{"id":60601,"date":"2026-05-07T16:00:00","date_gmt":"2026-05-07T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=147015"},"modified":"2026-05-07T16:00:00","modified_gmt":"2026-05-07T16:00:00","slug":"world-passkey-day-advancing-passwordless-authentication","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/world-passkey-day-advancing-passwordless-authentication\/","title":{"rendered":"World Passkey Day: Advancing passwordless authentication"},"content":{"rendered":"
<\/div>\n

World Passkey Day is a chance to reflect on progress toward a shared goal: reducing our reliance on passwords and other phishable authentication methods by accelerating passkey adoption. As cyberattacks become more automated and AI-powered, each account is only as secure as its weakest credential. Real progress requires more than adding stronger sign-in options\u2014it requires removing phishable credentials and strengthening common attack paths like recovery flows. In partnership with the FIDO Alliance, Microsoft is committed to advancing passkey adoption<\/a> through ongoing standards work, active participation in working groups, and other contributions to a passwordless future.<\/p>\n

Passwords remain a major source of risk; they\u2019re difficult to manage and easy to steal. Along with weaker forms of multifactor authentication, they\u2019re also highly vulnerable to phishing: AI-powered campaigns drive click-through rates as high as 54%.1<\/sup> In response, Microsoft is expanding passkey adoption across our ecosystem. We\u2019re reducing reliance on legacy authentication and strengthening account recovery so it won\u2019t become a backdoor for cyberattackers.<\/p>\n

\n
\n

\u201cInstead of vulnerable secrets or potentially identifiable personal information, a passkey uses a private key stored safely on the user\u2019s device. It only works on the website or app for which the user created it, and only if that same user unlocks it with their biometrics or PIN. This means passkey users can\u2019t be tricked into signing in to a malicious lookalike website, and a passkey is unusable unless the user is present and consenting. These are some qualities that make passkeys a \u2018phishing-resistant\u2019 form of authentication.\u201d<\/p>\n

From Microsoft Digital Defense Report<\/a>.<\/cite><\/p><\/blockquote>\n<\/figure>\n

Passkey adoption continues to grow industry wide<\/strong><\/h2>\n

Passkey adoption is accelerating: FIDO Alliance estimates 5 billion passkeys already in use worldwide.2<\/sup> Across Microsoft\u2019s consumer services, including OneDrive, Xbox, and Copilot, hundreds of millions of users sign in with passkeys every day.<\/p>\n

There are many reasons to choose passkeys as the standard authentication method over passwords. Sign-in success rates are significantly higher than with passwords, and exposure to credential-based attacks is significantly lower.3<\/sup> Organizations and individual users alike prefer the simpler, more secure sign-in experience passkeys offer.4<\/sup><\/p>\n

Inside Microsoft, we\u2019ve eliminated weaker authentication methods and rolled out phishing-resistant authentication, covering 99.6% of users and devices in our environment.5<\/sup> It\u2019s made signing in a lot simpler: no codes to enter, no extra prompts to manage, just a straightforward experience for everyone.<\/p>\n

Product updates across sign-in and recovery<\/h2>\n

Across Microsoft, we\u2019ve been steadily building passkey support into every layer of the identity experience from consumer accounts to enterprise access with Microsoft Entra<\/a>, and from device-based authentication like Windows Hello<\/a> to Microsoft\u2019s password manager<\/a>. This work ensures people can create and use passkeys wherever they sign in, with a consistent, phishing-resistant experience across devices, apps, and environments.<\/p>\n

To make passkeys more accessible, we\u2019re expanding where and how people can use them:<\/p>\n