
Microsoft to Enforce Passkey Support in Authenticator by January 2025

Starting January 2025, Microsoft’s Authenticator app will include passkey support, impacting enterprises without key restrictions on authentication.


Microsoft is set to expand its use of passkeys in its Authenticator app starting mid-January 2025, mandating their inclusion for organizations using the passkey (FIDO2) policy without existing key restrictions.

The move is aimed at enhancing security measures by leveraging a more robust, passwordless authentication method that is resistant to phishing. However, the rollout comes with challenges, particularly for enterprises still relying on traditional authentication frameworks.

Technical Clarifications Raise Questions

Microsoft recently announced the change through the Microsoft 365 Message Center, noting that enterprises with passkey (FIDO2) policies and no key restrictions would automatically see this feature implemented. While this update promises streamlined security enhancements, a LinkedIn post by cybersecurity consultant Lukas Beran added some confusion. Beran highlighted that organizations uninterested in enabling passkeys would need to “implement key restrictions” and potentially block certain apps. His remarks spurred questions about the level of technical adjustments required for enterprises to comply with or counteract the change.

Gary Longsine, CTO at IllumineX, critiqued the ambiguity (via CSO), calling it “vague and unhelpful” and suggesting that Chief Information Security Officers (CISO) may struggle with the unclear implications. Longsine believes this complexity may force organizations to review their Active Directory settings to avoid unintended activation of passkeys. “It might be simpler to transition to passkeys than trying to manage exceptions,” he said, hinting at the growing need for streamlined policies.

Challenges in Implementation and Risk

While passkeys are lauded for their enhanced security over traditional passwords, their implementation across enterprises presents challenges. Dave Taku, RSA’s head of product management, noted that the change would require significant adjustments for organizations unprepared to integrate passkeys. He pointed out that companies not ready by January will have to make immediate policy updates to align with the change or face operational setbacks (CSO).

One key issue is that many enterprises maintain passwords as fallback authentication methods, undermining the security benefits of passkeys. Longsine emphasized that until passwords are completely phased out, the risk of compromised credentials remains. “Migrating to passkeys without fully removing password support doesn’t significantly lower risk,” he explained, adding that full password elimination is essential for maximizing passkey efficacy (CSO).

Industry-Wide Context and Cooperation

This shift comes at a time of unprecedented collaboration among tech giants. In October 2024, the FIDO Alliance, which counts Microsoft, Apple, Google, and Samsung as members, introduced a new passkey specification designed to encourage broader adoption of passwordless authentication. Industry experts, including Longsine, observed that this level of cooperation marks a departure from past practices when competing firms hesitated to agree on shared standards. “Seeing Apple, Google, and Microsoft align on passkey strategies is unique and represents a step forward for unified user experiences,” Longsine noted.

Beran’s statement that passkeys would be “equivalent to physical keys” sparked debate. Taku expressed caution, suggesting that while passkeys offer strong resistance to phishing, they do not match the security of dedicated hardware devices. This prompted discussions on the importance of ensuring fallback methods, such as SMS authentication, do not compromise overall system security. Analyst Will Townsend of Moor Insights & Strategy pointed out that “eliminating weaker MFA options would strengthen overall security posture,” reinforcing the need for thoughtful policy choices.

Preparations for January 2025

As the January 2025 deadline approaches, Microsoft has indicated that the rollout will happen automatically for applicable organizations, with no administrative action required to activate the change. Users can register passkeys through Microsoft's “MySecurityInfo” portal, where they will be prompted as part of Conditional Access (CA) policies. Organizations that want to avoid this rollout will need to enable key restrictions in their existing passkey (FIDO2) policy.

Experts suggest that organizations audit their current security configurations and prepare for the passkey integration to prevent disruptions. The move is part of a broader industry shift toward reducing reliance on passwords and adopting stronger, phishing-resistant authentication solutions. However, the success of this transition will depend on enterprises’ willingness to adapt and effectively manage the nuances of passkey integration.
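As an added illustration of the audit the experts recommend (not code from the article or from Microsoft), the snippet below classifies a tenant's passkey (FIDO2) policy the way the article describes the rollout condition: the FIDO2 method enabled and no key restrictions enforced means the automatic change applies, while an enforced restriction is the opt-out. The sample policy is constructed, and its shape is assumed to match the `fido2AuthenticationMethodConfiguration` object that Microsoft Graph returns for the FIDO2 authentication method configuration; the AAGUID in the usage is a placeholder.

```python
# Constructed sample policy. The field names follow the assumed shape of a
# Microsoft Graph fido2AuthenticationMethodConfiguration object
# (GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2);
# this is not a capture from a real tenant.
SAMPLE_FIDO2_POLICY = {
    "id": "Fido2",
    "state": "enabled",
    "isSelfServiceRegistrationEnabled": True,
    "isAttestationEnforced": False,
    "keyRestrictions": {
        "isEnforced": False,
        "enforcementType": "block",
        "aaGuids": [],
    },
}


def classify_fido2_policy(policy: dict) -> dict:
    """Audit verdict for a tenant's passkey (FIDO2) policy.

    Per the article, tenants with the FIDO2 method enabled and no key
    restrictions are the ones where Authenticator passkeys are switched on
    automatically; an enforced restriction list is what opts a tenant out.
    """
    enabled = policy.get("state") == "enabled"
    restrictions = policy.get("keyRestrictions") or {}
    restricted = bool(restrictions.get("isEnforced"))
    return {
        "fido2_enabled": enabled,
        "key_restrictions_enforced": restricted,
        "auto_enable_applies": enabled and not restricted,
    }


def build_key_restriction_patch(allowed_aaguids: list) -> dict:
    """Policy fragment that enforces an allow-list of authenticator AAGUIDs.

    The caller supplies the AAGUIDs of the models the organization permits
    (placeholder values here); an allow-list with no entries would block
    every authenticator, so it is rejected.
    """
    if not allowed_aaguids:
        raise ValueError("an allow-list needs at least one AAGUID")
    return {
        "id": "Fido2",
        "state": "enabled",
        "keyRestrictions": {
            "isEnforced": True,
            "enforcementType": "allow",
            "aaGuids": list(allowed_aaguids),
        },
    }


if __name__ == "__main__":
    print(classify_fido2_policy(SAMPLE_FIDO2_POLICY))
    hardened = build_key_restriction_patch(["00000000-0000-0000-0000-000000000000"])
    print(classify_fido2_policy(hardened))
```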

Last Updated on November 7, 2024 2:11 pm CET

Source: Microsoft

Markus Kasanmascheff

Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
