30.11.2025

This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.


FIDO passkeys part 4 - using passkeys in Microsoft Authenticator

| Petr Bouška - Samuraj |
Passkeys have been generally available in Microsoft Entra ID since early 2025. Currently you can use device-bound passkeys stored on a FIDO2 security key or in the Microsoft Authenticator app (Windows Hello, which is also a passkey, is rarely mentioned in this context). In this article we show how users create and use passkeys in the Microsoft Authenticator app. Passkeys are a modern and more secure replacement for traditional passwords: they provide passwordless, phishing-resistant multi-factor authentication and are based on an asymmetric cryptographic key pair.

Introduction

In the previous parts of the series we described passkeys in theory, covered their use on the Windows and Android platforms and with Google accounts and personal Microsoft accounts, and looked at Microsoft Entra ID as it worked a year ago, when the Public Preview was released.

In today's article we focus on how users work with passkeys in the Microsoft Authenticator app together with their work account in Microsoft Entra ID. We demonstrate the whole process practically on the Windows platform and in the Microsoft Authenticator mobile app for Android.

What are passkeys

  • password replacement with more secure user verification
  • discoverable FIDO2 (WebAuthn) credentials
  • phishing-resistant passwordless multi-factor authentication
  • user verification is done with a PIN or biometrics, which never leave the device; they unlock the private key, which signs the challenge from the service; the signature is sent to the service and proves that the user holds the key

Using passkeys in Microsoft Authenticator

It is important to understand that a passkey stored in the Microsoft Authenticator app (on Android or iOS) is device-bound. It can be used to sign in on that mobile device or, under certain conditions, on another device within range, such as a Windows laptop (Cross-Device Authentication).

The two devices must be able to communicate over Bluetooth, which limits this method on many workstations (desktops are often not equipped with Bluetooth). For a Windows work computer it may be easier to use Windows Hello for Business, which is a passkey stored locally on the computer.

Enabling authentication using passkey (FIDO2) in Entra ID

Note: this brief introductory section is aimed at Entra ID administrators; the rest of the article is for users.

To use passkeys in Microsoft Authenticator, the Passkey (FIDO2) authentication method must be enabled and configured. The method was renamed from the original FIDO2 security key. The Microsoft Authenticator app on Android and iOS is attested, so Enforce attestation can be turned on; it is no longer necessary to enable Enforce key restrictions and list the AAGUID of Authenticator.

Enabling and configuring Passkey (FIDO2)

  • Microsoft Entra admin center - Protection - Authentication methods - Policies
  • select the Passkey (FIDO2) method
  • enable it and select either all users (All users) or only selected users using Security Groups (Select groups)
  • switch to Configure
  • set Allow self-service set up to Yes, so users can register passkeys
  • set Enforce attestation to Yes
  • set Enforce key restrictions to No (we can enable it and select only Microsoft Authenticator or certain FIDO2 Security keys)
  • save changes (Save)
Microsoft Entra admin center - Passkey (FIDO2)
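The same configuration can be applied through Microsoft Graph, which is handy when you want it scripted or auditable. The script below is an added example, not from the original article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin can consent to the Policy.ReadWrite.AuthenticationMethod scope. It reads the current Fido2 method configuration, writes the settings from the list above (enabled, self-service registration on, attestation enforced, key restrictions off, all users targeted) and verifies the result. The 'all_users' target id is the documented way to target everyone; replace it with a group object id to scope the method to a group.

```powershell
# Added example: configure the Passkey (FIDO2) authentication method via Microsoft Graph.
# Assumes the Microsoft.Graph SDK and Policy.ReadWrite.AuthenticationMethod consent.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'

# Current state before any change (Invoke-MgGraphRequest returns a hashtable).
$before = Invoke-MgGraphRequest -Method GET -Uri $uri
[pscustomobject]@{
    Phase               = 'before'
    State               = $before.state
    SelfServiceSetup    = $before.isSelfServiceRegistrationEnabled
    EnforceAttestation  = $before.isAttestationEnforced
    EnforceKeyRestrict  = $before.keyRestrictions.isEnforced
}

# Desired configuration, mirroring the admin center steps above:
#   state enabled, Allow self-service set up = Yes, Enforce attestation = Yes,
#   Enforce key restrictions = No (Authenticator is attested, so no AAGUID allow-list).
$body = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true
    keyRestrictions                  = @{
        isEnforced      = $false
        enforcementType = 'allow'   # only meaningful when isEnforced is $true
        aaGuids         = @()
    }
    includeTargets = @(
        @{
            id                     = 'all_users'   # or a security group object id (Select groups)
            targetType             = 'group'
            isRegistrationRequired = $false
        }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body

# Verify: re-read the policy and fail loudly if the key settings did not stick.
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
if ($after.state -ne 'enabled')               { throw 'Passkey (FIDO2) method is not enabled' }
if (-not $after.isSelfServiceRegistrationEnabled) { throw 'Self-service set up is still off' }
if (-not $after.isAttestationEnforced)        { throw 'Enforce attestation is still off' }
[pscustomobject]@{
    Phase               = 'after'
    State               = $after.state
    SelfServiceSetup    = $after.isSelfServiceRegistrationEnabled
    EnforceAttestation  = $after.isAttestationEnforced
    EnforceKeyRestrict  = $after.keyRestrictions.isEnforced
}
```

If you do want key restrictions (for example to allow only specific security key models next to Authenticator), set isEnforced to $true, keep enforcementType 'allow' and put the permitted AAGUIDs into aaGuids; with enforcementType 'block' the list becomes a deny-list instead.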

Entra ID authentication using passkey (FIDO2) in Microsoft Authenticator

Requirements

FIDO2 security key support is available from Windows 10 version 1903 for Microsoft Entra joined devices and from Windows 10 version 2004 for Microsoft Entra hybrid joined devices. Signing in with a passkey in Microsoft Authenticator (FIDO Cross-Device Authentication) requires Windows 11 23H2 (or a web browser that supports it).

To sign in on a computer with a passkey on a mobile device (Microsoft Authenticator), Bluetooth must be enabled and working on both devices, and the Authenticator app must be set as an additional passkey provider. This is supported only from Android 14 and iOS 17.

Setting up the Authenticator app as a passkey provider

To be able to use the Microsoft Authenticator application in the mobile operating system for authentication using passkeys, it is first necessary to set it up as a passkey provider.

Settings for Android

  • open settings (Settings app)
  • Passwords & Accounts
  • in the Additional providers section, enable Authenticator

On my Xiaomi 13 phone with HyperOS this item is not present in the menu (and cannot even be found by searching). A year ago I tested only on other phones. About 2 months ago an update to the Authenticator app arrived and showed a notice that I did not have the setting active. Its button opened the setting for me, which I could not find in the system.

Authenticator Android - passkey provider

Settings for iOS

  • open settings (Settings app)
  • open Passwords and select Password Options
  • Autofill Passwords and Passkeys must be enabled
  • in the Use Passwords and Passkeys From section, enable Authenticator

Registering a passkey in the Microsoft Authenticator app

There are many options for registering (creating) a passkey, but the easiest method is to create it directly on an Android or iOS device in the Microsoft Authenticator app. We can do this when adding a new account to Authenticator (described in the previous part) or add it to an existing account (described below).

  • Microsoft Authenticator
  • open our account and click on Create a passkey
  • for verification, we need to Sign in (using one of the available methods)
Authenticator Android - Create a passkey 1
  • to create a passkey, we use the screen lock
Authenticator Android - Create a passkey 2

Other registration options

  • on a mobile device in a browser on the My Security Info page
  • cross-device registration using a browser on a computer (My Security Info), which connects to the mobile device over Bluetooth; attestation must be disabled to use this method; when adding a passkey in Microsoft Authenticator, select Having trouble

Authentication methods management

Users manage their authentication methods via the web, within their account under Security Info. A passkey in My Security Info is marked with a passkey icon and the name Passkey (device bound) with the method listed as Microsoft Authenticator. The device is shown as Authenticator: Default Profile Android device.

Microsoft Security Info - Passkey (device bound)

Signing in to a work account using a passkey in Authenticator

Note: this section describes current behaviour in certain situations. Other options and more details can be found in previous parts of the series, for example FIDO passkeys part 2 - practical use of passkeys on Windows and Android. It is an older article, but much of it still applies.

Local passkey on Android device

This is signing in on an Android device using a passkey stored locally on it. The exact process varies depending on the device and browser. Firefox, which worked well for me in previous tests, does not offer the passkey option at all now. Chrome works well.

  • enter your email address (it may be stored and offered) or click on Sign-in options to use without a username
  • select the option Face, fingerprint, PIN or security key
  • an available passkey is offered (if you have multiple, then a selection), continue with the Continue button
  • use the screen lock (fingerprint, face scan, PIN) to access the passkey and you will be signed in
Android Sign-in local passkey

Signing in to a Windows device using an external passkey on an Android device

This is known as Cross-Device Authentication: we sign in using a passkey stored on a mobile device. The computer and the phone (or two phones) must both have Bluetooth and must be able to establish a connection. They do not need to be paired; a temporary Bluetooth connection is made automatically. On the Windows device Bluetooth must be active (it must not be disabled, and we must not be signed in to the computer over RDP). On the Android device Bluetooth can be off, but we will be prompted to turn it on.

  • enter your email address (it may be stored and offered) or click on Sign-in options to use without a username
  • select the option Face, fingerprint, PIN or security key
Signing in to a Microsoft account with a passkey without entering a username
  • select the option iPhone, iPad, or Android device
  • a (WebAuthn) QR code is displayed
Windows - Sign-in passkey - iPhone, iPad, or Android device
  • on the mobile device, open Microsoft Authenticator (in some cases, we can use the phone's camera directly or Google Lens)
  • in the bottom right corner, click on the icon for scanning a QR code
  • information appears that we should only connect to trusted devices, and an option to save the connection between these devices (so that you don't need to scan the QR code for future sign-ins), click on Connect devices
Authenticator Android - Scan QR Code
  • information appears on the computer that the devices are connected
Windows - Sign-in passkey - Device connected
  • an available passkey is offered (if you have multiple, then a selection), continue with the Continue button
  • use the screen lock (fingerprint, face scan, PIN) to access the passkey and you will be signed in
Android Sign-in passkey

Saved connection between devices

If we ticked remember connection during the previous sign-in, the linked device is saved in Windows under the registry key HKEY_USERS\S-1-5-20\Software\Microsoft\Cryptography\FIDO\(Account SID)\LinkedDevices. The sign-in process is then simpler.

  • select the option Face, fingerprint, PIN or security key
  • select the saved mobile device (in this case Xiaomi 13)
  • information appears that a notification has been sent to the device
Windows - Sign-in passkey - linked device
  • a connection notification pops up on the phone
Android Sign-in passkey - Connect devices
  • continue with the standard Connect devices, passkey selection, use of screen lock

Computer without Bluetooth

If we try to sign in with a passkey on a computer that has no Bluetooth, the option iPhone, iPad, or Android device is not offered. In general, only the options available on the given computer are offered. In the example below these are FIDO2 Security key and Windows Hello (This Windows device).

Windows - Sign-in passkey - Security key, Windows Hello
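The requirements above (Windows 11 23H2, a working Bluetooth radio, not an RDP session) and the saved LinkedDevices registry key are easy to check from PowerShell before a user opens a ticket. The script below is an added example, not from the original article; it assumes an elevated prompt (the S-1-5-20 hive is not readable by a standard user), that Windows 11 23H2 corresponds to build 22631, and that each linked phone is stored as one subkey under LinkedDevices. The value names inside those subkeys are not documented on this page, so the script only dumps whatever it finds.

```powershell
# Added example: preflight checks for FIDO cross-device authentication on a Windows
# client and a dump of the "remembered" linked devices from the registry.
# Assumptions: run elevated; Windows 11 23H2 = build 22631; one subkey per linked device.

function Test-CrossDeviceAuthReadiness {
    $result = [ordered]@{}

    # Windows build: below 23H2 the sign-in dialog has no "iPhone, iPad, or Android device" option.
    $build = [int](Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'CurrentBuildNumber')
    $result.WindowsBuild   = $build
    $result.BuildSupported = $build -ge 22631

    # Bluetooth radio present and enabled (Status OK); without it only local options are offered.
    $radios = @(Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue |
                Where-Object { $_.Status -eq 'OK' })
    $result.BluetoothDevices = $radios.Count
    $result.BluetoothReady   = $radios.Count -gt 0

    # Inside an RDP session the local Bluetooth stack is not usable for the flow.
    $result.RdpSession = [bool]($env:SESSIONNAME -like 'RDP-*')

    $result.Ready = $result.BuildSupported -and $result.BluetoothReady -and (-not $result.RdpSession)
    [pscustomobject]$result
}

function Get-FidoLinkedDevice {
    # HKU: is not mounted by default; map HKEY_USERS so the S-1-5-20 hive is reachable.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $root = 'HKU:\S-1-5-20\Software\Microsoft\Cryptography\FIDO'
    if (-not (Test-Path $root)) { return }

    # One subkey per account SID; each may contain a LinkedDevices subkey.
    foreach ($account in Get-ChildItem $root) {
        $linked = Join-Path $account.PSPath 'LinkedDevices'
        if (-not (Test-Path $linked)) { continue }
        foreach ($device in Get-ChildItem $linked) {
            [pscustomobject]@{
                AccountSid = $account.PSChildName
                DeviceKey  = $device.PSChildName
                Values     = ($device.GetValueNames() |
                              ForEach-Object { "$_=$($device.GetValue($_))" }) -join '; '
            }
        }
    }
}

Test-CrossDeviceAuthReadiness
Get-FidoLinkedDevice | Format-Table -AutoSize

# To forget a linked phone (the next sign-in asks for a fresh QR scan), delete its subkey:
#   Remove-Item "HKU:\S-1-5-20\Software\Microsoft\Cryptography\FIDO\<AccountSid>\LinkedDevices\<DeviceKey>" -Recurse
```

Deleting a LinkedDevices subkey is the practical way to revoke a remembered phone on a shared or repurposed computer; the passkey itself stays in Authenticator and in the user's Security Info, only the Bluetooth shortcut is removed.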

Signing in to Remote Desktop using a passkey

When we connect with Remote Desktop Connection (mstsc.exe) to a remote computer that is Microsoft Entra hybrid joined or Microsoft Entra joined, we can use Entra ID authentication, including passkeys (FIDO2).

The remote computer must be entered as a DNS name (FQDN), and on the Advanced tab the option Use a web account to sign in to the remote computer must be checked.

Remote Desktop Connection with FIDO2 - Use a web account to sign in

More information can be found in an older article Remote Desktop - connecting to a remote desktop.

Using passkeys on Remote Desktop

Remote Desktop Connection can redirect Web Authentication (WebAuthn) requests from the remote session to the local computer. When connected to a remote computer, this lets us use a FIDO2 security key plugged into the local device, Windows Hello, or even an external passkey stored on an Android device that connects to the local computer over Bluetooth.

In the connection settings, on the Local Resources tab under Local devices and resources, click More and check the option WebAuthn (Windows Hello or security keys).

Remote Desktop Connection WebAuthn (passkey) redirection
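Both checkboxes have .rdp file equivalents, so the connection can be prepared as a file and handed to users or launched from a script. The function below is an added example, not from the original article; it assumes the documented mstsc file settings enablerdsaadauth:i:1 (Use a web account to sign in to the remote computer) and redirectwebauthn:i:1 (WebAuthn (Windows Hello or security keys) redirection), and the host name pc01.corp.example.com is a placeholder. It refuses an IP address, because web account sign-in needs the FQDN of the remote computer.

```powershell
# Added example: write an .rdp file with Entra ID web-account sign-in and WebAuthn
# redirection enabled, then start mstsc with it. Host name below is a placeholder.
# Assumed settings: enablerdsaadauth:i:1 and redirectwebauthn:i:1 (documented mstsc options).

function New-PasskeyRdpFile {
    param(
        [Parameter(Mandatory)] [string] $ComputerFqdn,
        [string] $Path = (Join-Path $env:TEMP "$ComputerFqdn.rdp")
    )

    # Web account sign-in requires a DNS name: reject anything that parses as an IP
    # address or has no dot at all.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($ComputerFqdn, [ref]$ip) -or $ComputerFqdn -notmatch '\.') {
        throw "Enter the FQDN of the remote computer; '$ComputerFqdn' is not a DNS name."
    }

    $settings = @(
        "full address:s:$ComputerFqdn"
        'enablerdsaadauth:i:1'    # Advanced tab: Use a web account to sign in to the remote computer
        'redirectwebauthn:i:1'    # Local Resources > More: WebAuthn (Windows Hello or security keys)
    )
    # mstsc reads .rdp files as text; UTF-16 (Unicode) matches what mstsc itself saves.
    Set-Content -Path $Path -Value $settings -Encoding Unicode
    return $Path
}

$rdp = New-PasskeyRdpFile -ComputerFqdn 'pc01.corp.example.com'
Get-Content $rdp
Start-Process mstsc.exe -ArgumentList "`"$rdp`""
```

Leave redirectwebauthn at 1 only on computers you trust: it lets the remote session drive your local security key or phone passkey, which is exactly the behaviour you want for your own workstation and not something to enable by default on a kiosk.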

Related articles:

FIDO Authentication

FIDO authentication is based on the FIDO2 standard (WebAuthn and CTAP2). It brings a more secure option to log in to online services. It belongs to Passwordless MFA (multi-factor authentication without a password). At the same time, it increases the convenience of users (it supports the use of biometrics). These are, for example, Windows Hello for Business, FIDO2 security key and generally passkeys (access keys).

Azure AD / Entra ID identity and authentication

Articles related to user and device identity (not only) in Microsoft Entra ID. Different login and authentication options. Areas such as modern authentication, multi-factor authentication, password-less login, etc. Often involving the use of FIDO Authentication, for example using the FIDO2 security key or Windows Hello for Business.

If you want to write something about this article, use the comments.

Comments
  1. [1] Khalil ur Rehman

    Hi Petr Bouška,

    Thank you for this — it’s a masterpiece and an excellent article. It was extremely helpful in understanding and implementing passwordless authentication with the Microsoft Authenticator app.

    Wednesday, 15.10.2025 17:17