At Ignite 2025, Microsoft announced that Entra ID would support synced passkeys from multiple credential providers. This means users can now create phishing-resistant credentials and sync them across devices. This new authentication method brings a lot of advantages compared to device-bound passkeys, but it also raises some security concerns. In this post we go over how to use synced passkeys, and in which scenarios we recommend against them.

What are synced passkeys

Synced passkeys are passkeys that are not tied to one specific device. Until recently, Microsoft Entra ID only supported device-bound passkeys, so a passkey could only be used on the device (or hardware key) it was created on. With synced passkeys, you can store the passkey in a credential vault (such as Google Credential Manager, Keeper, and many more) and use it on every device that has access to that vault. This introduces the following benefits:

    • Stronger security – Passkeys provide phishing-resistant authentication: the credential is bound to the origin of the relying party, so a user cannot be tricked into using it on a look-alike site and an adversary-in-the-middle proxy cannot relay the sign-in. This is stronger than basic MFA methods such as SMS codes or push approvals. Note that phishing resistance protects the sign-in itself, not the tokens issued afterwards; what it does guarantee is that an attacker can only complete the login if the system where the passkeys are stored is compromised.
    • Seamless multi-device access – When passkeys are synced across devices, you can log in from any device instead of having to rely on a passkey on a specific device. This is especially useful if you frequently switch between devices.
    • Reduced account recovery problems – If you lose one device, synced passkeys ensure you still have access to the passkeys via other devices. This makes recovery easier compared to device-bound passkeys.

Enabling synced passkeys

To enable synced passkeys as an administrator, go to the Authentication methods blade in the Microsoft Entra admin center and open the Passkey (FIDO2) authentication method.

[Screenshot: Authentication methods]

Since synced passkeys are still in public preview, you will need to opt-in to the public preview by clicking the banner at the top of the page:

[Screenshot: Passkey settings with the public preview banner]


When you click the banner, you are redirected to the new ‘Configure’ tab, where you can configure a maximum of three passkey profiles. As the banner states, you must configure the ‘Default passkey profile’ to target at least one passkey type. Here you can choose between ‘Device-bound’ and ‘Synced’ passkeys.

[Screenshot: Passkey (FIDO2) settings, Configure tab]

[Screenshot: Edit passkey profile]


After you have configured the ‘Default passkey profile’, you need to assign the profile to your users. You can either target ‘All users’ or select specific groups in Entra ID:

[Screenshot: Enable and target]

Register a synced passkey with Keeper

If a user wants to create a passkey for Entra ID with Keeper, the user needs to make sure that the Keeper browser extension is installed and that passkey prompts are allowed in the extension settings.

[Screenshot: Keeper extension settings]

Once this is the case, the user can go to the ‘Security info’ blade under My Account (aka.ms/mfasetup) and click on ‘Add sign-in method’.

[Screenshot: Security info]

If passkeys are properly enabled in the authentication methods blade as discussed earlier, the user gets the option to choose ‘Passkey’:

[Screenshot: Add sign-in method]

Next, the Keeper extension asks the user whether they want to save the passkey in Keeper. Here the user clicks ‘Create Passkey’:

[Screenshot: Keeper Create Passkey prompt]


The user is then redirected to the My Account page, where they can save the passkey under a name of their choice (Entra ID identifies the provider as Keeper automatically, based on the AAGUID the credential manager reports).

[Screenshot: Name your passkey]

After clicking ‘Next’, the passkey is saved.

[Screenshot: Passkey created]

Security thoughts

As you might have noticed when configuring passkey profiles in the Entra admin blade, you cannot enforce attestation in a profile that allows synced passkeys. The Microsoft Learn pages describe what this means: Entra ID cannot guarantee any attribute of the passkey, including its type, make, model or provider, and not even the target-specific AAGUIDs.

[Screenshot: Enforce attestation setting]

[Screenshot: Microsoft Learn note on attestation]

This raises the question whether you should allow synced passkeys for all users in your organisation, since synced passkeys introduce the following risks:

  1. Stolen passkey via a credential store the company does not manage – If a user saves their company passkeys to a personally owned credential store (like Google Password Manager or a personally owned password manager), the passkey can be leaked if an attacker compromises that credential store. Since the store is not managed by the company, you have no insight into where the passkey actually lives or whether it is properly secured.
  2. No attestation on passkey registration – Although we will cover AAGUID allow and block listing at a later stage, without attestation the AAGUID is simply a value the credential manager reports about itself; Entra ID cannot verify that it is correct. This means that allow or block listing of specific credential managers cannot be relied on as a security control for synced passkeys.
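To make the second risk concrete, the following added example (written for this post, not code from the original blog or from Microsoft) parses the authenticator data returned by a WebAuthn registration and shows that the AAGUID is just 16 bytes the authenticator writes into that structure. With attestation format "none", which is what a registration without attestation carries, no signature covers those bytes, so an AAGUID allow list accepts whatever value the client chose. The AAGUIDs, RP ID and credential id used are placeholders, not real vendor values.

```python
"""Added example (not from the original post): parse WebAuthn authenticator data
and show why an AAGUID that arrives without attestation cannot be trusted.

Layout of authenticatorData (WebAuthn, section 6.1):
  rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian)
  | attestedCredentialData (only when the AT flag is set):
      aaguid (16) | credentialIdLength (2, big-endian) | credentialId | credentialPublicKey (COSE/CBOR)
"""
import hashlib
import struct
import uuid

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included

# Placeholder AAGUIDs for the example; they are not real vendor values.
ALLOWED_AAGUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
UNKNOWN_AAGUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
EMPTY_COSE_KEY = b"\xa0"  # empty CBOR map; the public key itself is not inspected here


def build_auth_data(rp_id, aaguid, credential_id, cose_key=EMPTY_COSE_KEY,
                    sign_count=0, flags=FLAG_UP | FLAG_UV | FLAG_AT):
    """Assemble authenticator data the way any authenticator (or software acting as one) does.
    Nothing in this structure is signed on its own: the AAGUID is whatever the authenticator writes."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid.bytes
            + struct.pack(">H", len(credential_id))
            + credential_id
            + cose_key)


def parse_auth_data(auth_data):
    """Parse the fixed 37-byte header and, if the AT flag is set, the attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if parsed["flags"] & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        parsed["credential_id"] = cred_id
        parsed["public_key_cbor"] = auth_data[55 + cred_len:]
    return parsed


def evaluate_registration(fmt, auth_data, allowlist):
    """Return (aaguid, on_allowlist, aaguid_verified).

    aaguid_verified is False whenever the attestation format is "none": there is no
    attestation statement, so nothing vouches for the AAGUID the client reported.
    A full verifier would also validate the statement and its certificate chain for
    the other formats; this example only separates "attested" from "not attested".
    """
    parsed = parse_auth_data(auth_data)
    aaguid = parsed["aaguid"]
    return aaguid, aaguid in allowlist, fmt != "none"


# Constructed registration: a software credential manager writing an allow-listed
# AAGUID into its authenticator data, returned with attestation format "none".
SYNCED_REGISTRATION = build_auth_data("example.com", ALLOWED_AAGUID, b"\x01" * 16)


def demo():
    allowlist = {ALLOWED_AAGUID}
    aaguid, allowed, verified = evaluate_registration("none", SYNCED_REGISTRATION, allowlist)
    # The allow list says yes, but the AAGUID is unverified; a block list keyed on the
    # AAGUID is just as easy to sidestep by writing a different value.
    return {"aaguid": str(aaguid), "allowed": allowed, "verified": verified}


if __name__ == "__main__":
    print(demo())
```

The point of the `verified` flag is that with a device-bound key registered under a profile that enforces attestation, the same AAGUID arrives inside a signed attestation statement whose certificate chain can be checked against the vendor's metadata; for a synced passkey that check is unavailable, so the AAGUID must be treated as a hint, not a control.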

Therefore, we do not recommend synced passkeys for critical accounts such as:

    • VIP accounts
    • Admin accounts
    • Break-the-glass accounts

For these specific account types, device-bound passkeys should be enforced to protect against the risks synced passkeys introduce. In practice that means a dedicated passkey profile that targets only these groups, allows the device-bound type only, and enforces attestation.
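Beyond configuring the profile, you will want to check whether any of these critical accounts already hold a passkey registered without attestation. The example below (added here; not code from the original post) operates on responses from Microsoft Graph's `GET /users/{id}/authentication/fido2Methods`, whose `fido2AuthenticationMethod` objects carry an `attestationLevel` of `attested` or `notAttested`. It assumes you have already fetched those responses (for instance with `Get-MgUserAuthenticationFido2Method` from the Graph PowerShell SDK) and saved the JSON; the data embedded below is a constructed stand-in with placeholder names, ids and AAGUIDs.

```python
"""Added example (not from the original post): audit privileged accounts for passkeys
registered without attestation, based on saved Microsoft Graph fido2Methods responses.
"""

# One Graph response per user, keyed by UPN. Constructed sample data, not real tenant output.
SAMPLE_RESPONSES = {
    "admin1@contoso.example": {"value": [
        {"id": "m1", "displayName": "Keeper passkey",
         "aaGuid": "aaaaaaaa-0000-0000-0000-000000000001", "model": "",
         "attestationLevel": "notAttested", "createdDateTime": "2025-11-20T09:12:00Z"},
        {"id": "m2", "displayName": "Hardware key",
         "aaGuid": "bbbbbbbb-0000-0000-0000-000000000002", "model": "Example Key 5",
         "attestationLevel": "attested", "createdDateTime": "2025-03-02T10:00:00Z"},
    ]},
    "breakglass@contoso.example": {"value": [
        {"id": "m3", "displayName": "Hardware key (safe)",
         "aaGuid": "bbbbbbbb-0000-0000-0000-000000000002", "model": "Example Key 5",
         "attestationLevel": "attested", "createdDateTime": "2025-01-15T08:00:00Z"},
    ]},
    "alice@contoso.example": {"value": [
        {"id": "m4", "displayName": "Phone passkey",
         "aaGuid": "cccccccc-0000-0000-0000-000000000003", "model": "",
         "attestationLevel": "notAttested", "createdDateTime": "2025-11-21T14:30:00Z"},
    ]},
}

# Accounts the post says should not use synced passkeys: VIP, admin, break-the-glass.
PRIVILEGED_ACCOUNTS = {"admin1@contoso.example", "breakglass@contoso.example"}


def unattested_passkeys(responses, privileged):
    """Return the FIDO2 methods on privileged accounts whose attestationLevel is not 'attested'.

    'notAttested' covers synced passkeys (attestation cannot be enforced for them), but also
    device-bound keys registered under a profile that did not enforce attestation. Treat each
    finding as something to verify with the owner, not as proof of a synced passkey.
    """
    findings = []
    for upn in sorted(privileged):
        for method in responses.get(upn, {}).get("value", []):
            if method.get("attestationLevel") != "attested":
                findings.append({
                    "user": upn,
                    "method_id": method["id"],
                    "displayName": method.get("displayName"),
                    "aaGuid": method.get("aaGuid"),
                    "createdDateTime": method.get("createdDateTime"),
                })
    return findings


def privileged_without_attested_passkey(responses, privileged):
    """Privileged accounts with no attested passkey at all; they may still rely on weaker methods."""
    return sorted(
        upn for upn in privileged
        if not any(m.get("attestationLevel") == "attested"
                   for m in responses.get(upn, {}).get("value", []))
    )


if __name__ == "__main__":
    for f in unattested_passkeys(SAMPLE_RESPONSES, PRIVILEGED_ACCOUNTS):
        print(f"{f['user']}: '{f['displayName']}' ({f['aaGuid']}) registered "
              f"{f['createdDateTime']} without attestation")
    print("no attested passkey:",
          privileged_without_attested_passkey(SAMPLE_RESPONSES, PRIVILEGED_ACCOUNTS))
```

Run this against the admin, VIP and break-the-glass groups before you tighten the passkey profile for them: a finding on `admin1` (the Keeper passkey) is exactly the case the post warns about, and the second function catches the opposite problem, a critical account that never registered an attested passkey in the first place.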


Conclusion

We love that synced passkeys are now supported in Entra ID! It will help organizations a lot in pushing phishing-resistant authentication out to their end users, since there are now more places to store passkeys. However, organizations also need to be aware of the risks synced passkeys introduce compared to device-bound passkeys, and choose wisely whether to allow synced passkeys for all scenarios and users or not.

For more details, read the full blogpost of Robbe Van den Daele here