no longer offered a password field; the remaining choices are the passkey and the GitHub login.
After selecting “Use Windows Hello or security key”, we are handed over to the Microsoft device service “Windows Hello”. Here we can choose which account we want to log in with, or whether we want to use a security key. This triggers “Windows Hello” as a local service on our Windows device, which we are familiar with from, e.g., running an app as administrator or initially logging into Windows after starting the device.
After selecting the correct account Windows starts the authentication via passkey in the “Windows Hello” service. After authentication and clicking “OK” we are successfully signed in to our online Microsoft 365 account.
The passkey flow of Microsoft 365 on a MacBook closely mirrors that of a Windows machine, offering a consistent user experience. The sign-up process is straightforward and involves the following steps:
Create Account: Users begin by providing their necessary information, such as username, email address, and other required details to set up a new Microsoft 365 account. This step is identical to the process on a Windows machine.
Enter Password: Once the account information is submitted, users are prompted to set a password for their Microsoft account. They can choose a strong and secure password to protect their account, just like they would on a Windows machine.
Verify email: After completing the password setup, users are required to verify their email address associated with the account. This verification step helps ensure the security and validity of the account, and it follows the same process as on a Windows machine.
Overall, the sign-up process for Microsoft on a MacBook is identical to that on a Windows machine. Users can create their account, set a password, and verify their email without encountering any visual differences, providing a consistent experience across platforms.
In Microsoft 365, the steps to create a passkey are identical for Windows and Mac devices. Users navigate to their Microsoft 365 account settings and proceed to the 'Security' section. Upon choosing “Add a new way to sign in or verify”, they follow a set of instructions that is identical across the operating systems. Important to mention is, however, that on a MacBook being able to create a passkey depends on the browser we are using, whereas on Windows passkey creation worked regardless of the browser. On the MacBook, passkey creation only worked with Chrome, not with Safari.
In creating the passkey, we have the same options as on our Windows PC. Noteworthy, however, is that the device detection does not seem to work properly, as we are prompted to “Use your Windows PC” for the “Hello” service even though we are using a MacBook.
After choosing “Use your Windows PC” (which is still our MacBook), we are redirected to what is labelled as the Windows Hello service but is in fact Apple's Touch ID. Apart from the different, OS-based services, it is similar to the Windows flow. We can choose our desired email address and continue the process.
After verifying our email address, we are asked to authenticate with Touch ID.
After confirming our identity through Chrome, we can name our device to facilitate user-friendly tracking of login attempts.
This named passkey is then stored within the security section of Microsoft 365 and can, for later purposes, be removed or monitored.
As seen before in the passkey creation, using Safari on a MacBook does not enable us to log in via passkeys. We tried by clicking “Sign-in options”, as this is where we found the option to use Windows Hello (or any other authentication service) above.
On Safari, however, this option is missing entirely, leaving us with an authenticator app, an email code or an SMS code.
After logging in, we double-checked that the passkey for this account, which we created in use case 5, is still active. This confirms that Safari does not support Microsoft 365 passkeys as of now, neither for creating them nor for using them to sign in.
On Chrome, we get to choose our sign-in method at the login page, giving us three options and already suggesting a passkey login by a clickable link “Sign in with Windows Hello or a security key”.
Hitting “Sign-in options”, we see the option to use Windows hello.
The verification process to sign-in utilizes the stored passkey and is similar to the initial creation.
The introduction of passkeys in Microsoft 365 brings the promise of passwordless authentication. However, the current implementation has limitations and represents a transitional phase. Passkeys are essentially limited to Windows (plus Chrome on a MacBook) and require a tedious setup through the "Security" section in the Microsoft 365 account settings. They are not accessible in the native Microsoft 365 apps for Android and iOS, nor in Safari on macOS, where only Chrome works. Microsoft refers to passkeys as "passwordless" sign in, emphasizing their commitment to moving away from traditional passwords.
While passkeys offer enhanced security and convenience, their availability and usability are still restricted within the Microsoft 365 environment. It is likely that Microsoft 365 will continue to refine and expand passkey functionality in the future, making it more prominent and accessible across devices and platforms.