Passwordless security key sign-in - Microsoft Entra ID (2024)

For enterprises that use passwords today and have a shared PC environment, security keys provide a seamless way for workers to authenticate without entering a username or password. Security keys improve worker productivity and provide better security.

This document focuses on enabling security key based passwordless authentication. At the end of this article, you'll be able to sign in to web-based applications with your Microsoft Entra account using a FIDO2 security key.

Requirements

  • Microsoft Entra multifactor authentication (MFA)
  • Enable Combined security information registration
  • Compatible FIDO2 security keys
  • WebAuthN requires Windows 10 version 1903 or higher

To use security keys for logging in to web apps and services, you must have a browser that supports the WebAuthN protocol. These include Microsoft Edge, Chrome, Firefox, and Safari. For more information, see Browser support of FIDO2 passwordless authentication.

Prepare devices

For devices that are joined to Microsoft Entra ID, the best experience is on Windows 10 version 1903 or higher.

Hybrid-joined devices must run Windows 10 version 2004 or higher.

Enable passwordless authentication method

Enable the combined registration experience

Registration features for passwordless authentication methods rely on the combined registration feature. Follow the steps in the article Enable combined security information registration to enable combined registration.

Enable FIDO2 security key method

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

  2. Browse to Protection > Authentication methods > Authentication method policy.

  3. Under the method FIDO2 Security Key, click All users, or click Add groups to select specific groups. Only security groups are supported.

  4. Save the configuration.

    Note

    If you see an error when you try to save, the cause might be the number of users or groups being added. As a workaround, replace the users and groups you are trying to add with a single group, in the same operation, and then click Save again.

FIDO Security Key optional settings

There are some optional settings on the Configure tab to help manage how security keys can be used for sign-in.

  • Allow self-service set up should remain set to Yes. If set to No, your users won't be able to register a FIDO key through MySecurityInfo, even if enabled by Authentication Methods policy.
  • Setting Enforce attestation to Yes requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and the key must also pass Microsoft's additional set of validation testing. For more information, see What is a Microsoft-compatible security key?

Key Restriction Policy

  • Enforce key restrictions should be set to Yes only if your organization wants to only allow or disallow certain FIDO security keys, which are identified by their Authenticator Attestation GUID (AAGUID). You can work with your security key provider to determine the AAGUID of a device. If the key is already registered, you can find the AAGUID by viewing the authentication method details of the key for the user.

    Warning

    Key restrictions set the usability of specific FIDO2 methods for both registration and authentication. If you change key restrictions and remove an AAGUID that you previously allowed, users who previously registered an allowed method can no longer use it for sign-in.
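The effect described in the warning can be checked before a restriction list is changed. The following is an added example, not code from the original article or from Microsoft: it evaluates each registered key against the current and the proposed restriction policy and reports which users lose keys. The policy dictionary shape, function names, accounts and AAGUID values are constructed for illustration.

```python
import uuid

def norm(aaguid):
    """Canonical lowercase GUID form; raises ValueError on malformed input."""
    return str(uuid.UUID(aaguid.strip()))

def key_usable(aaguid, policy):
    """Evaluate one AAGUID against a key restriction policy (hypothetical dict shape)."""
    if not policy["enforced"]:
        return True
    listed = norm(aaguid) in {norm(a) for a in policy["aaguids"]}
    if policy["mode"] == "allow":
        return listed
    if policy["mode"] == "block":
        return not listed
    raise ValueError("mode must be 'allow' or 'block'")

def lockout_report(registrations, current, proposed):
    """Return {user: {"lost": [key names], "locked_out": bool}} for affected users.

    locked_out is True when none of the user's currently usable security keys
    remains usable under the proposed policy.
    """
    report = {}
    for user, keys in registrations.items():
        usable_now = [k for k in keys if key_usable(k["aaguid"], current)]
        lost = [k["name"] for k in usable_now
                if not key_usable(k["aaguid"], proposed)]
        if lost:
            report[user] = {"lost": lost,
                            "locked_out": len(lost) == len(usable_now)}
    return report

# Constructed sample data: three key models and three accounts.
MODEL_A = "11111111-1111-4111-8111-111111111111"
MODEL_B = "22222222-2222-4222-8222-222222222222"
MODEL_C = "33333333-3333-4333-8333-333333333333"
REGISTRATIONS = {
    "alice@example.com": [{"name": "desk key", "aaguid": MODEL_A}],
    "bob@example.com": [{"name": "primary", "aaguid": MODEL_B.upper()},
                        {"name": "backup", "aaguid": MODEL_A}],
    "carol@example.com": [{"name": "nfc badge", "aaguid": MODEL_C}],
}
CURRENT = {"enforced": True, "mode": "allow",
           "aaguids": [MODEL_A, MODEL_B, MODEL_C]}
# Proposed change: MODEL_A is removed from the allow list.
PROPOSED = {"enforced": True, "mode": "allow", "aaguids": [MODEL_B, MODEL_C]}

if __name__ == "__main__":
    report = lockout_report(REGISTRATIONS, CURRENT, PROPOSED)
    for user in sorted(report):
        print(user, report[user])
```

Users reported with `locked_out` set need a replacement key or another registered method in place before the change is saved.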

Disable a key

To remove a FIDO2 key associated with a user account, delete the key from the user’s authentication method.

  1. Sign in to the Microsoft Entra admin center and search for the user account from which the FIDO key is to be removed.

  2. Select Authentication methods > right-click FIDO2 security key and click Delete.

Security key Authenticator Attestation GUID (AAGUID)

The FIDO2 specification requires each security key provider to provide an Authenticator Attestation GUID (AAGUID) during attestation. An AAGUID is a 128-bit identifier indicating the key type, such as the make and model.

Note

The manufacturer must ensure that the AAGUID is identical across all substantially identical keys made by that manufacturer, and different (with high probability) from the AAGUIDs of all other types of keys. To ensure this, the AAGUID for a given type of security key should be randomly generated. For more information, see Web Authentication: An API for accessing Public Key Credentials - Level 2 (w3.org).

There are two ways to get your AAGUID. You can either ask your security key provider or view the authentication method details of the key per user.
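During registration, the AAGUID travels inside the WebAuthn authenticator data, directly after the 37-byte header. The following added example (not part of the original article) extracts it using the layout defined in the W3C specification cited above; the relying-party name, sample bytes and AAGUID value are constructed.

```python
import hashlib
import struct
import uuid

# Flag bits: user present, user verified, attested credential data included.
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40

def parse_auth_data(auth_data: bytes) -> dict:
    """Parse WebAuthn authenticator data up to and including the credential ID."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    flags = auth_data[32]
    info = {
        "rp_id_hash": auth_data[:32].hex(),
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data is truncated")
        aaguid = uuid.UUID(bytes=auth_data[37:53])      # 128-bit identifier
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID is truncated")
        info["aaguid"] = str(aaguid)
        # An all-zero AAGUID carries no make/model information to match on.
        info["aaguid_is_zero"] = aaguid.int == 0
        info["credential_id"] = cred_id.hex()
    return info

def build_sample(aaguid: str) -> bytes:
    """Constructed registration authenticator data for a made-up relying party."""
    return (
        hashlib.sha256(b"login.example.test").digest()   # rpIdHash (32 bytes)
        + bytes([FLAG_UP | FLAG_UV | FLAG_AT])           # flags (1 byte)
        + struct.pack(">I", 0)                           # signCount (4 bytes)
        + uuid.UUID(aaguid).bytes                        # AAGUID (16 bytes)
        + struct.pack(">H", 16) + bytes(range(16))       # credential ID
        + b"\xa0"  # placeholder where the CBOR-encoded public key would follow
    )

SAMPLE_AAGUID = "11111111-1111-4111-8111-111111111111"  # constructed value

if __name__ == "__main__":
    print(parse_auth_data(build_sample(SAMPLE_AAGUID)))
```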

User registration and management of FIDO2 security keys

  1. Browse to https://myprofile.microsoft.com.

  2. Sign in if you haven't already.

  3. Click Security info.

    1. If you already have at least one MFA method registered, you can immediately register a FIDO2 security key.
    2. If you don't have at least one MFA method registered, you must add one.
    3. An Authentication Policy Administrator can also issue a Temporary Access Pass to allow a user to register a passwordless authentication method.
  4. To add a FIDO2 security key, click Add method, and choose Security key.

  5. Choose USB device or NFC device.

  6. Have your key ready and choose Next. If you're using Chrome or Edge, the browser might prioritize registration of a passkey that's stored on a mobile device over a passkey that's stored on a security key.

    • Beginning with Windows 11 version 23H2, you can sign in with your work or school account and click Next. Below More choices, choose Security key and click Next.

    • On earlier versions of Windows, the browser may show the QR pairing screen to register a passkey that's stored on another mobile device. To register a passkey that's stored on a security key instead, insert your security key and touch it to continue.

  7. You're prompted to create or enter a PIN for your security key, then perform the required gesture for the key.

  8. You return to the combined registration experience, where you can provide a meaningful name for the key to identify it easily. Click Next.

  9. Click Done to complete the process.

Sign in with passwordless credential

In this example, a user has already provisioned their FIDO2 security key. The user can choose to sign in on the web with their FIDO2 security key inside of a supported browser on Windows 10 version 1903 or higher.

For more information about browsers and operating systems that support sign in to Microsoft Entra ID with FIDO2 security keys, see Browser support of FIDO2 passwordless authentication.

Troubleshooting and feedback

If you'd like to share feedback or encounter issues with this feature, share via the Windows Feedback Hub app using the following steps:

  1. Launch Feedback Hub and make sure you're signed in.
  2. Submit feedback under the following categorization:
    • Category: Security and Privacy
    • Subcategory: FIDO
  3. To capture logs, use the option to Recreate my Problem.

Known issues

Security key provisioning

Administrator provisioning and de-provisioning of security keys isn't available.

UPN changes

If a user's UPN changes, you can no longer modify FIDO2 security keys to account for the change. The solution for a user with a FIDO2 security key is to sign in to MySecurityInfo, delete the old key, and add a new one.

Next steps

FIDO2 security key Windows 10 sign in

Enable FIDO2 authentication to on-premises resources

Learn more about device registration

Learn more about Microsoft Entra multifactor authentication

FAQs

How to enable passkey in Entra ID?

After you log in to the Microsoft 365 Entra portal, in the Identity section, expand Protection, click on Authentication methods, and select FIDO2 security key. On the next page, enable passkeys. You can enable it for all the users or a set of users in a group.

How to enable passwordless sign in Microsoft Authenticator?

I have already set up my authenticator app
  1. Sign in to your Microsoft account Additional security options.
  2. Under Passwordless account, select Turn on.
  3. Follow the prompts to verify your account.
  4. Approve the request sent to your Microsoft Authenticator app.

What is Microsoft Entra ID in the authenticator app?

Microsoft Entra ID lets you choose which authentication methods can be used during the sign-in process. Users then register for the methods they'd like to use.

Can Microsoft Entra ID passwords be used to log in to Mac?

In Apple Business Manager, you can link to Microsoft Entra ID using federated authentication to allow users to sign in to Apple devices with their Microsoft Entra ID user name (generally their email address) and password. As a result, your users can leverage their Microsoft Entra ID credentials as Managed Apple IDs.

How do I turn on passkey?

Set up passkeys
  1. Tap Create a passkey Use another device.
  2. Follow on-screen instructions. You'll be required to insert your hardware security key and enter its PIN or touch the fingerprint sensor on the key.

How do I set up Microsoft passkey?

Creating a passkey
  1. Sign in to your Microsoft account Advanced Security Options. Sign in.
  2. Choose Add a new way to sign in or verify.
  3. Select Face, fingerprint, PIN, or security key.
  4. Follow the instructions on your device.
  5. Provide a name for your passkey.

How do I make my login passwordless?

Perform the following steps:
  1. Open terminal/command prompt on your machine. In Linux/Mac, open an application named “Terminal. ...
  2. Generating key-pairs (one-time operation) This is needed if you are doing this the first time! ...
  3. Adding your public key to the server's “authorized_keys” list. ...
  4. Testing Passwordless Authentication.

How do I add a secret key to Microsoft Authenticator?

Open the Authenticator app, select Add account from the Customize and control icon in the upper-right, select Other account (Google, Facebook, etc.), and then select OR ENTER CODE MANUALLY. Enter an Account name (for example, Facebook) and type the Secret key from Step 1, and then select Finish.

How to enable passwordless sign-in Windows 11?

In Windows 10 or 11, go to Settings > Accounts > Sign-in options. To use any of the Windows Hello options, you'll need to first set up a PIN if you haven't already done so. Click the option for Windows Hello (PIN) in Windows 10 or PIN (Windows Hello) in Windows 11 and then select Add or Set up.

How to login to Microsoft Entra ID?

To sign in to Microsoft Entra ID, users enter a value that uniquely identifies their account. Historically, you could only use the Microsoft Entra UPN as the sign-in identifier. For organizations where the on-premises UPN is the user's preferred sign-in email, this approach was great.

What are the authentication methods for Entra ID?

Authentication methods in Microsoft Entra ID include password and phone (for example, SMS and voice calls), which are manageable in Microsoft Graph today, among many others such as FIDO2 security keys and the Microsoft Authenticator app.

What is Microsoft Entra verified ID?

Microsoft Entra Verified ID capabilities

Confidently issue and verify identity claims, credentials, and certifications for trustworthy, secure, and efficient interactions between people and organizations.

Why does Microsoft keep asking me for my keychain password?

If your Microsoft Outlook keeps asking for your login keychain password on your Mac, it's usually because Office may have been moved outside of the default /Applications folder, or Office may be having issues accessing the keychain.

How do I find my Microsoft keychain password on my Mac?

Your login keychain password is normally the same as your user password (the password you use to log in to the computer).

Why does Mac keep asking for login keychain?

Your keychain may be locked automatically if your computer has been inactive for a period of time or your user password and keychain password are out of sync. You can set a length of time that Keychain Access waits before automatically requiring you to enter your password again.

How do I set up an Apple ID passkey?

Create a passkey for a new account

To create a passkey, iCloud Keychain must be set up on your Mac. When you see the option to save a passkey for the account, choose how you want to sign in: Touch ID on your Mac: Place your finger on the Touch ID sensor. Scan a QR code with your iPhone or iPad: Click Other Options.

How do I enable the FIDO2 key?

Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. Browse to Protection > Authentication methods > Authentication method policy. Under the method FIDO2 security key, set the toggle to Enable. Select All users or Add groups to select specific groups.

How do I get passkey on my iPhone?

Enable Passkeys in the Settings app: Open the Settings app on your Apple device and navigate to "Passwords & Accounts." From there, select "AutoFill Passwords" and enable the "Allow Filling From" option. This will enable Passkeys and allow you to create and manage them.

How do I register a new passkey for Beyond Identity?

Adding a new Passkey
  1. First, open up the Beyond Identity app. ...
  2. Next, go to Beyond Identity Registration. ...
  3. Authenticate Ping ID on your mobile device.
  4. Then click "Register New Passkey".
  5. In the popup window, checkmark "Always allow" and click "Open Beyond Identity".

Article information

Author: Virgilio Hermann JD
