Microsoft is adding a new form of passwordless authentication to Microsoft Entra ID for Windows devices. It uses FIDO2 passkeys that are stored in the local Windows Hello container and replaces conventional password-based authentication with asymmetric cryptography: the private key never leaves the device and is released only after the user authenticates locally.

Architecture and operation

Windows passkeys use the Windows Hello container to store private keys in an isolated environment. The key can be used only once the local user has passed biometric or PIN verification. The PIN itself is never used to authenticate to the service; it only unlocks the key stored on the device. A PIN therefore cannot be used to sign in without physical access to that device.

Authentication with Microsoft Entra ID uses the FIDO2 protocol and public-key cryptography. Entra ID issues a challenge, and the client returns a response signed with the device-bound private key. That response is bound to the target application (the relying party), so a signature produced for one service is not valid for another.
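The exchange described above, as an added example that is not part of the original article or of Microsoft's own code: a Go model of one FIDO2/WebAuthn assertion ceremony between a device-bound key and a relying party. The Windows Hello container is simulated by an in-process struct whose key is usable only after a local unlock flag is set; the relying party holds nothing but the enrolled public key and checks challenge, origin, RP ID hash, user-verification flag and signature. The RP ID login.microsoftonline.com, the lookalike domain, the zero sign counter and the omitted clientDataJSON type field are assumptions made for the demo; browser-side RP ID enforcement is not modelled, so the relying party's own origin check is what rejects the lookalike site here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn clientDataJSON (type field omitted); the browser/OS, not the web page, fills in origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type assertion struct { // the signed challenge response the client sends to the relying party
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte
	Signature      []byte
}
// authenticator stands in for the Windows Hello container: the private key exists only here.
type authenticator struct {
	priv     *ecdsa.PrivateKey
	rpID     string
	unlocked bool // set by a local PIN/biometric check; never sent to the service
}
// signedMessage is what both sides hash: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}
// sign is the authenticator side of a WebAuthn get() ceremony.
func (a *authenticator) sign(challenge []byte, origin string) (*assertion, error) {
	if !a.unlocked {
		return nil, errors.New("key locked: local user verification required")
	}
	cd, _ := json.Marshal(clientData{ // cannot fail for this struct
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := make([]byte, 37) // sign counter (last 4 bytes) left at 0 in this demo
	copy(authData, rpHash[:])
	authData[32] = 0x05 // flags UP|UV: UV is set because the local unlock succeeded
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	return &assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}
// relyingParty (Entra ID in the article) holds only the public key enrolled at registration.
type relyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
}
// verify checks challenge freshness, origin and RP ID binding, the UV flag and the signature.
func (rp *relyingParty) verify(challenge []byte, as *assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rp.rpID))
	switch {
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge):
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.origin:
		return fmt.Errorf("origin %q is not %q: assertion is bound to another site", cd.Origin, rp.origin)
	case len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], want[:]):
		return errors.New("rpIdHash mismatch: credential belongs to another RP")
	case as.AuthData[32]&0x04 == 0:
		return errors.New("user verification (UV) flag not set")
	case !ecdsa.VerifyASN1(rp.pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature):
		return errors.New("signature does not verify under the enrolled public key")
	}
	return nil
}
// ceremony runs one round trip: RP challenge -> device signature -> RP verification.
func ceremony(auth *authenticator, rp *relyingParty, origin string) error {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; documented not to fail on supported platforms
	as, err := auth.sign(c, origin)
	if err != nil {
		return err
	}
	return rp.verify(c, as)
}
// demo runs three ceremonies: key still locked, legitimate, and a lookalike origin.
func demo() (locked, legit, phish error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	auth := &authenticator{priv: priv, rpID: "login.microsoftonline.com"}
	rp := &relyingParty{rpID: auth.rpID, origin: "https://" + auth.rpID, pub: &priv.PublicKey}
	locked = ceremony(auth, rp, rp.origin) // no PIN/biometric presented yet
	auth.unlocked = true                   // PIN or biometric accepted locally
	legit = ceremony(auth, rp, rp.origin)
	phish = ceremony(auth, rp, "https://login.microsoftonline.com.evil.example") // lookalike site
	return
}
func main() { fmt.Println(demo()) }
```

Running it with go run prints the three outcomes: the first ceremony fails because the key is still locked, the second succeeds, and the third fails at the origin check even though the challenge and signature are perfectly valid, which is the binding to the target application the article refers to. Note that the relying party never sees the PIN; it only learns, via the UV flag, that the device performed a local user verification before releasing the key.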
ComputerWeekly.de