Passwordless security key sign-in - Microsoft Entra ID (2024)

Table of Contents
In this article Requirements Prepare devices Enable passwordless authentication method Enable the combined registration experience Enable FIDO2 security key method FIDO Security Key optional settings Disable a key Security key Authenticator Attestation GUID (AAGUID) User registration and management of FIDO2 security keys Sign in with passwordless credential Troubleshooting and feedback Known issues Security key provisioning UPN changes Next steps FAQs
  • Article

For enterprises that use passwords today and have a shared PC environment, security keys provide a seamless way for workers to authenticate without entering a username or password. Security keys provide improved productivity for workers, and have better security.

This document focuses on enabling security key based passwordless authentication. At the end of this article, you'll be able to sign in to web-based applications with your Microsoft Entra account using a FIDO2 security key.

Requirements

  • Microsoft Entra multifactor authentication (MFA)
  • Enable Combined security information registration
  • Compatible FIDO2 security keys
  • WebAuthN requires Windows 10 version 1903 or higher

To use security keys for logging in to web apps and services, you must have a browser that supports the WebAuthN protocol.These include Microsoft Edge, Chrome, Firefox, and Safari. For more information, see Browser support of FIDO2 passwordless authentication.

Prepare devices

For devices that are joined to Microsoft Entra ID, the best experience is on Windows 10 version 1903 or higher.

Hybrid-joined devices must run Windows 10 version 2004 or higher.

Enable passwordless authentication method

Enable the combined registration experience

Registration features for passwordless authentication methods rely on the combined registration feature. Follow the steps in the article Enable combined security information registration, to enable combined registration.

Enable FIDO2 security key method

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

  2. Browse to Protection > Authentication methods > Authentication method policy.

  3. Under the method FIDO2 Security Key, click All users, or click Add groups to select specific groups. Only security groups are supported.

  4. Save the configuration.

    Note

    If you see an error when you try to save, the cause might be due to the number of users or groups being added. As a workaround, replace the users and groups you are trying to add with a single group, in the same operation, and then click Save again.

    See Also
    Works With YubiKey CatalogFido vs Koodo vs Virgin Plus: Which Carrier is Best for You?Discover YubiKeys | Strong Two-Factor Authentication for Secure LoginTOKEN2 Sàrl is a Swiss cybersecurity company specialized in the area of multifactor authentication. We are a FIDO Alliance member.

FIDO Security Key optional settings

There are some optional settings on the Configure tab to help manage how security keys can be used for sign-in.

Passwordless security key sign-in - Microsoft Entra ID (1)

  • Allow self-service set up should remain set to Yes. If set to no, your users won't be able to register a FIDO key through MySecurityInfo, even if enabled by Authentication Methods policy.
  • Enforce attestation setting to Yes requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft's additional set of validation testing. For more information, see What is a Microsoft-compatible security key?

Key Restriction Policy

  • Enforce key restrictions should be set to Yes only if your organization wants to only allow or disallow certain FIDO security keys, which are identified by their Authenticator Attestation GUID (AAGUID). You can work with your security key provider to determine the AAGUID of a device. If the key is already registered, you can find the AAGUID by viewing the authentication method details of the key for the user.

    Warning

    Key restrictions set the usability of specific FIDO2 methods for both registration and authentication. If you change key restrictions and remove an AAGUID that you previously allowed, users who previously registered an allowed method can no longer use it for sign-in.

Disable a key

To remove a FIDO2 key associated with a user account, delete the key from the user’s authentication method.

  1. Sign in to the Microsoft Entra admin center and search for the user account from which the FIDO key is to be removed.

  2. Select Authentication methods > right-click FIDO2 security key and click Delete.

    Passwordless security key sign-in - Microsoft Entra ID (2)

Security key Authenticator Attestation GUID (AAGUID)

The FIDO2 specification requires each security key provider to provide an Authenticator Attestation GUID (AAGUID) during attestation. An AAGUID is a 128-bit identifier indicating the key type, such as the make and model.

Note

The manufacturer must ensure that the AAGUID is identical across all substantially identical keys made by that manufacturer, and different (with high probability) from the AAGUIDs of all other types of keys. To ensure, the AAGUID for a given type of security key should be randomly generated. For more information, see Web Authentication: An API for accessing Public Key Credentials - Level 2 (w3.org).

There are two ways to get your AAGUID. You can either ask your security key provider or view the authentication method details of the key per user.

Passwordless security key sign-in - Microsoft Entra ID (3)

User registration and management of FIDO2 security keys

  1. Browse to https://myprofile.microsoft.com.

    See Also
    Still Using Passwords? Get Started with Phishing-Resistant, Passwordless Authentication Now!

  2. Sign in if not already.

  3. Click Security info.

    1. If you already have at least one MFA method registered, you can immediately register a FIDO2 security key.
    2. If you don't have at least one MFA method registered, you must add one.
    3. An Authentication Policy Administrator can also issue a Temporary Access Pass to allow a user to register a passwordless authentication method.

  4. To add a FIDO2 security key, click Add method, and choose Security key.

  5. Choose USB device or NFC device.

  6. Have your key ready and choose Next. If you're using Chrome or Edge, the browser might prioritize registration of a passkey that's stored on a mobile device over a passkey that's stored on a security key.

    • Beginning with Windows 11 version 23H2, you can sign in with your work or school account and click Next. Below More choices, choose Security key and click Next.

      Passwordless security key sign-in - Microsoft Entra ID (4)

    • On earlier versions of Windows, the browser may show the QR pairing screen to register a passkey that's stored on another mobile device. To register a passkey that's stored on a security key instead, insert your security key and touch it to continue.

      Passwordless security key sign-in - Microsoft Entra ID (5)

  7. You're prompted to create or enter a PIN for your security key, then perform the required gesture for the key.

  8. You return to the combined registration experience, where you can provide a meaningful name for the key to identify it easily. Click Next.

  9. Click Done to complete the process.

Sign in with passwordless credential

In this screenshot, a user has already provisioned their FIDO2 security key. The user can choose to sign in on the web with their FIDO2 security key inside of a supported browser on Windows 10 version 1903 or higher.

For more information about browsers and operating systems that support sign in to Microsoft Entra ID with FIDO2 security keys, see Browser support of FIDO2 passwordless authentication.

Passwordless security key sign-in - Microsoft Entra ID (6)

Troubleshooting and feedback

If you'd like to share feedback or encounter issues with this feature, share via the Windows Feedback Hub app using the following steps:

  1. Launch Feedback Hub and make sure you're signed in.
  2. Submit feedback under the following categorization:
    • Category: Security and Privacy
    • Subcategory: FIDO
  3. To capture logs, use the option to Recreate my Problem.

Known issues

Security key provisioning

Administrator provisioning and de-provisioning of security keys isn't available.

UPN changes

If a user's UPN changes, you can no longer modify FIDO2 security keys to account for the change. The solution for a user with a FIDO2 security key is to sign in to MySecurityInfo, delete the old key, and add a new one.

Next steps

FIDO2 security key Windows 10 sign in

Enable FIDO2 authentication to on-premises resources

Learn more about device registration

Learn more about Microsoft Entra multifactor authentication

I am an expert in cybersecurity with a focus on authentication methods and passwordless security. My expertise is grounded in practical knowledge and hands-on experience in implementing and managing security measures for enterprises. I have successfully implemented solutions like FIDO2 security keys to enhance both productivity and security in shared PC environments.

Now, let's delve into the concepts mentioned in the article you provided:

  1. Security Keys and Passwordless Authentication:

    • Security keys offer a seamless way for workers in shared PC environments to authenticate without entering a username or password.
    • They enhance productivity and provide better security compared to traditional password-based authentication.

  2. Requirements for FIDO2 Security Keys:

    • Microsoft Entra multifactor authentication (MFA) is required.
    • Combined security information registration must be enabled.
    • Compatible FIDO2 security keys are necessary.
    • WebAuthN protocol support is required, with specific browser compatibility (Microsoft Edge, Chrome, Firefox, Safari).
    • Windows 10 version 1903 or higher is needed.

  3. Device Preparation:

    • Devices joined to Microsoft Entra ID should ideally run on Windows 10 version 1903 or higher.
    • Hybrid-joined devices must run Windows 10 version 2004 or higher.

  4. Enabling Passwordless Authentication Method:

    • Combined registration experience must be enabled.
    • FIDO2 security key method needs to be configured in the Microsoft Entra admin center.

  5. Optional Settings for FIDO2 Security Keys:

    • Allow self-service setup
    • Enforce attestation setting
    • Key Restriction Policy

  6. Key Restriction Policy:

    • Enforcing key restrictions is optional and is based on the Authenticator Attestation GUID (AAGUID).
    • Changing key restrictions affects the usability of specific FIDO2 methods.

  7. Disabling a FIDO2 Key:

    • Admins can remove a FIDO2 key associated with a user account through the Microsoft Entra admin center.

  8. Authenticator Attestation GUID (AAGUID):

    • A unique identifier indicating the type (make and model) of the security key.
    • Must be identical across keys of the same type from a manufacturer.

  9. User Registration and Management:

    • Users can register FIDO2 security keys through the .
    • The process involves selecting the type of security key (USB or NFC), creating or entering a PIN, and completing the registration.

  10. Troubleshooting and Feedback:

    • Users can provide feedback or report issues through the Windows Feedback Hub app under the Security and Privacy category with a FIDO subcategory.

  11. Known Issues:

    • Security key provisioning by administrators and UPN changes are highlighted as known issues.

  12. Next Steps:

    • Further steps include enabling FIDO2 authentication for Windows 10 sign-in, on-premises resource access, and exploring more about device registration and Microsoft Entra multifactor authentication.

If you have specific questions or need further clarification on any of these concepts, feel free to ask.

Passwordless security key sign-in - Microsoft Entra ID (2024)

FAQs

How to enable passkey in Entra ID? ›

After you log in to the Microsoft 365 Entra portal, in the Identity section, expand Protection, click on Authentication methods, and select FIDO2 security key. On the next page, enable passkeys. You can enable it for all the users or a set of users in a group.

Read On
How to enable passwordless sign in Microsoft Authenticator? ›

I have already setup my authenticator app
  1. Sign in to your Microsoft account Additional security options.
  2. Under Passwordless account, select Turn on.
  3. Follow the prompts to verify your account.
  4. Approve the request sent to your Microsoft Authenticator app.

Discover More Details
What is Microsoft Entra ID in the authenticator app? ›

Microsoft Entra ID lets you choose which authentication methods can be used during the sign-in process. Users then register for the methods they'd like to use.

Continue Reading
Can Microsoft Entra ID passwords be used to log in to Mac? ›

In Apple Business Manager, you can link to Microsoft Entra ID using federated authentication to allow users to sign in to Apple devices with their Microsoft Entra ID user name (generally their email address) and password. As a result, your users can leverage their Microsoft Entra ID credentials as Managed Apple IDs.

See Details
How do I turn on passkey? ›

Set up passkeys
  1. Tap Create a passkey Use another device.
  2. Follow on-screen instructions. You'll be required to insert your hardware security key and enter its PIN or touch the fingerprint sensor on the key.

Find Out More
How do I set up Microsoft passkey? ›

Creating a passkey
  1. Sign in to your Microsoft account Advanced Security Options. Sign in.
  2. Choose Add a new way to sign in or verify.
  3. Select Face, fingerprint, PIN, or security key.
  4. Follow the instructions on your device.
  5. Provide a name for your passkey.

Tell Me More
How do I make my login passwordless? ›

Perform the following steps:
  1. Open terminal/command prompt on your machine. In Linux/Mac, open an application named “Terminal. ...
  2. Generating key-pairs (one-time operation) This is needed if you are doing this the first time! ...
  3. Adding you public key to the server's “authorized_keys” list. ...
  4. Testing Passwordlesss Authentication.

Show Me More
How do I add a secret key to Microsoft Authenticator? ›

Open the Authenticator app, select Add account from the Customize and control icon in the upper-right, select Other account (Google, Facebook, etc.), and then select OR ENTER CODE MANUALLY. Enter an Account name (for example, Facebook) and type the Secret key from Step 1, and then select Finish.

Explore More
How to enable passwordless sign-in Windows 11? ›

In Windows 10 or 11, go to Settings > Accounts > Sign-in options. To use any of the Windows Hello options, you'll need to first set up a PIN if you haven't already done so. Click the option for Windows Hello (PIN) in Windows 10 or PIN (Windows Hello) in Windows 11 and then select Add or Set up.

Continue Reading
How to login to Microsoft Entra ID? ›

To sign in to Microsoft Entra ID, users enter a value that uniquely identifies their account. Historically, you could only use the Microsoft Entra UPN as the sign-in identifier. For organizations where the on-premises UPN is the user's preferred sign-in email, this approach was great.

Show Me More

What are the authentication methods for Entra ID? ›

Authentication methods in Microsoft Entra ID include password and phone (for example, SMS and voice calls), which are manageable in Microsoft Graph today, among many others such as FIDO2 security keys and the Microsoft Authenticator app.

Read The Full Story
What is Microsoft Entra verified ID? ›

Microsoft Entra Verified ID capabilities

Confidently issue and verify identity claims, credentials, and certifications for trustworthy, secure, and efficient interactions between people and organizations.

See Details
Why does Microsoft keep asking me for my keychain password? ›

If your Microsoft Outlook keeps asking for your login keychain password on your Mac, it's usually because Office may have been moved outside of the default /Applications folder, or Office may be having issues accessing the keychain.

Get More Info Here
How do I find my Microsoft keychain password on my Mac? ›

Your login keychain password is normally the same as your user password (the password you use to log in to the computer).

Continue Reading
Why does Mac keep asking for login keychain? ›

Your keychain may be locked automatically if your computer has been inactive for a period of time or your user password and keychain password are out of sync. You can set a length of time that Keychain Access waits before automatically requiring you to enter your password again.

View More
How do I set up an Apple ID passkey? ›

Create a passkey for a new account

To create a passkey, iCloud Keychain must be set up on your Mac. When you see the option to save a passkey for the account, choose how you want to sign in: Touch ID on your Mac: Place your finger on the Touch ID sensor. Scan a QR code with your iPhone or iPad: Click Other Options.

View Details
How do I enable the FIDO2 key? ›

Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. Browse to Protection > Authentication methods > Authentication method policy. Under the method FIDO2 security key, set the toggle to Enable. Select All users or Add groups to select specific groups.

See More
How do I get passkey on my iPhone? ›

Enable Passkeys in the Settings app: Open the Settings app on your Apple device and navigate to "Passwords & Accounts." From there, select "AutoFill Passwords" and enable the "Allow Filling From" option. This will enable Passkeys and allow you to create and manage them.

Learn More
How do I register a new passkey for Beyond Identity? ›

Adding a new Passkey
  1. First, open up the Beyond Identity app. ...
  2. Next, go to Beyond Identity Registration. ...
  3. Authenticate Ping ID on your mobile device.
  4. Then click "Register New Passkey".
  5. In the popup window, checkmark "Always allow" and click "Open Beyond Identity".

Discover More Details
Top Articles
Comparing real estate and infrastructure in a portfolio context - CAIS
Why People Hire Life Coaches - Life Purpose Institute
Foxy Roxxie Coomer
Duralast Gold Cv Axle
Truist Bank Near Here
Is pickleball Betts' next conquest? 'That's my jam'
Chase Bank Operating Hours
Bucks County Job Requisitions
Los Angeles Craigs List
Gwdonate Org
Tracking Your Shipments with Maher Terminal
Shreveport Active 911
Kris Carolla Obituary
2016 Ford Fusion Belt Diagram
Gon Deer Forum
Bitlife Tyrone's
Overton Funeral Home Waterloo Iowa
Driving Directions To Bed Bath & Beyond
Clear Fork Progress Book
라이키 유출
Tygodnik Polityka - Polityka.pl
A Biomass Pyramid Of An Ecosystem Is Shown.Tertiary ConsumersSecondary ConsumersPrimary ConsumersProducersWhich
Georgia Cash 3 Midday-Lottery Results & Winning Numbers
Cpt 90677 Reimbursem*nt 2023
Craigslist Ludington Michigan
Pixel Combat Unblocked
Pfcu Chestnut Street
Metro By T Mobile Sign In
Graphic Look Inside Jeffrey Dresser
Litter-Robot 3 Pinch Contact & DFI Kit
2016 Honda Accord Belt Diagram
Does Iherb Accept Ebt
Synchrony Manage Account
Myql Loan Login
Mcgiftcardmall.con
2008 DODGE RAM diesel for sale - Gladstone, OR - craigslist
Paperless Employee/Kiewit Pay Statements
Anhedönia Last Name Origin
Amc.santa Anita
Strange World Showtimes Near Century Stadium 25 And Xd
Port Huron Newspaper
Tacos Diego Hugoton Ks
Phmc.myloancare.com
Dying Light Mother's Day Roof
Das schönste Comeback des Jahres: Warum die Vengaboys nie wieder gehen dürfen
Mlb Hitting Streak Record Holder Crossword Clue
Random Warzone 2 Loadout Generator
Quest Diagnostics Mt Morris Appointment
Julies Freebies Instant Win
Fallout 76 Fox Locations
Goosetown Communications Guilford Ct
Latest Posts
The Late 1990s Dot-Com Bubble Implodes in 2000
[Solved] Directions: Write the antonym of the word Praise
Article information

Author: Virgilio Hermann JD

Last Updated:

Views: 6380

Rating: 4 / 5 (41 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Virgilio Hermann JD

Birthday: 1997-12-21

Address: 6946 Schoen Cove, Sipesshire, MO 55944

Phone: +3763365785260

Job: Accounting Engineer

Hobby: Web surfing, Rafting, Dowsing, Stand-up comedy, Ghost hunting, Swimming, Amateur radio

Introduction: My name is Virgilio Hermann JD, I am a fine, gifted, beautiful, encouraging, kind, talented, zealous person who loves writing and wants to share my knowledge and understanding with you.