A device-bound passkey is an advanced security feature implemented in Microsoft Authenticator. It is a unique security key that is tied to a specific device. When a user logs in to their account, they use this key to verify their identity. Since the key is bound to the device, no one else can access the user’s account, even if they know the password, unless they also have access to the device.

This technology provides a strong authentication method that is both cost-effective and user-friendly. Here are some advantages:

  • Phishing-Resistant: Device-bound passkeys are phishing-resistant
  • Device-Bound: The passkey doesn’t leave the device on which it was created
  • Cost-Effective: Microsoft Authenticator device-bound passkey come at no additional cost
  • No More Passwords: With passkeys, users don’t have to remember complex passwords
  • Ease of Use: The passkey is easy to use. Once set up, users just need to unlock their device and approve the notification

With this technology, users can effectively protect their digital identities and navigate securely in the digital world. It represents a significant step toward a safer digital future.

This article outlines the necessary configuration steps to rollout the Microsoft Authenticator device-bound passkey and create a passkey for a user.

At the time of publishing this article, Microsoft Authenticator device-bound passkey is still in the preview phase. The article will be continuously updated.

Table of contents hide
1 Prerequisites and Licensing
1.1 Licenses
1.2 User account
1.3 Devices
2 Enable passkey (FIDO2) authentication method
3 Set up Microsoft Authenticator device-bound passkey
3.1 Prepare Apple iPhone
3.2 Set up passkey for Apple iPhone
4 Sign in with device-bound passkey
5 Troubleshooting
5.1 Passkey setup gets stuck
5.1.1 Solution
5.2 Delete passkey
5.2.1 Delete passkey with access to device
5.2.2 Delete passkey without access to device

Prerequisites and Licensing

Licenses

For the use of Microsoft Authenticator device-bound passkey, no paid license is required. A license from Microsoft Entra ID Free is sufficient. This license is part of every Microsoft tenant.

User account

The user account that sets up the passkey is configured for multi-factor authentication.

Devices

Enable passkey (FIDO2) authentication method

The Passkey (FIDO2) authentication method is configured in the Microsoft Entra admin center.

Sign in to the Microsoft Entra admin center (https://entra.microsoft.com/) > Protection > Authentication methods > Policies and select FIDO2 security key.

Microsoft Entra I Authentication methods Policies

In the Enable and Target tab, toggle the Enable switch and select All Users.
If necessary, you can also add individual security groups.

Passkey FIDO2 Enable and Target

In the Configure tab, the following options can be set:

Allow self-service set up
This option must be enabled for users to set up the Microsoft Authenticator device-bound passkey.

Enforce attestation
This option ensures that security keys adhere to FIDO Alliance Metadata.
Note that the preview for Microsoft Authenticator device-bound passkey does not support this feature and should be disabled.

Enforce key restriction
This option must be enabled for using Microsoft Authenticator device-bound passkey during the preview phase.

Restrict specific keys
Add the following AAGUIDs:
Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f
Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84

Good to know:
If FIDO2 security keys are already in use and no restriction has been configured, the AAGUIDs of the FIDO2 security keys already in use should be added here.
YubiKey hardware FIDO2 AAGUIDs can be found here:
YubiKey Hardware FIDO2 AAGUIDs – Yubico

Passkey FIDO2 Settings

Click Save and then users can set up device-bound passkeys in Microsoft Authenticator.

Authentication methods policies
Sponsored Links

Set up Microsoft Authenticator device-bound passkey

Every user sets up the Microsoft Authenticator device-bound passkey independently. This guide explains how to set up a Microsoft Authenticator device-bound passkey for an Apple iPhone.

Prepare Apple iPhone

Install the latest version of Microsoft Authenticator on Apple iOS 17 or later.

 On the Apple iPhone, the following options must be configured under Settings > Passwords > Password Options:

  1. Enable AutoFill Passwords and Passkeys
  2. Use passwords and passkeys from: Authenticator
Apple iOS Password Options

Once the Apple iPhone is prepared, the passkey can be set up.

Set up passkey for Apple iPhone

The user sign in at https://aka.ms/mysecurityinfo and clicks on Security info > Add sign-in method.

Security info - add sign-in method

Select Passkey in Microsoft Authenticator and click on Add.

Passkey in Microsoft Authenticator (preview)

Click Next

Add a passkey for more secure sign-in (preview)

Select iPhone or iPad

Choose Mobile OS

Passkey support for Microsoft Authenticator has already been enabled and can be confirmed with Continue.

iOS AutoFill Passwords and Passkeys Continue

Click Next to set up the passkey.

iOS QR-Scanner

If necessary, select Microsoft Authenticator and click I understand.

Choose Microsoft Authenticator

Select iPhone, iPad or Android device.

iPhone, iPad or Android Device

Scan QR code
Important: Scan this QR code with the Apple iPhone Camera app, not with “Scan QR code” from the Microsoft Authenticator app.

Scan QR-Code

Continue with setting up the passkey on the Apple iPhone.

Device connected

Click Continue on the Apple iPhone and set up the passkey with it.

Security Info Save Passkey

The passkey has now been successfully set up on the Apple iPhone.

Passkey saved

Enter a friendly name for better identification of the passkey.

Passkey friendly name

The passkey has now been successfully set up and can be used.

Security info

Sign in with device-bound passkey

In services from Microsoft Azure, Microsoft 365, or Enterprise applications with Microsoft Entra ID authentication, select the Sign-in options.

Sign-in options

Select Face, fingerprint, PIN or security key

Face fingerprint PIN or security key

Select iPhone, iPad or Android device

iPhone iPad or Android device

Scan the QR code with camera.

QR-Code Sign-In

Confirm the sign in on the mobile by clicking Continue.
If multiple passkeys are stored in Microsoft Authenticator, the user account can be selected.

Choose Account

The sign-in with the Microsoft Authenticator device-bound passkey has been successfully completed.

Security Info

Troubleshooting

Passkey setup gets stuck

When setting up the Micosoft Authenticator device-bound passkey, the following message appears in the loop after clicking on I understand:

On your mobile device, when asked to create a passkey, choose Microsoft Authenticator.

Passkey Loop

Solution

The AAGUIDs for Microsoft Authenticator were not entered in the authentication methods of Microsoft Entra. Click here for the instructions.

Delete passkey

Delete passkey with access to device

Open Microsoft Authenticator and select the passkey to be deleted.

Authenticator App Passkey

Click Delete

Authenticator App Delete Passkey

Select Visit link and sign in.

Authenticator App Visit link

The security information is shown.
Select the passkey and delete it from the user account with Remove.

Security Info Remove Passkey
Delete passkey without access to device

If there is no longer access to the device with the Microsoft Authenticator device-bound passkey, the passkey can be removed from the personal security information.
Sign in to https://aka.ms/mysecurityinfo > Security info > passkey > Delete

Security Info Remove Passkey

Follow me on LinkedIn to always stay updated on my recent posts.

Follow on LinkedIn

Was this post helpful to you? Show your enthusiasm with the delightful aroma of a freshly brewed coffee for me!

Buy me a coffee

Sponsored Links