Passwordless security key sign-in - Microsoft Entra ID (2024)

Table of Contents
In this article Requirements Prepare devices Enable passwordless authentication method Enable the combined registration experience Enable FIDO2 security key method FIDO Security Key optional settings Disable a key Security key Authenticator Attestation GUID (AAGUID) User registration and management of FIDO2 security keys Sign in with passwordless credential Troubleshooting and feedback Known issues Security key provisioning UPN changes Next steps
  • Article

For enterprises that use passwords today and have a shared PC environment, security keys provide a seamless way for workers to authenticate without entering a username or password. Security keys provide improved productivity for workers, and have better security.

This document focuses on enabling security key based passwordless authentication. At the end of this article, you'll be able to sign in to web-based applications with your Microsoft Entra account using a FIDO2 security key.

Requirements

  • Microsoft Entra multifactor authentication (MFA)
  • Enable Combined security information registration
  • Compatible FIDO2 security keys
  • WebAuthN requires Windows 10 version 1903 or higher

To use security keys for logging in to web apps and services, you must have a browser that supports the WebAuthN protocol.These include Microsoft Edge, Chrome, Firefox, and Safari. For more information, see Browser support of FIDO2 passwordless authentication.

Prepare devices

For devices that are joined to Microsoft Entra ID, the best experience is on Windows 10 version 1903 or higher.

Hybrid-joined devices must run Windows 10 version 2004 or higher.

Enable passwordless authentication method

Enable the combined registration experience

Registration features for passwordless authentication methods rely on the combined registration feature. Follow the steps in the article Enable combined security information registration, to enable combined registration.

Enable FIDO2 security key method

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

  2. Browse to Protection > Authentication methods > Authentication method policy.

  3. Under the method FIDO2 Security Key, click All users, or click Add groups to select specific groups. Only security groups are supported.

  4. Save the configuration.

    Note

    If you see an error when you try to save, the cause might be due to the number of users or groups being added. As a workaround, replace the users and groups you are trying to add with a single group, in the same operation, and then click Save again.

    See Also
    Fido vs Koodo vs Virgin Plus: Which Carrier is Best for You?Works With YubiKey CatalogU.S State uses YubiKey to Protect VotersTOKEN2 Sàrl is a Swiss cybersecurity company specialized in the area of multifactor authentication. We are a FIDO Alliance member.

FIDO Security Key optional settings

There are some optional settings on the Configure tab to help manage how security keys can be used for sign-in.

Passwordless security key sign-in - Microsoft Entra ID (1)

  • Allow self-service set up should remain set to Yes. If set to no, your users won't be able to register a FIDO key through MySecurityInfo, even if enabled by Authentication Methods policy.
  • Enforce attestation setting to Yes requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft's additional set of validation testing. For more information, see What is a Microsoft-compatible security key?

Key Restriction Policy

  • Enforce key restrictions should be set to Yes only if your organization wants to only allow or disallow certain FIDO security keys, which are identified by their Authenticator Attestation GUID (AAGUID). You can work with your security key provider to determine the AAGUID of a device. If the key is already registered, you can find the AAGUID by viewing the authentication method details of the key for the user.

    Warning

    Key restrictions set the usability of specific FIDO2 methods for both registration and authentication. If you change key restrictions and remove an AAGUID that you previously allowed, users who previously registered an allowed method can no longer use it for sign-in.

Disable a key

To remove a FIDO2 key associated with a user account, delete the key from the user’s authentication method.

  1. Sign in to the Microsoft Entra admin center and search for the user account from which the FIDO key is to be removed.

  2. Select Authentication methods > right-click FIDO2 security key and click Delete.

    Passwordless security key sign-in - Microsoft Entra ID (2)

Security key Authenticator Attestation GUID (AAGUID)

The FIDO2 specification requires each security key provider to provide an Authenticator Attestation GUID (AAGUID) during attestation. An AAGUID is a 128-bit identifier indicating the key type, such as the make and model.

Note

The manufacturer must ensure that the AAGUID is identical across all substantially identical keys made by that manufacturer, and different (with high probability) from the AAGUIDs of all other types of keys. To ensure, the AAGUID for a given type of security key should be randomly generated. For more information, see Web Authentication: An API for accessing Public Key Credentials - Level 2 (w3.org).

There are two ways to get your AAGUID. You can either ask your security key provider or view the authentication method details of the key per user.

Passwordless security key sign-in - Microsoft Entra ID (3)

User registration and management of FIDO2 security keys

  1. Browse to https://myprofile.microsoft.com.

    See Also
    Discover YubiKeys | Strong Two-Factor Authentication for Secure Login

  2. Sign in if not already.

  3. Click Security info.

    1. If you already have at least one MFA method registered, you can immediately register a FIDO2 security key.
    2. If you don't have at least one MFA method registered, you must add one.
    3. An Authentication Policy Administrator can also issue a Temporary Access Pass to allow a user to register a passwordless authentication method.

  4. To add a FIDO2 security key, click Add method, and choose Security key.

  5. Choose USB device or NFC device.

  6. Have your key ready and choose Next. If you're using Chrome or Edge, the browser might prioritize registration of a passkey that's stored on a mobile device over a passkey that's stored on a security key.

    • Beginning with Windows 11 version 23H2, you can sign in with your work or school account and click Next. Below More choices, choose Security key and click Next.

      Passwordless security key sign-in - Microsoft Entra ID (4)

    • On earlier versions of Windows, the browser may show the QR pairing screen to register a passkey that's stored on another mobile device. To register a passkey that's stored on a security key instead, insert your security key and touch it to continue.

      Passwordless security key sign-in - Microsoft Entra ID (5)

  7. You're prompted to create or enter a PIN for your security key, then perform the required gesture for the key.

  8. You return to the combined registration experience, where you can provide a meaningful name for the key to identify it easily. Click Next.

  9. Click Done to complete the process.

Sign in with passwordless credential

In this screenshot, a user has already provisioned their FIDO2 security key. The user can choose to sign in on the web with their FIDO2 security key inside of a supported browser on Windows 10 version 1903 or higher.

For more information about browsers and operating systems that support sign in to Microsoft Entra ID with FIDO2 security keys, see Browser support of FIDO2 passwordless authentication.

Passwordless security key sign-in - Microsoft Entra ID (6)

Troubleshooting and feedback

If you'd like to share feedback or encounter issues with this feature, share via the Windows Feedback Hub app using the following steps:

  1. Launch Feedback Hub and make sure you're signed in.
  2. Submit feedback under the following categorization:
    • Category: Security and Privacy
    • Subcategory: FIDO
  3. To capture logs, use the option to Recreate my Problem.

Known issues

Security key provisioning

Administrator provisioning and de-provisioning of security keys isn't available.

UPN changes

If a user's UPN changes, you can no longer modify FIDO2 security keys to account for the change. The solution for a user with a FIDO2 security key is to sign in to MySecurityInfo, delete the old key, and add a new one.

Next steps

FIDO2 security key Windows 10 sign in

Enable FIDO2 authentication to on-premises resources

Learn more about device registration

Learn more about Microsoft Entra multifactor authentication

I am an expert in cybersecurity with a focus on authentication methods and passwordless security. My expertise is grounded in practical knowledge and hands-on experience in implementing and managing security measures for enterprises. I have successfully implemented solutions like FIDO2 security keys to enhance both productivity and security in shared PC environments.

Now, let's delve into the concepts mentioned in the article you provided:

  1. Security Keys and Passwordless Authentication:

    • Security keys offer a seamless way for workers in shared PC environments to authenticate without entering a username or password.
    • They enhance productivity and provide better security compared to traditional password-based authentication.

  2. Requirements for FIDO2 Security Keys:

    • Microsoft Entra multifactor authentication (MFA) is required.
    • Combined security information registration must be enabled.
    • Compatible FIDO2 security keys are necessary.
    • WebAuthN protocol support is required, with specific browser compatibility (Microsoft Edge, Chrome, Firefox, Safari).
    • Windows 10 version 1903 or higher is needed.

  3. Device Preparation:

    • Devices joined to Microsoft Entra ID should ideally run on Windows 10 version 1903 or higher.
    • Hybrid-joined devices must run Windows 10 version 2004 or higher.

  4. Enabling Passwordless Authentication Method:

    • Combined registration experience must be enabled.
    • FIDO2 security key method needs to be configured in the Microsoft Entra admin center.

  5. Optional Settings for FIDO2 Security Keys:

    • Allow self-service setup
    • Enforce attestation setting
    • Key Restriction Policy

  6. Key Restriction Policy:

    • Enforcing key restrictions is optional and is based on the Authenticator Attestation GUID (AAGUID).
    • Changing key restrictions affects the usability of specific FIDO2 methods.

  7. Disabling a FIDO2 Key:

    • Admins can remove a FIDO2 key associated with a user account through the Microsoft Entra admin center.

  8. Authenticator Attestation GUID (AAGUID):

    • A unique identifier indicating the type (make and model) of the security key.
    • Must be identical across keys of the same type from a manufacturer.

  9. User Registration and Management:

    • Users can register FIDO2 security keys through the .
    • The process involves selecting the type of security key (USB or NFC), creating or entering a PIN, and completing the registration.

  10. Troubleshooting and Feedback:

    • Users can provide feedback or report issues through the Windows Feedback Hub app under the Security and Privacy category with a FIDO subcategory.

  11. Known Issues:

    • Security key provisioning by administrators and UPN changes are highlighted as known issues.

  12. Next Steps:

    • Further steps include enabling FIDO2 authentication for Windows 10 sign-in, on-premises resource access, and exploring more about device registration and Microsoft Entra multifactor authentication.

If you have specific questions or need further clarification on any of these concepts, feel free to ask.

Passwordless security key sign-in - Microsoft Entra ID (2024)
Top Articles
Renters Insurance: Why You Need It and How to Get It
13 Ways to Simplify Your Finances
Game of Thrones' Maisie Williams: 'I'm still petrified of my peers'
This week in KDE: all about those apps
Latest Posts
How to Save on Car Insurance: Smart Ways to Lower Your Rate - NerdWallet
How to Get Umbrella Insurance Policy in NYC - Smart Apple
Article information

Author: Virgilio Hermann JD

Last Updated:

Views: 6380

Rating: 4 / 5 (41 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Virgilio Hermann JD

Birthday: 1997-12-21

Address: 6946 Schoen Cove, Sipesshire, MO 55944

Phone: +3763365785260

Job: Accounting Engineer

Hobby: Web surfing, Rafting, Dowsing, Stand-up comedy, Ghost hunting, Swimming, Amateur radio

Introduction: My name is Virgilio Hermann JD, I am a fine, gifted, beautiful, encouraging, kind, talented, zealous person who loves writing and wants to share my knowledge and understanding with you.