Microsoft Entra ID · Passkeys as the default sign-in method

Your Entra ID OTP tokens are still phishable. Hardware-bound FIDO2 keys aren't.

Microsoft will make passkeys the default in Entra ID. Hardware-bound FIDO2 passkeys take that further: the credential is created on the device and never leaves it, so there is no code to relay and no seed database to steal. Request two sample keys and test the migration.
FIDO2 certified · FIPS 140 certified · Microsoft Intelligent Security Association (MISA) member

YOUR EVALUATION KIT

2 × FIDO2 Security Keys

Free to evaluate

Works natively with Microsoft Entra ID
Choose USB-A, USB-C, or NFC form factors
Register with your own tenant in minutes
Request Your Kit
WHAT CHANGED

Passkeys are the direction. Where your credential lives decides how strong it is.

Microsoft will make passkeys the default sign-in method for Entra ID, moving toward phishing-resistant credentials. Passkeys come in two forms, and the difference matters most for your highest-risk accounts.
SYNCED PASSKEYS
Stored on a phone or laptop and synced through a personal Apple, Google, or Microsoft account. Convenient for most people and a genuine step up from typed codes.
OTP TOKENS
Still ask a person to read a code and type it in. On a lookalike page that code can be relayed in real time, and the shared seed behind every token is stored on a server to verify it.
59%
of successfully compromised accounts already had MFA enabled at the time of the attack.
54% vs 12%
Click rate of AI-crafted phishing compared with the older, typo-filled kind.
21 sec
Median time from phishing email open to link click

OTP token vs. hardware-bound FIDO2 key

Both work with Entra ID. Only one removes what attackers target.

Property OTP token FIDO2 key
Resists real-time relay (adversary-in-the-middle) phishing
No code for a person to read, type, or mistype
No shared secret stored on a verification server
Credential cannot be copied or exported from the device
Recognized as phishing-resistant by CISA and NIST
Meets NIST's highest assurance level (AAL3)
Works natively with Microsoft Entra ID
MIGRATION TO FIDO2

If you already issue OTP tokens, you are most of the way there.

Your users already carry an authenticator and have the routine of using it. Switching to FIDO2 keys keeps the habit and removes the phishable code. A small team can roll it out in phases.

01

Sample and test

Request two keys, register them in your own Entra ID tenant, and confirm the sign-in experience with your policies.
02

Provision

Use KeyProvision to pre-enroll keys to Entra ID accounts for users who can't self-register. Teach the rest how to do it themselves.
03

Roll out by risk

Start with admins, finance, and other privileged accounts. Issue two keys per user, a primary and a backup.
04

Retire the fallback

Once a group is enrolled, turn off legacy OTP and SMS on a schedule so attackers can't downgrade to the weaker method.

The Provisioning Tool

KeyProvision for Entra ID: enroll the users who can't enroll themselves

Self-registration works for technical staff. It leaves gaps for shared-workstation, deskless, and less-technical users. KeyProvision lets your admins pre-provision FIDO2 keys directly to Entra ID accounts, so a labeled key reaches each person ready to use, with no help-desk ticket and no exposed setup step.

Pre-register keys to accounts from one console

Enforce phishing-resistant MFA with FIDO2

Built for Microsoft Entra ID, no identity platform to replace

KeyProvision · Entra ID

Why teams choose FEITIAN

FIDO2 and FIPS 140 certified hardware, and a Microsoft Intelligent Security Association (MISA) partnership behind every deployment.
3,000+
customers worldwide
60M+
devices shipped per year
150+
countries served
1,000+
patents held
FIDO2 certified
FIPS 140 certified
Microsoft MISA member

Request your 2 free FIDO2 sample keys.

Tell us a little about your environment and we'll ship two keys to evaluate with Entra ID. No cost, no obligation.

Evaluate on your own tenant and policies
Planning 100+ keys? We'll include volume and deployment guidance.
FIPS 140 certified hardware

We use your details only to fulfill and follow up on this request. Prefer to talk deployment first? Email sales@ftsafe.us.

FAQs

How many keys can we get, and what does it cost?

The evaluation is two keys at no cost. For rollouts, we recommend two keys per user (a primary and a backup). Planning 100 or more? Our team will share volume pricing and deployment support.

Which form factors are available?

USB-A, USB-C, and NFC, plus biometric options. You can mix models across roles, and NFC keys work well with tap-based sign-in on shared devices.

What about users who cannot register a key themselves?

That is exactly what KeyProvision handles. Admins pre-provision keys to Entra ID accounts, so shared-workstation, deskless, and less-technical staff receive a key that is ready to use.

How are hardware keys different from synced passkeys?

Synced passkeys live on a phone or laptop and sync through a personal account. Hardware-bound keys keep the credential on the device where it cannot be synced or copied, which is why they meet AAL3 and suit privileged and shared roles. Most organizations use both.