Passwordless security key sign (preview) - Azure Active Directory
Enable passwordless security key sign-in to Azure AD using FIDO2 security keys (preview)
Enable passwordless security key sign in (preview)
For enterprises that use passwords today and have a shared PC environment, security keys provide a seamless way for workers to authenticate without entering a username or password. Security keys provide improved productivity for workers, and have better security.
This document focuses on enabling security key based passwordless authentication. At the end of this article, you will be able to sign in to web-based applications with your Azure AD account using a FIDO2 security key.
- Azure Multi-Factor Authentication
- Combined security information registration preview
- Compatible FIDO2 security keys
- WebAuthN requires Windows 10 version 1809 or higher**
To use security keys for logging in to web apps and services, you must have a browser that supports the WebAuthN protocol. These include Microsoft Edge, Chrome, Firefox, and Safari.
Prepare devices for preview
Devices that you will be piloting with must be running Windows 10 version 1809 or higher. The best experience is on Windows 10 version 1903 or higher.
Enable passwordless authentication method
Enable the combined registration experience
Registration features for passwordless authentication methods rely on the combined registration preview. Follow the steps in the article Enable combined security information registration (preview), to enable the combined registration preview.
Enable FIDO2 security key method
- Sign in to the Azure portal.
- Browse to Azure Active Directory > Security > Authentication methods > Authentication method policy (Preview).
- Under the method FIDO2 Security Key, choose the following options:
- Enable - Yes or No
- Target - All users or Select users
- Save the configuration.
User registration and management of FIDO2 security keys
- Browse to https://myprofile.microsoft.com.
- Sign in if not already.
- Click Security Info.
- If the user already has at least one Azure Multi-Factor Authentication method registered, they can immediately register a FIDO2 security key.
- If they don’t have at least one Azure Multi-Factor Authentication method registered, they must add one.
- Add a FIDO2 Security key by clicking Add method and choosing Security key.
- Choose USB device or NFC device.
- Have your key ready and choose Next.
- A box will appear and ask the user to create/enter a PIN for your security key, then perform the required gesture for the key, either biometric or touch.
- The user will be returned to the combined registration experience and asked to provide a meaningful name for the key so the user can identify which one if they have multiple. Click Next.
- Click Done to complete the process.
Sign in with passwordless credential
In the example below a user has already provisioned their FIDO2 security key. The user can choose to sign in on the web with their FIDO2 security key inside of a supported browser on Windows 10 version 1809 or higher.
Troubleshooting and feedback
If you would like to share feedback or encounter issues while previewing this feature, please share via the Windows Feedback Hub app.
- Launch Feedback Hub and make sure you're signed in.
- Submit feedback under the following categorization:
- Category: Security and Privacy
- Subcategory: FIDO
- To capture logs, use the option: Recreate my Problem
Security key provisioning
Administrator provisioning and de-provisioning of security keys is not available in the public preview.
If a user’s UPN changes, you can no longer modify FIDO2 security keys to account for the change. The resolution is to reset the device and the user has to re-register their FIDO2 security keys.