Passkeys arrive in Windows and promise corporate authentication without passwords


Microsoft has started enabling passkey support for Microsoft Entra in Windows, a move that brings the corporate world even closer to passwordless, phishing-resistant authentication. In broad terms, the new feature lets users create device-bound credentials inside the Windows Hello container and use Windows Hello biometrics or the Windows Hello PIN to sign in to resources protected by Entra.

This is an optional feature that Microsoft will put in public preview between mid-March and end of April 2026 for tenants around the world, with government clouds (GCC, GCC High and DoD) receiving the same capability in a slightly later window, from mid-April to mid-May. The company details the announcement in the Microsoft 365 message center, where it explains how the rollout will work and what steps administrators should take to enable it: message in Microsoft 365.

What makes this implementation relevant to many organizations is the extension of passwordless authentication to Windows devices that are not joined or registered in Entra. Until now, scenarios with personal or shared machines tended to fall back on passwords; with passkeys on Windows, these devices can authenticate without transmitting a password, using instead a cryptographic key generated locally by Windows Hello.

From a technical point of view, the private key never leaves the device. The process follows the principles of the FIDO2 standard: during registration a key pair is generated, the public key is registered with the service and the private key is stored securely in the Windows Hello container. To authenticate, the service challenges the device and the signed response proves possession of the private key, without the key being transmitted over the network. That architecture makes phishing attacks and credential theft difficult because there is no traditional password to copy or intercept. For those who want to go deeper into these principles, the FIDO consortium explains the technical basis: FIDO Alliance.
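The registration and challenge-response flow described above, as an added Go sketch that is not Microsoft's or the FIDO Alliance's code. The `Authenticator` type stands in for the Windows Hello container, and the service identifiers and the simplified signed payload are assumptions; the sketch goes slightly beyond the text by also binding the signature to the service identifier, as WebAuthn does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator stands in for the Windows Hello container (hypothetical type).
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Register creates the key pair; only the public key goes to the service.
func Register() (*Authenticator, *ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: k}, &k.PublicKey, nil
}

// digest binds challenge and service id (simplified from WebAuthn's signed data).
func digest(rpID string, challenge []byte) []byte {
	rp := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(rp[:], challenge...))
	return d[:]
}

// Sign answers a challenge; only the signature crosses the network.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, digest(rpID, challenge))
}

// Verify is the service side and needs only the registered public key.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(rpID, challenge), sig)
}

func main() {
	const rp = "login.example.test" // constructed service identifier
	auth, pub, _ := Register()
	c1, c2 := make([]byte, 32), make([]byte, 32)
	rand.Read(c1)
	rand.Read(c2)
	sig, _ := auth.Sign(rp, c1)
	fmt.Println("fresh challenge accepted:", Verify(pub, rp, c1, sig))
	fmt.Println("replayed on new challenge:", Verify(pub, rp, c2, sig))
	fmt.Println("checked for other service:", Verify(pub, "other.example.test", c1, sig))
}
```

A captured signature is useless against the next login because every attempt gets a new challenge, and the service stores nothing that can be replayed as a secret.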

Microsoft also emphasizes how the multi-account and multi-device model will be managed. Each Entra account must register its own passkey on each computer: several accounts can coexist on the same machine, but passkeys are not synchronized between devices, so a user who wants to sign in without a password from another PC will have to register a passkey on that computer as well. This limitation has advantages and disadvantages: on the one hand it improves isolation and reduces the impact of a breach on another device; on the other, it means more registration steps for people who use many machines.

For an organization to participate in the public preview, administrators should enable the Passkeys (FIDO2) authentication method in the Entra Authentication Methods policies, create a passkey profile that includes the AAGUIDs (identifiers that allow Entra to recognize specific Windows Hello implementations) and assign that profile to the relevant user groups. Microsoft's official documentation for developers and administrators includes guides to setting up passkeys in Azure / Entra that help explain the requirements and best practices: Passkeys documentation in Microsoft Entra. For those interested in how Windows manages credentials and Windows Hello, Microsoft maintains reference material on that stack in its Windows Hello and Hello for Business documentation: Windows Hello (Microsoft).
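What an AAGUID allow-list checks at registration time, as an added Go example that is not Entra's implementation: it reads the AAGUID from WebAuthn authenticator data and compares it with a profile's list. The AAGUID values and the `sample` helper are constructed for illustration and are not real Windows Hello identifiers.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
)

const flagAT = 0x40 // flags bit 6: attested credential data present

// AAGUID reads the authenticator model id from WebAuthn authenticator data:
// rpIdHash(32) | flags(1) | signCount(4) | AAGUID(16) | credIdLen(2) | ...
func AAGUID(authData []byte) (string, error) {
	if len(authData) < 37 {
		return "", errors.New("authenticator data shorter than 37 bytes")
	}
	if authData[32]&flagAT == 0 {
		return "", errors.New("no attested credential data (AT flag clear)")
	}
	if len(authData) < 55 {
		return "", errors.New("attested credential data truncated")
	}
	h := hex.EncodeToString(authData[37:53])
	return h[:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:], nil
}

// Permitted applies a profile's AAGUID allow-list to a registration.
// An unreadable AAGUID is rejected rather than waved through.
func Permitted(allow map[string]bool, authData []byte) bool {
	id, err := AAGUID(authData)
	return err == nil && allow[id]
}

// sample builds constructed authenticator data around a given AAGUID.
func sample(aaguidHex string, flags byte) []byte {
	d := make([]byte, 32, 64) // zeroed rpIdHash placeholder
	d = append(d, flags, 0, 0, 0, 0)
	id, _ := hex.DecodeString(aaguidHex)
	d = append(d, id...)
	return append(d, 0, 0) // credIdLen = 0, public key omitted
}

func main() {
	// Constructed AAGUIDs, not real Windows Hello identifiers.
	allow := map[string]bool{"11111111-2222-3333-4444-555555555555": true}
	fmt.Println(Permitted(allow, sample("11111111222233334444555555555555", 0x45)))
	fmt.Println(Permitted(allow, sample("aaaaaaaabbbbccccddddeeeeeeeeeeee", 0x45)))
	fmt.Println(Permitted(allow, sample("11111111222233334444555555555555", 0x05)))
}
```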

This announcement fits into a broader trend: Microsoft has been pushing toward a passwordless ecosystem for a long time. In the last couple of years it introduced passkey support for personal accounts and added a passkey manager integrated into Windows Hello with Windows 11 updates. In addition, the company has confirmed its intention to make new Microsoft accounts "passwordless by default," a strategy designed to reduce exposure to phishing, brute-force and credential-stuffing attacks.

For companies, the arrival of passkeys in Windows opens up opportunities to strengthen security with a smoother user experience, but it also raises management decisions. Enabling the preview requires coordination between identity, support and security teams to define which users and groups will test the feature, how to monitor adoption and how to handle recovery or loss-of-access scenarios when the credential is tied to a device. Interoperability with other identity providers and non-Windows devices should also be assessed if the environment is heterogeneous.

In terms of usability, using a face, fingerprint or PIN in place of a password can reduce friction and, at the same time, increase security, because local verification relies on secure hardware and on biometrics or secrets that are not transmitted. But it is not a silver bullet: organizations should complement the deployment of passkeys with clear policies on device management, malware protection and account recovery processes for users who change machines or lose access to their usual device.

The arrival of Microsoft Entra passkeys in Windows represents an important step towards corporate environments that are less dependent on passwords and more resistant to phishing. For IT teams it is an invitation to design pilot tests during the preview and to prepare the necessary governance; for end users it can be a faster and, in many cases, safer login experience. Those who want to read more about the technical foundations and standards behind this bet can consult the Microsoft and FIDO ecosystem resources mentioned above.

If you want me to guide you with a test plan to implement the preview in your organization (which groups to start with, indicators to measure and how to document support problems), tell me and I will prepare a practical scheme adapted to your environment.
