Passkeys aren’t the finish line: Eliminating fallbacks and fixing recovery
World Passkey Day comes around each year, offering us a moment to pause and think about our strides in moving beyond traditional passwords. It’s also a reminder of the significant journey still ahead. Globally, billions of accounts rely on passkeys for protection, with a vast number of Microsoft users engaging with them daily. Clearly, we’re making headway.
However, simply having a robust sign-in method isn’t enough if attackers find a way to bypass it. The Microsoft Digital Defense Report reveals that AI-powered phishing schemes are achieving a staggering click-through rate of 54%. Threats such as impersonation attacks—deepfakes, SIM swaps, and social engineering aimed at help desks—exploit vulnerable moments when users are locked out, recovering access, or proving their identity to IT. In environments where AI agents can act autonomously for users, a compromised identity means more than just a hacked mailbox; it allows attackers to operate at machine speed.
This landscape highlights three pressing vulnerabilities that organizations must address.
Even with passkeys implemented, a clever attacker still has avenues to exploit:
Gap 1 · Phishable sign-in methods. As long as users still sign in using passwords, SMS codes, or push notifications, these sign-in methods remain exposed.
Gap 2 · Dormant credentials. When passkeys are in place, many accounts retain an unused password or SMS method as a backup. Unfortunately, it’s the attackers who often make use of this backdoor.
Gap 3 · Weak recovery channels. Account recovery typically involves contacting help desks and answering security questions, which can be easily sourced from social media and data compromises. In a world of AI-generated deepfakes, this approach no longer stands as a reliable verification method.
Here’s how we’re tackling these issues.
Over the past year, synced passkeys have emerged as the primary sign-in option for hundreds of millions of Microsoft account holders across various operating systems, devices, and browsers. Our data shows that our consumer users sign in successfully three times more often with passkeys compared to outdated methods (95% versus 30%). Plus, the sign-in process is now 14 times faster than password-and-code multi-factor authentication (MFA). These results aren’t just theoretical—they’re based on real-world data from a diverse cross-section of internet users.
Our identity platforms for both consumers and enterprises share a solid foundation. Every enhancement we apply to user experiences—like streamlining registrations, improving error management, and facilitating cross-device syncing—also benefits Microsoft Entra ID and Microsoft Entra External ID customers. We’re excited to offer these improvements to our enterprise clients for both their teams and external users.
Consider the current sign-in experience for most enterprise users. They input a password, switch to their phone, approve a notification or type in an SMS code, then switch back to their browser. On mobile it is even more cumbersome: users have to switch between the authenticator app and the app they were using, losing context along the way. Each of these steps adds friction for the user and an opening for attackers.
Synced passkeys—available now for both external and workforce users—completely transform this narrative. By simply tapping a fingerprint or glancing at their camera on any device, users can access their accounts without the hassle of passwords, codes, or switching apps. The passkey syncs across devices via iCloud Keychain, Google Password Manager, Microsoft Password Manager, or other credential management platforms, ensuring functionality wherever users are. This seamless experience also extends to customers through Microsoft Entra External ID, providing out-of-the-box passkey sign-ins for customer-facing applications with no need for custom integration.
Experience signing in with synced passkeys.
Additionally, we are making significant advancements on Windows. Contractors, frontline workers, and BYOD (bring your own device) users have historically relied on passwords and SMS as their main forms of authentication because traditional device enrollment was impractical. Now, with Microsoft Entra passkeys on Windows, users can create a device-specific passkey using Windows Hello—whether through face recognition, fingerprint, or PIN—right on their own device without requiring any specific enrollment or physical token delivery.
Reaching general availability is only a stepping stone; we’re committed to making passkeys the default experience, not simply an option:
- Passkey profiles—implement group-based passkey policies that define attestation requirements, passkey types, and provider selections for different user groups.
- Passkey-preferred authentication (preview)—detects registered methods and prioritises the strongest one for a seamless user experience. If a passkey is registered, it appears first for the user.
Passkey profiles for precise administration control.
Synced passkeys offer the easiest solution for most users. For high-privilege roles or sensitive sectors, Microsoft Entra ID continues to support device-bound passkeys, Microsoft Authenticator passkeys, and FIDO2 security keys. Passkey profiles let admins run both models side by side in the same tenant.
While implementing passkeys enhances the sign-in process, many user accounts still have a password or SMS method as a backup. As long as these credentials exist, they remain a target for attacks. Admins now have the ability to entirely remove these phishable credentials from user accounts. At Microsoft, we’ve successfully rolled out phishing-resistant authentication to 99.9% of our users and devices, eradicating weaker sign-in methods.
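The three gaps above, passkey-preferred ordering and phishable credential removal, modelled as a small audit over constructed registration records (an added example; not Microsoft's code or the Entra API, and the method names are illustrative rather than any real enum):

```python
# Added example, not Microsoft's code or the Entra API: map each account's
# registered methods onto the three gaps above. Records and names are constructed.
PHISHING_RESISTANT = {"passkeySynced", "passkeyDeviceBound", "authenticatorPasskey",
                      "fido2SecurityKey", "windowsHello"}
PHISHABLE_SIGN_IN = {"password", "sms", "push", "email"}
KNOWLEDGE_BASED_RECOVERY = {"securityQuestions"}
# Strongest first: the order a passkey-preferred prompt would offer methods.
STRENGTH_ORDER = ["passkeySynced", "passkeyDeviceBound", "authenticatorPasskey",
                  "fido2SecurityKey", "windowsHello", "push", "sms", "email", "password"]
# Constructed registration records, one per user.
USERS = [
    {"upn": "alice@contoso.example", "methods": ["password", "sms", "passkeySynced"]},
    {"upn": "bob@contoso.example", "methods": ["password", "push"]},
    {"upn": "carol@contoso.example", "methods": ["fido2SecurityKey", "windowsHello"]},
    {"upn": "dan@contoso.example", "methods": ["passkeyDeviceBound", "securityQuestions"]},
]

def gaps_for(user):
    """Return the gap labels that apply to one account."""
    methods, gaps = set(user["methods"]), set()
    if not methods & PHISHING_RESISTANT:
        gaps.add("gap1_phishable_sign_in")   # no phishing-resistant method at all
    elif methods & PHISHABLE_SIGN_IN:
        gaps.add("gap2_dormant_credential")  # passkey present, weak fallback kept
    if methods & KNOWLEDGE_BASED_RECOVERY:
        gaps.add("gap3_weak_recovery")       # security questions still registered
    return gaps

def preferred_method(user):
    """Passkey-preferred sign-in: offer the strongest registered method first."""
    return next((m for m in STRENGTH_ORDER if m in user["methods"]), None)

def removable_methods(user):
    """Phishable methods an admin can remove without locking the user out:
    only once a phishing-resistant method exists, so Gap 1 accounts get none."""
    methods = set(user["methods"])
    if not methods & PHISHING_RESISTANT:
        return []
    return sorted(methods & (PHISHABLE_SIGN_IN | KNOWLEDGE_BASED_RECOVERY))

def audit(users=USERS):
    """Per account: gaps, what sign-in offers first, and what can be removed."""
    return {u["upn"]: {"gaps": sorted(gaps_for(u)),
                       "offer_first": preferred_method(u),
                       "remove": removable_methods(u)} for u in users}

if __name__ == "__main__":
    for upn, row in audit().items():
        print(upn, row)
```

Bob has nothing phishing-resistant registered, so the audit refuses to propose removals for him; the fix there is registration first, removal second.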
Important update: Starting March 2027, security questions for password resets in Microsoft Entra ID will be phased out. If your organization still uses knowledge-based recovery, it’s time to transition to high-assurance account recovery.
Eliminating phishable credentials is a crucial step, but it raises a significant question. Synced passkeys are designed to handle the most common lockout situations; for instance, if one device is lost, the passkey remains accessible on other devices. However, users with device-bound passkeys—including those relying on FIDO2 security keys and Windows Hello—lack cross-device syncing. For users who lose all their credentials, recovery today still means calling the helpdesk, dealing with temporary passwords, and answering questions that can be easily guessed. This remains a weak point in security.
Imagine what occurs when an employee is locked out: they contact the helpdesk, spend time on hold, answer security questions that might be discernible from their LinkedIn profile, and ultimately receive a temporary password—which they must change immediately. This frustrating process takes around 20 to 30 minutes, making it a costly affair for the organization and a prime opportunity for social engineering attacks.
With Microsoft Entra ID account recovery—now fully available—this complication is simplified. Users can open any browser, select “Recover my account,” scan their driver’s license, take a quick selfie, and register a new passkey—all within minutes, without making a phone call, through a process that’s considerably harder to forge. Since its preview, we’ve broadened our identity verification provider coverage, incorporated recovery profiles for regional compliance, and refined the user experience based on feedback from over 192 countries.
In line with NIST guidelines, high-assurance recovery requires the use of government-issued ID and biometric verification. We’ve streamlined this process—setup now takes only minutes:
- Confirm identity using a government-issued ID, like a driver’s licence or passport.
- Complete a live face check—Face Check in Microsoft Entra Verified ID, utilising Azure AI, matches a real-time selfie against the photo on the identity document.
- Cross-reference verified attributes with the organisation’s directory and HR system via custom authentication extensions.
- Immediately register a synced passkey—ensuring user protection moving forward.
Only the match result is shared; the underlying identity data is not. This level of privacy allows us to safely remove phishable fallbacks, as the recovery process is now more secure than primary authentication.
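The cross-reference step of the four-step recovery flow above, written as an added example that is not Microsoft's code nor the Verified ID or custom authentication extension API: the verified document and face-check result are compared against a constructed HR record, and only a decision with reason codes leaves the function, never the attributes themselves. Field names, the face-match threshold and all records are assumptions.

```python
# Added example, not Microsoft's code or the Verified ID / custom authentication
# extension API: the cross-reference step of the recovery flow above. Inputs,
# field names and the face-match threshold are constructed assumptions.
import unicodedata
from dataclasses import dataclass

FACE_MATCH_THRESHOLD = 0.90  # assumed; a real provider defines its own scale

@dataclass(frozen=True)
class IdvResult:
    document_verified: bool   # provider validated the ID document itself
    face_match_score: float   # live selfie vs. document photo, 0.0 to 1.0
    given_name: str
    family_name: str
    date_of_birth: str        # ISO date as printed on the document

# Constructed HR records keyed by employee id.
HR_DIRECTORY = {
    "E1001": {"givenName": "Jürgen", "surname": "Müller",
              "dateOfBirth": "1988-04-12", "status": "active"},
    "E1002": {"givenName": "Ana", "surname": "Silva",
              "dateOfBirth": "1990-09-30", "status": "terminated"},
}

def _norm(s):
    """Accent- and case-insensitive form, so 'Jurgen Muller' on a passport matches HR."""
    decomposed = unicodedata.normalize("NFKD", s)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold().strip()

def recovery_decision(employee_id, idv, directory=HR_DIRECTORY):
    """Return only a decision and reason codes; no verified attribute leaves here."""
    hr = directory.get(employee_id)
    if hr is None:
        return {"allow": False, "reasons": ["unknown_employee"], "next": None}
    reasons = []
    if not idv.document_verified:
        reasons.append("document_not_verified")
    if idv.face_match_score < FACE_MATCH_THRESHOLD:
        reasons.append("face_check_failed")
    if (_norm(idv.given_name), _norm(idv.family_name)) != (_norm(hr["givenName"]), _norm(hr["surname"])):
        reasons.append("name_mismatch")
    if idv.date_of_birth != hr["dateOfBirth"]:
        reasons.append("dob_mismatch")
    if hr["status"] != "active":
        reasons.append("not_active")
    # On success the next step is passkey registration, never a temporary password.
    return {"allow": not reasons, "reasons": reasons,
            "next": "register_passkey" if not reasons else None}
```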
Visualising the account recovery process.
Ericsson: Phishing-resistant multi-factor authentication (MFA) represents one of those unique opportunities that boost security while enhancing employee experience. Since 2020, Ericsson has been pioneering this journey, adopting Microsoft’s passwordless technologies—now regarded as passkeys or phishing-resistant MFA. We seamlessly integrated passkeys into managed user devices, using Windows Hello for Business and Microsoft Authenticator, alongside FIDO2 security keys (YubiKey 5-series) for higher-risk and privileged scenarios, providing strong protection while ensuring simplicity and peace of mind for our users.
Admin setup for recovery takes just a few steps: select an identity verification (IDV) provider from the Microsoft Security Store, assign user groups, and, if needed, match verified attributes with HR data through custom authentication extensions. You can even test the entire process before rolling it out publicly. Like passkey profiles, account recovery profiles enable admins to assign different IDV providers based on regional or national regulatory needs.
Through the Microsoft Security Store, clients can select from top IDV providers—Au10tix, IDEMIA, TrueCredential (LexisNexis), 1Kosmos, and CLEAR1—without the need for separate business contracts or custom integrations. These providers accommodate virtually all government-issued ID documents across more than 192 countries.
| The gap | Before | What’s better now |
| --- | --- | --- |
| Phishable sign-in | Passwords, SMS codes, app-switching, push fatigue | Synced passkeys — one biometric tap, on any device |
| Dormant credentials | Passwords and SMS remain on accounts “just in case” | Phishable credential removal — admins can eliminate weak methods completely |
| Weak recovery | Helpdesk calls, security questions, temporary passwords | Verified account recovery — using government ID + live face checks, all handled in minutes |
Each of these improvements holds value individually. Together, they effectively close the entire credential lifecycle—not merely focusing on the sign-in moment, but encompassing everything that occurs before and after.
| Capability | Availability |
| --- | --- |
| Synced passkeys in Microsoft Entra ID | Available for all Microsoft Entra ID customers |
| Passkeys in Microsoft Entra External ID | Included with Entra External ID |
| Microsoft Entra passkeys on Windows | Available for all Microsoft Entra ID customers |
| Passkey profiles | Included for all Microsoft Entra ID customers |
| Passkey-preferred authentication | Currently in preview — included for all Microsoft Entra ID customers |
| Microsoft Entra ID account recovery | Included with Microsoft Entra ID P1 licence |
| Microsoft Entra Verified ID (Face Check) | Available as a pay-per-verification add-on or as part of the Microsoft Entra Suite |
| Government ID verification | Available via the Microsoft Security Store on a pay-per-verification basis |
We’ve collectively walked this path—from unveiling these features at Ignite 2025 to announcing the general availability today. Thousands of organizations shaped these experiences during the preview phase.
With passkeys, sign-ins are quicker and resistant to phishing attacks. Verified identity simplifies account recovery, mitigating impersonation risks. By removing fallbacks, we eliminate weak links.
This aspect is increasingly vital in a landscape where AI continues to redefine workflows. Every agent acting on behalf of a user, every automated process handling sensitive data, and every copilot making decisions all hinge back to a verified identity. Passkeys and verified recovery mechanisms ensure authenticity, from entry to recovery—a crucial foundation for secure AI deployment.
And this is merely the beginning.
We value your input—please share your feedback and let us know how you’re finding these changes.
Ankur