I've been working with customers recently, helping define security strategies as they look to adopt our cloud services. I heard about Windows 10's new Passport feature and wanted to better understand what it is. What I learned is how *cool* this technology is, and how it will change how we approach security. Credential theft and credential reuse are serious problems that plague the current password-based systems.
Windows Passport is Microsoft's implementation of the FIDO 2.0 specification. In a nutshell, my understanding is that the client creates a public/private key pair (or obtains a certificate from an enterprise CA via NDES) and registers the public key with a service (Azure AD in this case). The private key is then protected on the client inside a key vault (TPM or software). The vault is unlocked with a "gesture" (Windows Hello); initially a PIN and biometrics are supported. This registration is likely combined with a second authentication factor (MFA) to also prove the user's identity at the same time, since Passport depends on pairing the device and the credential. Each device has its own certificate and PIN/biometrics. This is great because it removes the common practice of reusing the same password on many accounts, and the password is never sent over the network.
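To make the registration and sign-in flow described above concrete, here is an added Go simulation of it; this is example code written for this post, not Microsoft's Passport implementation or the FIDO reference code. It assumes an in-memory private key standing in for the TPM-protected vault, a string PIN standing in for the Windows Hello gesture, and a `Service` type standing in for Azure AD; the names `Device`, `Service`, `Register`, `Challenge`, `Sign` and `Verify` are all hypothetical. It shows the three properties the post calls out: the private key never leaves the device, a wrong gesture keeps the key locked, and only a fresh service-issued challenge signed by the registered device key is accepted, so a captured signature cannot be replayed and no password ever crosses the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device stands in for the client. The private key never leaves it; in a real
// deployment it would live in the TPM, here it is an in-memory field (assumption).
type Device struct {
	pin  string
	priv *ecdsa.PrivateKey
}

// NewDevice creates the per-device key pair and binds it to a PIN gesture.
func NewDevice(pin string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{pin: pin, priv: priv}, nil
}

// PublicKey is the only thing that gets registered with the service; it is not secret.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign unlocks the key with the gesture and signs the service's challenge.
// A wrong gesture leaves the key locked and produces no signature.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) != 1 {
		return nil, errors.New("gesture rejected: key stays locked")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Service stands in for the identity provider (Azure AD in the post).
type Service struct {
	keys       map[string]*ecdsa.PublicKey // user -> registered device key
	challenges map[string]bool             // outstanding nonces, hex-encoded
}

func NewService() *Service {
	return &Service{keys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

// Register stores the device's public key for the user. The MFA step that
// proves the user's identity during enrolment is assumed to have already passed.
func (s *Service) Register(user string, pub *ecdsa.PublicKey) {
	s.keys[user] = pub
}

// Challenge issues a fresh random nonce that the device must sign.
func (s *Service) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Verify checks the signature against the registered key and consumes the nonce,
// so a signature captured on the wire cannot be replayed later.
func (s *Service) Verify(user string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if !s.challenges[key] {
		return false // unknown or already-used challenge
	}
	delete(s.challenges, key)
	pub, ok := s.keys[user]
	if !ok {
		return false // no device registered for this user
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	dev, _ := NewDevice("1234") // constructed sample PIN
	svc := NewService()
	svc.Register("alice", dev.PublicKey())
	ch, _ := svc.Challenge()
	sig, _ := dev.Sign("1234", ch)
	fmt.Println("first login accepted:", svc.Verify("alice", ch, sig))
	fmt.Println("replayed login accepted:", svc.Verify("alice", ch, sig))
}
```

Note that the only secret on the device, the private key, is used solely to sign a nonce; the service holds nothing that would let an attacker who breaches it impersonate the user, which is the property that makes this model resistant to the credential-theft and credential-reuse problems mentioned at the top of the post.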
If you want to read how it really works, check out this article: https://technet.microsoft.com/en-us/library/mt589441(v=vs.85).aspx