DEV Community

corbado

Microsoft 365 passkeys – Analysis of sign-ups and logins with passkeys

This is part 4/X of our ongoing analysis of passkey implementations. We have already analyzed several password managers, KAYAK's passkey flow and Apple's iOS 17.

Introduction

More and more companies from a wide range of industries are stepping into a password-free world and implementing passkeys. Through this series of articles, we aim to provide a comprehensive overview of the passkey user experience offered by those companies, so that you can incorporate these findings and improve your own product login accordingly. Each article focuses on a single company. Today, we dive into Microsoft 365. Passkeys became available for Microsoft 365 accounts in Q2 2023, although Microsoft does not call them passkeys. The rollout of Microsoft 365 passkeys could pose a counterweight to the currently heavily used two-factor authentication via a native app ("Microsoft Authenticator").

Disclaimer:
1) Status of the analysis is June 2023. Passkey features are subject to change by companies on an ongoing basis.
2) Note that we tested the passkeys offered by Microsoft 365 for its online service / website and app. This analysis specifically does not cover the way Microsoft synchronizes passkeys as a platform provider.
3) Please refer to the use cases to find the devices we used for the analysis.

Key insights from Microsoft 365 analysis

In this section, we present the most important insights we have gained from the analysis of Microsoft 365 passkeys.

Highlights of Microsoft 365 passkeys implementation

1. Setup and integration with high security focus:

Microsoft 365's passkey implementation gates enrolment behind an existing second factor: before a passkey can be created, users are required to have two-factor authentication (2FA) set up with the "Microsoft Authenticator" app. Requiring a step-up before a new login method can be registered is good practice, because it prevents an attacker who only holds the password from silently adding a passkey to a compromised account. This makes the setup more secure, at the cost of additional friction for users who have not set up Authenticator yet (see the drawbacks below).

2. Advocacy for passwordless access:

One strength of Microsoft 365's passkey implementation lies in its advocacy for passwordless access, even though you need to proactively search for it. Once found, Microsoft actively encourages users to adopt the passwordless sign-in process through clear user interfaces and informative prompts. A pop-up window displaying the message "Break free from your passwords" motivates users to explore the benefits of a passwordless future: better protection against phishing and a lower-friction authentication experience.

3. Option to completely remove passwords:

In a bold move that demonstrates their commitment to a passwordless future, Microsoft 365 offers users the option to remove the password from the account entirely. Without a password there is nothing left to phish, stuff or brute-force, so the whole class of password-related attacks disappears for that account. One caveat practitioners should keep in mind: once the password is gone, every login and recovery path rests on the remaining registered methods (here the Authenticator app and the "Windows Hello" passkey), so the loss of a device weighs more heavily than before and a second method should be registered first. Microsoft's commitment to promoting this passwordless approach not only showcases their dedication to security but also sets the stage for a more seamless and user-friendly authentication experience.

4. Seamless Integration with "Windows Hello" Technology:

Microsoft 365's passkey implementation integrates seamlessly with the trusted "Windows Hello" technology, creating a familiar and comfortable authentication experience. "Windows Hello" is a widely recognized authentication feature in Windows that lets users unlock their device using facial recognition, fingerprint scanning or a PIN. By building on it, Microsoft 365 lets users create a passkey that is unlocked with the face, fingerprint or PIN they already use on that device. Note that the biometric itself is never sent to Microsoft 365: it only unlocks the private key stored locally on the device, and the key never leaves it.

The integration with "Windows Hello" also offers a smooth transition for users who are already familiar with it. Because they authenticate with the same gesture they use to unlock Windows, users can log in swiftly and confidently without a password.

Drawbacks of the current Microsoft 365 passkeys implementation

1. No Cross-Platform Passkeys:

The most notable drawback of Microsoft 365's passkey implementation is the absence of cross-platform passkeys. Unlike other solutions, the passkeys are neither synced, nor can they be created on most other platforms: in our tests, not even single-device passkeys could be created on a MacBook using Safari or on an Android smartphone. The one exception we found is Chrome on a MacBook, where passkey creation worked (see the use cases below). This limitation is frustrating for users who work across different operating systems, as it prevents them from using their passkeys on all their devices. A typical example is not being able to sync a passkey between a private iPhone and a work laptop. In an increasingly interconnected digital landscape, this lack of cross-platform compatibility stands out as an uncommon limitation.

2. Lack of Proactive Offer and Cumbersome Passkey Setup:

Another drawback is the absence of any proactive encouragement to try out passkeys during sign-up. Afterwards, creating a passkey within Microsoft 365 is cumbersome and takes up to seven clicks after a regular login. If users have not set up Microsoft Authenticator yet, the number of clicks increases even further. Even once users reach the additional sign-in methods, they still need to navigate through multiple options by clicking "Show more options" before they can use "Windows Hello". This lack of a streamlined, intuitive setup may deter some users from adopting passkeys.

3. Insufficient Explanation of Passkey Technology to Users:

Microsoft 365's passkey implementation lacks any explicit explanation or documentation of the term "passkey" and its underlying technology. Users are not informed about the specifics and benefits of the passkey authentication method. This absence of clear communication may lead to confusion or apprehension among users who are unfamiliar with the term. Providing comprehensive, user-friendly explanations directly in the sign-in process would empower users to make informed decisions and understand the advantages of this authentication method.

Analysis of the login process

To make the analysis of Microsoft 365 passkeys as comprehensive as possible, we tested the login process with several device/browser combinations. We have recorded the outcomes in the following use cases. To better understand them, please read the conceptual definitions of passkeys below before jumping into the use cases.

Conceptual definitions of passkeys

Single-device passkey vs. multi-device passkey: Passkeys come in two distinct types, single-device and multi-device credentials. Single-device passkeys are bound to the device they were generated on (the private key typically lives in hardware such as a TPM) and can only be used from that device. Multi-device passkeys are the "true" passkeys that can be synced and transferred between devices through the platform's credential manager. This means that users can authenticate from any of their devices that support passkeys, regardless of whether the credential was created on that specific device, which greatly improves usability because users do not need to enrol each device. A relying party can tell the two types apart from the Backup Eligibility (BE) and Backup State (BS) flags in the authenticator data it receives. Our analysis found that Microsoft 365 provides single-device passkeys only.
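As an added example (not code from the Corbado article, from Microsoft, or from any Microsoft 365 component), the following Python shows how a relying party distinguishes the two passkey types described above: it parses the fixed 37-byte prefix of the WebAuthn authenticatorData (rpIdHash, flags byte, signature counter), checks the rpIdHash against the expected RP ID, rejects the invalid combination "backed up but not backup-eligible", and classifies the credential from the BE and BS bits. The RP ID `login.example.com` and both authenticatorData samples are constructed for the demonstration; a device-bound "Windows Hello"-style credential has BE and BS clear, a synced platform passkey has both set.

```python
"""
Classify a WebAuthn credential as single-device (device-bound) or
multi-device (synced) from the flags byte of authenticatorData.

Added example, not code from the Corbado article or from Microsoft.
A relying party receives authenticatorData at registration and at every
login; its fixed prefix is rpIdHash (32 bytes) || flags (1 byte) ||
signCount (4 bytes, big-endian). WebAuthn Level 3 defines the Backup
Eligibility (BE, bit 3) and Backup State (BS, bit 4) flags, which is how a
server tells the two passkey types apart. All sample inputs are constructed.
"""
import hashlib
import struct

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric, e.g. Windows Hello)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up (synced)
FLAG_AT = 0x40  # attested credential data follows the fixed prefix
FLAG_ED = 0x80  # extension data follows

AUTH_DATA_PREFIX_LEN = 37


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct the 37-byte fixed prefix of authenticatorData (test input only)."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags & 0xFF])
            + struct.pack(">I", sign_count))


def classify_credential(auth_data: bytes, expected_rp_id: str) -> dict:
    """Validate the prefix for the expected RP ID and classify the passkey type.

    Raises ValueError on truncated input, on an rpIdHash mismatch (the
    assertion was made for a different relying party, e.g. a phishing
    domain) and on the forbidden flag combination BS=1 with BE=0.
    """
    if len(auth_data) < AUTH_DATA_PREFIX_LEN:
        raise ValueError("authenticatorData shorter than the 37-byte fixed prefix")

    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])

    if rp_id_hash != hashlib.sha256(expected_rp_id.encode("utf-8")).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")

    backup_eligible = bool(flags & FLAG_BE)
    backed_up = bool(flags & FLAG_BS)
    if backed_up and not backup_eligible:
        raise ValueError("invalid flags: BS set while BE is clear")

    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": backup_eligible,
        "backed_up": backed_up,
        "sign_count": sign_count,
        "passkey_type": "multi-device" if backup_eligible else "single-device",
    }


def demo() -> tuple:
    """Two constructed credentials for the same (assumed) RP ID: a device-bound
    one, as Windows Hello produces for Microsoft 365, and a synced one from a
    platform passkey provider. Synced passkeys commonly report a counter of 0."""
    rp_id = "login.example.com"  # constructed RP ID for illustration only
    device_bound = build_authenticator_data(rp_id, FLAG_UP | FLAG_UV | FLAG_AT, 7)
    synced = build_authenticator_data(
        rp_id, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT, 0)
    return classify_credential(device_bound, rp_id), classify_credential(synced, rp_id)


if __name__ == "__main__":
    for result in demo():
        print(result["passkey_type"], result)
```

The BE/BS bits are also the right signal for policy decisions, e.g. whether to keep prompting a user to register a second device: a single-device passkey (BE clear) is lost with the device, while a synced one (BS set) survives it.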

Tested cases

Note that we have only performed the use cases with passkey-ready devices (e.g., no iPhone prior to iOS 16.0, no MacBook prior to macOS Ventura, no Android prior to Android 9, no Windows device prior to Windows 10). In addition, we tested the passkey login on an iPhone only in the Microsoft 365 app, because the login process in the different browsers does not differ across platforms and devices. However, we noted that apart from Windows 11, only Chrome on macOS allowed us to create or use passkeys. Hence, we only tested use cases 1-3 for now. To find out the detailed flow of a listed use case, click on the respective linked use case in the table below:

Windows 11 (Build 22621.1848)
Multi-device passkey: n/a
Single-device passkey:
Use case 1: Sign up process (Chrome)
Use case 2: Passkey creation (Chrome)
Use case 3: Passkey login (Chrome)

MacBook (macOS Ventura 13.3.1)
Multi-device passkey: n/a
Single-device passkey:
Use case 4: Sign up process (Chrome)
Use case 5: Passkey creation (Chrome)
Use case 6.1: Passkey login (Safari)
Use case 6.2: Passkey login (Chrome)

Conclusion

The introduction of passkeys in Microsoft 365 brings the promise of passwordless authentication. However, the current implementation has limitations and represents a transitional phase. Passkeys are available primarily on Windows and require a tedious setup through the "Security" section of the Microsoft 365 account settings. They are not accessible in the native Microsoft 365 apps for Android and Apple devices, and within Apple's own ecosystem they only work in Chrome, not in Safari. Microsoft refers to passkeys as "passwordless" sign-in, emphasizing its commitment to moving away from traditional passwords.

While passkeys offer enhanced security and convenience, their availability and usability are still restricted within the Microsoft 365 environment. It is likely that Microsoft 365 will continue to refine and expand passkey functionality in the future, making it more prominent and accessible across devices and platforms. Find out the detailed flow of the passkey implementation here.
