Passwordless security key sign-in - Microsoft Entra ID (2024)

For enterprises that use passwords today and have a shared PC environment, security keys provide a seamless way for workers to authenticate without entering a username or password. Security keys improve worker productivity and offer stronger security than passwords.

This document focuses on enabling security key based passwordless authentication. At the end of this article, you'll be able to sign in to web-based applications with your Microsoft Entra account using a FIDO2 security key.

Requirements

  • Microsoft Entra multifactor authentication (MFA)
  • Enable Combined security information registration
  • Compatible FIDO2 security keys
  • WebAuthN requires Windows 10 version 1903 or higher

To use security keys for logging in to web apps and services, you must have a browser that supports the WebAuthN protocol. These include Microsoft Edge, Chrome, Firefox, and Safari. For more information, see Browser support of FIDO2 passwordless authentication.

Prepare devices

For devices that are joined to Microsoft Entra ID, the best experience is on Windows 10 version 1903 or higher.

Hybrid-joined devices must run Windows 10 version 2004 or higher.

Enable passwordless authentication method

Enable the combined registration experience

Registration features for passwordless authentication methods rely on the combined registration feature. Follow the steps in the article Enable combined security information registration to enable combined registration.

Enable FIDO2 security key method

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

  2. Browse to Protection > Authentication methods > Authentication method policy.

  3. Under the method FIDO2 Security Key, click All users, or click Add groups to select specific groups. Only security groups are supported.

  4. Save the configuration.

    Note

    If you see an error when you try to save, the cause might be due to the number of users or groups being added. As a workaround, replace the users and groups you are trying to add with a single group, in the same operation, and then click Save again.

FIDO Security Key optional settings

There are some optional settings on the Configure tab to help manage how security keys can be used for sign-in.

  • Allow self-service set up should remain set to Yes. If it's set to No, users can't register a FIDO key through MySecurityInfo, even when the Authentication Methods policy enables the method for them.
  • Setting Enforce attestation to Yes requires the FIDO security key's metadata to be published and verified with the FIDO Alliance Metadata Service, and the key must also pass Microsoft's additional set of validation testing. For more information, see What is a Microsoft-compatible security key?

Key Restriction Policy

  • Enforce key restrictions should be set to Yes only if your organization wants to allow or block only certain FIDO security keys, which are identified by their Authenticator Attestation GUID (AAGUID). You can work with your security key provider to determine the AAGUID of a device. If the key is already registered, you can find the AAGUID by viewing the authentication method details of the key for the user.

    Warning

    Key restrictions set the usability of specific FIDO2 methods for both registration and authentication. If you change key restrictions and remove an AAGUID that you previously allowed, users who previously registered an allowed method can no longer use it for sign-in.
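
The Configure-tab settings above correspond to properties of the FIDO2 authentication method configuration in Microsoft Graph. The following Python is an added example, not Microsoft's code: it builds that configuration body, audits it for the pitfalls this section describes (self-service off, attestation not enforced, an enforced allow list with no AAGUIDs) and, for the warning above, computes which already-registered key types a change to the key restrictions would lock out of sign-in. The Graph endpoint, the fido2AuthenticationMethodConfiguration and fido2KeyRestrictions property names, and the Policy.ReadWrite.AuthenticationMethod permission are assumptions drawn from the Graph reference and should be checked against it; the AAGUIDs are constructed placeholders, not real vendor values.

```python
"""Build, audit, and diff the FIDO2 authentication-method configuration
behind the Configure tab described above.

Added example, not Microsoft's code. The JSON property names and the Graph
endpoint follow the Microsoft Graph fido2AuthenticationMethodConfiguration
resource as I know it (an assumption to verify against the current Graph
reference); the audit rules restate the article's guidance on each setting.
"""
import json
import urllib.request

# Assumed Graph v1.0 endpoint for the FIDO2 method configuration.
GRAPH_FIDO2_URL = ("https://graph.microsoft.com/v1.0/policies/"
                   "authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2")


def build_fido2_config(*, state="enabled", self_service=True, enforce_attestation=True,
                       enforce_key_restrictions=False, enforcement_type="block",
                       aaguids=()):
    """Return the PATCH body for the FIDO2 method configuration (assumed shape)."""
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "id": "Fido2",
        "state": state,                                    # "enabled" | "disabled"
        "isSelfServiceRegistrationEnabled": self_service,  # Allow self-service set up
        "isAttestationEnforced": enforce_attestation,      # Enforce attestation
        "keyRestrictions": {                               # Key Restriction Policy
            "@odata.type": "#microsoft.graph.fido2KeyRestrictions",
            "isEnforced": enforce_key_restrictions,
            "enforcementType": enforcement_type,           # "allow" | "block"
            "aaGuids": [a.lower() for a in aaguids],
        },
    }


def _permitted(key_restrictions, aaguid):
    """Would a key with this AAGUID pass the restriction policy?"""
    if not key_restrictions["isEnforced"]:
        return True
    listed = aaguid.lower() in {a.lower() for a in key_restrictions["aaGuids"]}
    return listed if key_restrictions["enforcementType"] == "allow" else not listed


def audit_fido2_config(cfg):
    """Return findings for settings that weaken or break security-key sign-in."""
    findings = []
    if cfg["state"] != "enabled":
        findings.append("state is not 'enabled': security keys can't be registered or used")
    if not cfg["isSelfServiceRegistrationEnabled"]:
        findings.append("self-service setup is off: users can't register a key in "
                        "MySecurityInfo even when the policy targets them")
    if not cfg["isAttestationEnforced"]:
        findings.append("attestation isn't enforced: keys not verified against the FIDO "
                        "Alliance Metadata Service and Microsoft's validation are accepted")
    kr = cfg["keyRestrictions"]
    if kr["isEnforced"] and kr["enforcementType"] == "allow" and not kr["aaGuids"]:
        findings.append("key restrictions enforce an empty allow list: every key is rejected")
    return findings


def lockout_candidates(old_cfg, new_cfg):
    """AAGUIDs named in either policy that were permitted before the change and aren't after.
    As the warning above says, keys of these types that users already registered stop
    working for sign-in once the change is saved."""
    old_kr, new_kr = old_cfg["keyRestrictions"], new_cfg["keyRestrictions"]
    named = {a.lower() for a in old_kr["aaGuids"]} | {a.lower() for a in new_kr["aaGuids"]}
    return {a for a in named if _permitted(old_kr, a) and not _permitted(new_kr, a)}


def patch_fido2_config(cfg, access_token):
    """Send the configuration to Graph. Assumes a token carrying
    Policy.ReadWrite.AuthenticationMethod; returns the HTTP status."""
    req = urllib.request.Request(
        GRAPH_FIDO2_URL, data=json.dumps(cfg).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed AAGUIDs, not real vendor values.
    KEY_A = "aaaaaaaa-0000-4000-8000-000000000001"
    KEY_B = "aaaaaaaa-0000-4000-8000-000000000002"
    weak = build_fido2_config(self_service=False, enforce_attestation=False)
    hardened = build_fido2_config(enforce_key_restrictions=True, enforcement_type="allow",
                                  aaguids=[KEY_A, KEY_B])
    narrowed = build_fido2_config(enforce_key_restrictions=True, enforcement_type="allow",
                                  aaguids=[KEY_A])
    for finding in audit_fido2_config(weak):
        print("weak config:", finding)
    print("hardened config findings:", audit_fido2_config(hardened))
    print("removing KEY_B from the allow list locks out:", lockout_candidates(hardened, narrowed))
```

Run `lockout_candidates` against the currently saved configuration before you save a narrower one; an empty set means no registered key type loses sign-in, anything else is the population you need to re-register first.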

Disable a key

To remove a FIDO2 key associated with a user account, delete the key from the user’s authentication method.

  1. Sign in to the Microsoft Entra admin center and search for the user account from which the FIDO key is to be removed.

  2. Select Authentication methods > right-click FIDO2 security key and click Delete.

Security key Authenticator Attestation GUID (AAGUID)

The FIDO2 specification requires each security key provider to provide an Authenticator Attestation GUID (AAGUID) during attestation. An AAGUID is a 128-bit identifier indicating the key type, such as the make and model.

Note

The manufacturer must ensure that the AAGUID is identical across all substantially identical keys made by that manufacturer, and different (with high probability) from the AAGUIDs of all other types of keys. To ensure this, the AAGUID for a given type of security key should be randomly generated. For more information, see Web Authentication: An API for accessing Public Key Credentials - Level 2 (w3.org).

There are two ways to get your AAGUID. You can either ask your security key provider or view the authentication method details of the key per user.
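
Both routes to an AAGUID, worked as an added Python example that is not Microsoft's code: the first parses the AAGUID out of the WebAuthn authenticator data an authenticator returns at registration (the attested credential data that follows the 37-byte rpIdHash, flags and signCount header, as laid out in the WebAuthn Level 2 specification the note above cites), and the second inventories AAGUIDs across users from the per-user authentication method details as Microsoft Graph returns them under /users/{id}/authentication/fido2Methods. The Graph property names (aaGuid, model, displayName) are an assumption drawn from the Graph reference; the relying party ID, the AAGUIDs, the users and the credential bytes are constructed for the example.

```python
"""Two ways to obtain an AAGUID: parse it from WebAuthn authenticator data, or
inventory it from the per-user FIDO2 method details Microsoft Graph reports.

Added example, not Microsoft's code. The authenticator-data layout is the one
WebAuthn Level 2 defines (rpIdHash | flags | signCount | attestedCredentialData);
the Graph fido2AuthenticationMethod property names are an assumption drawn from
the Graph reference; every sample value below is constructed.
"""
import hashlib
import struct
import uuid
from collections import defaultdict

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # user present, user verified, attested cred data


def build_registration_auth_data(rp_id, aaguid, credential_id, sign_count=0):
    """Construct authenticator data as a registration (makeCredential) response carries it."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()  # 32 bytes
    header = rp_id_hash + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + struct.pack(">I", sign_count)
    cose_key_stub = b"\xa0"  # CBOR empty map standing in for the COSE public key (constructed)
    return (header + aaguid.bytes + struct.pack(">H", len(credential_id))
            + credential_id + cose_key_stub)


def build_assertion_auth_data(rp_id, sign_count):
    """Sign-in (getAssertion) responses carry no attested credential data, so no AAGUID."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", sign_count))


def extract_aaguid(auth_data):
    """Return the AAGUID as a uuid.UUID, or None when the AT flag is clear."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than its 37-byte fixed part")
    if not auth_data[32] & FLAG_AT:
        return None
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("attested credential data is truncated")
    aaguid = uuid.UUID(bytes=auth_data[37:53])          # 16 bytes right after the header
    cred_len = struct.unpack(">H", auth_data[53:55])[0]  # big-endian credential ID length
    if len(auth_data) < 55 + cred_len:
        raise ValueError("credential ID is truncated")
    return aaguid


def inventory_aaguids(fido2_methods_by_user):
    """Summarize registered keys by AAGUID from Graph fido2Methods results (assumed shape).
    Returns {aaguid: {"model": str, "users": number of users holding that key type}}."""
    summary = defaultdict(lambda: {"model": None, "users": 0})
    for methods in fido2_methods_by_user.values():
        seen_for_user = set()
        for m in methods:
            a = m["aaGuid"].lower()
            summary[a]["model"] = m.get("model", summary[a]["model"])
            if a not in seen_for_user:
                summary[a]["users"] += 1
                seen_for_user.add(a)
    return dict(summary)


# Constructed sample data: not real vendor AAGUIDs, users or credentials.
SAMPLE_AAGUID = uuid.UUID("aaaaaaaa-0000-4000-8000-000000000001")
OTHER_AAGUID = "aaaaaaaa-0000-4000-8000-000000000002"
SAMPLE_FIDO2_METHODS = {  # shaped like GET /users/{id}/authentication/fido2Methods (assumption)
    "alice@example.com": [
        {"id": "m1", "displayName": "Desk key", "aaGuid": str(SAMPLE_AAGUID), "model": "Example Key v1"}],
    "bob@example.com": [
        {"id": "m2", "displayName": "Laptop key", "aaGuid": str(SAMPLE_AAGUID), "model": "Example Key v1"},
        {"id": "m3", "displayName": "Backup", "aaGuid": OTHER_AAGUID, "model": "Example Key v2"}],
}

if __name__ == "__main__":
    auth_data = build_registration_auth_data("example.com", SAMPLE_AAGUID, b"\x01" * 32)
    print("AAGUID from registration data:", extract_aaguid(auth_data))
    print("AAGUID from sign-in data:", extract_aaguid(build_assertion_auth_data("example.com", 7)))
    print("inventory:", inventory_aaguids(SAMPLE_FIDO2_METHODS))
```

The inventory is what you would feed into an allow list: it tells you which key types are already in use and how many users each restriction would affect.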

User registration and management of FIDO2 security keys

  1. Browse to https://myprofile.microsoft.com.

  2. Sign in if not already.

  3. Click Security info.

    1. If you already have at least one MFA method registered, you can immediately register a FIDO2 security key.
    2. If you don't have at least one MFA method registered, you must add one.
    3. An Authentication Policy Administrator can also issue a Temporary Access Pass to allow a user to register a passwordless authentication method.
  4. To add a FIDO2 security key, click Add method, and choose Security key.

  5. Choose USB device or NFC device.

  6. Have your key ready and choose Next. If you're using Chrome or Edge, the browser might prioritize registration of a passkey that's stored on a mobile device over a passkey that's stored on a security key.

    • Beginning with Windows 11 version 23H2, you can sign in with your work or school account and click Next. Below More choices, choose Security key and click Next.

    • On earlier versions of Windows, the browser may show the QR pairing screen to register a passkey that's stored on another mobile device. To register a passkey that's stored on a security key instead, insert your security key and touch it to continue.

  7. You're prompted to create or enter a PIN for your security key, then perform the required gesture for the key.

  8. You return to the combined registration experience, where you can provide a meaningful name for the key to identify it easily. Click Next.

  9. Click Done to complete the process.

Sign in with passwordless credential

In this screenshot, a user has already provisioned their FIDO2 security key. The user can choose to sign in on the web with their FIDO2 security key inside of a supported browser on Windows 10 version 1903 or higher.

For more information about browsers and operating systems that support sign in to Microsoft Entra ID with FIDO2 security keys, see Browser support of FIDO2 passwordless authentication.

(Screenshot: signing in on the web with a FIDO2 security key.)

Troubleshooting and feedback

If you'd like to share feedback or you encounter issues with this feature, report them via the Windows Feedback Hub app using the following steps:

  1. Launch Feedback Hub and make sure you're signed in.
  2. Submit feedback under the following categorization:
    • Category: Security and Privacy
    • Subcategory: FIDO
  3. To capture logs, use the option to Recreate my Problem.

Known issues

Security key provisioning

Administrator provisioning and de-provisioning of security keys isn't available.

UPN changes

If a user's UPN changes, you can no longer modify FIDO2 security keys to account for the change. The solution for a user with a FIDO2 security key is to sign in to MySecurityInfo, delete the old key, and add a new one.

Next steps

FIDO2 security key Windows 10 sign in

Enable FIDO2 authentication to on-premises resources

Learn more about device registration

Learn more about Microsoft Entra multifactor authentication

Summary

  1. Security Keys and Passwordless Authentication:

    • Security keys offer a seamless way for workers in shared PC environments to authenticate without entering a username or password.
    • They enhance productivity and provide better security compared to traditional password-based authentication.
  2. Requirements for FIDO2 Security Keys:

    • Microsoft Entra multifactor authentication (MFA) is required.
    • Combined security information registration must be enabled.
    • Compatible FIDO2 security keys are necessary.
    • WebAuthN protocol support is required, with specific browser compatibility (Microsoft Edge, Chrome, Firefox, Safari).
    • Windows 10 version 1903 or higher is needed.
  3. Device Preparation:

    • Devices joined to Microsoft Entra ID should ideally run on Windows 10 version 1903 or higher.
    • Hybrid-joined devices must run Windows 10 version 2004 or higher.
  4. Enabling Passwordless Authentication Method:

    • Combined registration experience must be enabled.
    • FIDO2 security key method needs to be configured in the Microsoft Entra admin center.
  5. Optional Settings for FIDO2 Security Keys:

    • Allow self-service setup
    • Enforce attestation setting
    • Key Restriction Policy
  6. Key Restriction Policy:

    • Enforcing key restrictions is optional and is based on the Authenticator Attestation GUID (AAGUID).
    • Changing key restrictions affects the usability of specific FIDO2 methods.
  7. Disabling a FIDO2 Key:

    • Admins can remove a FIDO2 key associated with a user account through the Microsoft Entra admin center.
  8. Authenticator Attestation GUID (AAGUID):

    • A unique identifier indicating the type (make and model) of the security key.
    • Must be identical across keys of the same type from a manufacturer.
  9. User Registration and Management:

    • Users can register FIDO2 security keys through the Security info page at https://myprofile.microsoft.com.
    • The process involves selecting the type of security key (USB or NFC), creating or entering a PIN, and completing the registration.
  10. Troubleshooting and Feedback:

    • Users can provide feedback or report issues through the Windows Feedback Hub app under the Security and Privacy category with a FIDO subcategory.
  11. Known Issues:

    • Security key provisioning by administrators and UPN changes are highlighted as known issues.
  12. Next Steps:

    • Further steps include enabling FIDO2 authentication for Windows 10 sign-in, on-premises resource access, and exploring more about device registration and Microsoft Entra multifactor authentication.


FAQs

How to enable passkey in Entra ID?

After you log in to the Microsoft 365 Entra portal, in the Identity section, expand Protection, click on Authentication methods, and select FIDO2 security key. On the next page, enable passkeys. You can enable it for all the users or a set of users in a group.

How to enable passwordless sign in Microsoft Authenticator?

I have already set up my authenticator app
  1. Sign in to your Microsoft account Additional security options.
  2. Under Passwordless account, select Turn on.
  3. Follow the prompts to verify your account.
  4. Approve the request sent to your Microsoft Authenticator app.

What is Microsoft Entra ID in the authenticator app?

Microsoft Entra ID lets you choose which authentication methods can be used during the sign-in process. Users then register for the methods they'd like to use.

Can Microsoft Entra ID passwords be used to log in to Mac?

In Apple Business Manager, you can link to Microsoft Entra ID using federated authentication to allow users to sign in to Apple devices with their Microsoft Entra ID user name (generally their email address) and password. As a result, your users can leverage their Microsoft Entra ID credentials as Managed Apple IDs.

How do I turn on passkey?

Set up passkeys
  1. Tap Create a passkey Use another device.
  2. Follow on-screen instructions. You'll be required to insert your hardware security key and enter its PIN or touch the fingerprint sensor on the key.

How do I set up Microsoft passkey?

Creating a passkey
  1. Sign in to your Microsoft account Advanced Security Options. Sign in.
  2. Choose Add a new way to sign in or verify.
  3. Select Face, fingerprint, PIN, or security key.
  4. Follow the instructions on your device.
  5. Provide a name for your passkey.

How do I make my login passwordless?

Perform the following steps:
  1. Open terminal/command prompt on your machine. In Linux/Mac, open an application named “Terminal. ...
  2. Generating key-pairs (one-time operation) This is needed if you are doing this the first time! ...
  3. Adding your public key to the server's “authorized_keys” list. ...
  4. Testing Passwordless Authentication.

How do I add a secret key to Microsoft Authenticator?

Open the Authenticator app, select Add account from the Customize and control icon in the upper-right, select Other account (Google, Facebook, etc.), and then select OR ENTER CODE MANUALLY. Enter an Account name (for example, Facebook) and type the Secret key from Step 1, and then select Finish.

How to enable passwordless sign-in Windows 11?

In Windows 10 or 11, go to Settings > Accounts > Sign-in options. To use any of the Windows Hello options, you'll need to first set up a PIN if you haven't already done so. Click the option for Windows Hello (PIN) in Windows 10 or PIN (Windows Hello) in Windows 11 and then select Add or Set up.

How to login to Microsoft Entra ID?

To sign in to Microsoft Entra ID, users enter a value that uniquely identifies their account. Historically, you could only use the Microsoft Entra UPN as the sign-in identifier. For organizations where the on-premises UPN is the user's preferred sign-in email, this approach was great.

What are the authentication methods for Entra ID?

Authentication methods in Microsoft Entra ID include password and phone (for example, SMS and voice calls), which are manageable in Microsoft Graph today, among many others such as FIDO2 security keys and the Microsoft Authenticator app.

What is Microsoft Entra verified ID?

Microsoft Entra Verified ID capabilities

Confidently issue and verify identity claims, credentials, and certifications for trustworthy, secure, and efficient interactions between people and organizations.

Why does Microsoft keep asking me for my keychain password?

If your Microsoft Outlook keeps asking for your login keychain password on your Mac, it's usually because Office may have been moved outside of the default /Applications folder, or Office may be having issues accessing the keychain.

How do I find my Microsoft keychain password on my Mac?

Your login keychain password is normally the same as your user password (the password you use to log in to the computer).

Why does Mac keep asking for login keychain?

Your keychain may be locked automatically if your computer has been inactive for a period of time or your user password and keychain password are out of sync. You can set a length of time that Keychain Access waits before automatically requiring you to enter your password again.

How do I set up an Apple ID passkey?

Create a passkey for a new account

To create a passkey, iCloud Keychain must be set up on your Mac. When you see the option to save a passkey for the account, choose how you want to sign in: Touch ID on your Mac: Place your finger on the Touch ID sensor. Scan a QR code with your iPhone or iPad: Click Other Options.

How do I enable the FIDO2 key?

Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. Browse to Protection > Authentication methods > Authentication method policy. Under the method FIDO2 security key, set the toggle to Enable. Select All users or Add groups to select specific groups.

How do I get passkey on my iPhone?

Enable Passkeys in the Settings app: Open the Settings app on your Apple device and navigate to "Passwords & Accounts." From there, select "AutoFill Passwords" and enable the "Allow Filling From" option. This will enable Passkeys and allow you to create and manage them.

How do I register a new passkey for Beyond Identity?

Adding a new Passkey
  1. First, open up the Beyond Identity app. ...
  2. Next, go to Beyond Identity Registration. ...
  3. Authenticate Ping ID on your mobile device.
  4. Then click "Register New Passkey".
  5. In the popup window, checkmark "Always allow" and click "Open Beyond Identity".

Article information

Author: Virgilio Hermann JD