Passkeys & the new security paradigm


Welcome back to Heart of Security! I’m wrapping up a busy and energizing week at RSA, an event I look forward to all year (and not just because it’s in my own backyard!). It was so inspiring to see customers and partners, learn from my peers, and be a part of this incredible community of security professionals that is advancing the frontiers of security innovations every day. I had the honor of presenting a keynote on the future of agentic AI and the very human-driven way it will change the game in security. As a lifelong Trekkie and a particular fan of Zora, it’s almost surreal to live in an era in which AI agents will truly become assistants, collaborators, and thought partners in our daily lives. In security, agentic AI will empower a new paradigm that was once the domain of science fiction, and I’m thrilled to be here for the journey. 

And talking about journeys, today is World Passkey Day! This journey started three years ago – when in partnership with the FIDO Alliance, Apple and Google – we announced the concept of passkeys. Since then, we’ve seen great progress and adoption of this technology and are excited to continue to innovate with our partners on this important work that protects so many people online. In honor of World Passkey Day, I’m excited to feature FIDO Alliance Executive Director & CEO Andrew Shikiar for my spotlight below to discuss the journey toward passwordless sign-in and why passkeys are better than passwords.

 


Charlie Bell recently shared our latest Secure Future Initiative (SFI) milestones in our multi-year journey to improve the security posture of Microsoft, our customers, and the industry at large. When Microsoft launched SFI in 2023 with the goal to put security above all else, we pledged not only to prioritize our customers’ cyber safety, but to provide proof that their trust was earned.

This began with a cultural shift, in which we made security a core priority for every employee. Microsoft added security as a metric during performance check-ins and created Microsoft Security Academy, which more than 50,000 employees have now leveraged to improve their security skills. We also updated our governance structure by adding Deputy CISOs across Microsoft to integrate security standards into all projects from their inception. 

These processes are designed to ensure that everything we do is secure by design and secure by default. We also implemented several new policies to prevent fraud – and our behavioral-based detection models and investigation methods have thwarted approximately $4 billion in fraud attempts, rejected 49,000 fraudulent partnership enrollments, and blocked around 1.6 million bot signup attempts per hour. We’ve also upped our game on engineering, including identity security, tenant protection, network security and more. In addition to enhanced security and compliance standards, Microsoft also partnered with the community through our Zero Day Quest, which discovered 154 critical and important vulnerabilities.  

The learnings and innovations from the Secure Future Initiative are turbo-charging our security products, which we in turn use to protect Microsoft and our customers. To help reduce the risk of phishing and improve our customers’ overall security posture, we started rolling out two new Microsoft-managed conditional access policies in February that limit device code flow and legacy authentication. We also introduced new capabilities to help protect OAuth applications by default across Microsoft 365, Google, and Salesforce.

I’m proud to say Microsoft’s commitment to security shines in this latest progress report, and we’ll continue our advances in cybersecurity and AI safety as we continue to transform our cybersecurity business. I encourage you to read the full report for more details on our progress.  

 


In honor of World Passkey Day today, I talked to Andrew Shikiar about why passkeys are replacing passwords as the next-generation login and the benefits of doing so. Andrew got his start in the identity community over 20 years ago when he worked on the Sun Microsystems team that helped launch the Liberty Alliance Project, which created the industry’s first standards in federated identity. Today he is the Executive Director and CEO of The FIDO Alliance, a non-profit industry association focused on eliminating the world’s dependence on passwords by creating and driving adoption of open standards for simpler, stronger user authentication.

The FIDO Alliance and Microsoft have the shared goal of reducing the world’s reliance on passwords. So, what is the problem with passwords? Andrew says it “generally comes down to a combination of exceedingly poor security combined with a poor user experience. Even so, passwords are still widely utilized despite being unhealthy for enterprises and their users alike.” Despite their shortcomings, passwords are still prevalent because they work across various services and devices, a feat no alternative has achieved before passkeys. 



 These passkey advantages aren’t just a premise. Businesses are finding real benefits from deploying passkeys. Andrew shares that, “CISOs and enterprise IT teams are reporting increased employee productivity and helpdesk costs – and massive reduction of credential-oriented social engineering success as passkeys prevent phishing and other remote attacks. On the consumer side, service providers are consistently finding significant improvement in sign-in success rate and time to sign-in and are starting to draw direct lines between increased passkey usage and both decreased fraud and increased revenues.” 

  

So, what strategies can leaders use to drive awareness and adoption of passwordless security into their company's operations? Andrew says one of the main concerns he hears from companies contemplating passkeys is having to educate users on why and how to use passkeys. Change management is a factor for any new technology, and developing educational campaigns for your users and employees is highly recommended. However, Andrew contends that “case study after case study has shown that change management concerns simply haven’t materialized, with returns from increased productivity and elimination of social engineering attacks quickly outweighing the investment.” 

 


Not only do passkeys help to eliminate many of the security concerns that passwords create, but they also provide a better experience for users, getting rid of the pain of remembering passwords, creating new ones, and managing them across devices. When I get the opportunity to use a passkey, I do – and I encourage my friends and family to do the same! I hope you’ll join me in celebrating World Passkey Day by using passkeys wherever possible. 💜



  • Don’t miss our latest edition of Cyber Signals, which delves into the emerging threats posed by AI-enhanced fraud and the robust measures Microsoft is implementing to safeguard its customers. 

  • Microsoft Data Cowboy Ram Shankar Siva Kumar recently shared a fascinating look into Microsoft’s AI Red Team and the work they do keeping our systems safe by emulating real world attacks. The team also published a new whitepaper about the importance of agentic AI systems in enhancing the impact and value of generative AI. 

  • I’m looking forward to sharing the keynote for the Microsoft 365 Community Conference on May 6, to reinforce the importance of security in the era of AI and explore how Microsoft is helping to shape the future of work. You can register here: aka.ms/M365Con25 

  • Make sure you subscribe to the new Security Pulse LinkedIn newsletter from Microsoft Security! This bi-monthly CISO update features topics that are important to security executives, such as the threat landscape, risk management, security operations, emerging trends, and more. 

 


Something that recently inspired me was my visit to Milan, Italy, where I met our team, customers, partners, community and the next generation of young women leaders who are driving AI transformation with a security-first mindset! A big highlight was the inspiring session that our Italy team organized, which demonstrated how perceived challenges can turn into inspiring opportunities. In the heart of Milan, architect Donato Bramante faced a challenge: his grand vision for Santa Maria presso San Satiro was confined by space. But instead of yielding, he defied limitations with sheer ingenuity, crafting a breathtaking trompe-l'œil illusion that made a 90 cm choir appear vast and infinite. His mastery of perspective not only transformed the church but set a precedent for Renaissance art, proving that creativity can triumph over constraints. This was a great reminder that often constraints and imagination are the catalysts for extraordinary creativity and innovation – we have to change our mindset and approach!


A quote I love: “The best way to predict the future is to create it.” – Peter Drucker 



Ran Lampert

Co-Founder and CEO at Infinipoint | We don't trust devices, neither should you #Passwordless #ZeroDeviceTrust

1mo

Passkeys are a major step forward - not just for usability, but for the long-term shift toward phishing-resistant authentication. It’s encouraging to see the ecosystem evolving in this direction. But let’s remind ourselves: passkeys aren’t a silver bullet. They still require strong device trust, real-time posture validation, and integration with broader Zero Trust strategies to truly reduce risk. Great progress - and the right direction. Now the work continues to ensure access decisions are based not just on who, but on what and how secure.

Jason Birchall - PG DIP, CISM, CRISC, CCSP

Microsoft Cloud Architect Expert & Cloud Cyber Security Architect Expert, CISO, Helping Businesses Protect, Manage and Govern Cloud Services ☁️🏢

2mo

Blazing a path forwards 🚀 🚀 🚀 🚀

Dmitri Plotnikov

Complex Projects. Clear Outcomes | PowerApps | SharePoint | M365

2mo

World Passkey Day is a great opportunity to highlight advancements in secure authentication.

John Thomas

Former AR Support Engineer - IVAS

2mo

Using a single passkey for everything isn’t just convenient—it’s a leap forward in both security and user experience. It eliminates password fatigue, reduces phishing risks, and syncs seamlessly across devices. Honestly, it’s cooler than crypto because it solves a daily pain point for everyone, not just investors and developers. Passkeys are the future of login security.
