Enable passwordless security key sign-in (preview)
For enterprises that use passwords today and have a shared PC environment, security keys provide a seamless way for workers to authenticate without entering a username or password. Security keys improve worker productivity and provide better security.
This document focuses on enabling security key-based passwordless authentication. At the end of this article, you will be able to sign in to web-based applications with your Azure AD account using a FIDO2 security key.
- Azure AD Multi-Factor Authentication
- Enable Combined security information registration preview
- Compatible FIDO2 security keys
- WebAuthN requires Windows 10 version 1903 or higher
To use security keys for logging in to web apps and services, you must have a browser that supports the WebAuthN protocol. These include Microsoft Edge, Chrome, Firefox, and Safari.
Prepare devices for preview
For Azure AD joined devices, the best experience is on Windows 10 version 1903 or higher.
Hybrid Azure AD joined devices must run Windows 10 version 2004 or higher.
Enable passwordless authentication method
Enable the combined registration experience
Registration features for passwordless authentication methods rely on the combined registration feature. To enable combined registration, follow the steps in the article Enable combined security information registration (preview).
Enable FIDO2 security key method
- Sign in to the Azure portal.
- Browse to Azure Active Directory > Security > Authentication methods > Authentication method policy (Preview).
- Under the method FIDO2 Security Key, choose the following options:
  - Enable - Yes or No
  - Target - All users or Select users
- Save the configuration.
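To confirm that the saved policy matches the Enable and Target choices above, the following added example (not part of the original article or Microsoft's own tooling) audits a policy exported as JSON. It assumes the export has the shape of the Microsoft Graph `fido2AuthenticationMethodConfiguration` resource; the sample policy, the group ids and the function names are constructed for illustration.

```python
import json

# Constructed sample, not a real tenant export. Assumed shape: the Microsoft
# Graph fido2AuthenticationMethodConfiguration resource.
SAMPLE_POLICY = json.loads("""
{
  "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
  "state": "disabled",
  "includeTargets": [
    {"targetType": "group", "id": "11111111-1111-1111-1111-111111111111"}
  ]
}
""")

ALL_USERS = "all_users"  # id Graph uses for the "All users" target


def audit_fido2(policy, required_groups=()):
    """Compare an exported policy with the portal choices Enable and Target.

    required_groups: group object ids that must be able to register keys
    (hypothetical rollout list supplied by the caller).
    """
    findings = []
    if policy.get("state") != "enabled":
        findings.append("Enable is not Yes: state=%r" % policy.get("state"))
    included = {t.get("id") for t in policy.get("includeTargets") or []}
    if not included:
        findings.append("Target is empty: nobody can register a key")
    elif ALL_USERS not in included:
        for gid in sorted(set(required_groups) - included):
            findings.append("Target omits required group %s" % gid)
    return findings


def desired_config(group_ids=None):
    """Build the body that matches Enable = Yes with the chosen Target."""
    ids = list(group_ids) if group_ids else [ALL_USERS]
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled",
        "includeTargets": [{"targetType": "group", "id": i} for i in ids],
    }


if __name__ == "__main__":
    for line in audit_fido2(SAMPLE_POLICY, ["22222222-2222-2222-2222-222222222222"]):
        print("FINDING:", line)
    print(json.dumps(desired_config(), indent=2))
```

An empty findings list means the exported policy is enabled and covers every group in the rollout list.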
User registration and management of FIDO2 security keys
- Browse to https://myprofile.microsoft.com.
- Sign in if you have not already.
- Click Security Info.
  - If the user already has at least one Azure AD Multi-Factor Authentication method registered, they can immediately register a FIDO2 security key.
  - If they don't have at least one Azure AD Multi-Factor Authentication method registered, they must add one.
- Add a FIDO2 Security key by clicking Add method and choosing Security key.
- Choose USB device or NFC device.
- Have your key ready and choose Next.
- A box will appear and ask the user to create or enter a PIN for their security key, then perform the required gesture for the key, either biometric or touch.
- The user will be returned to the combined registration experience and asked to provide a meaningful name for the key, so that they can tell their keys apart if they have more than one. Click Next.
- Click Done to complete the process.
Sign in with passwordless credential
In this example, a user has already provisioned their FIDO2 security key. The user can choose to sign in on the web with their FIDO2 security key in a supported browser on Windows 10 version 1903 or higher.
Troubleshooting and feedback
If you'd like to share feedback or encounter issues while previewing this feature, share via the Windows Feedback Hub app using the following steps:
- Launch Feedback Hub and make sure you're signed in.
- Submit feedback under the following categorization:
  - Category: Security and Privacy
  - Subcategory: FIDO
- To capture logs, use the option to Recreate my Problem.
Security key provisioning
Administrator provisioning and de-provisioning of security keys is not available in the public preview.
We are working on supporting a feature that allows UPN change on hybrid Azure AD joined and Azure AD joined devices. If a user's UPN changes, you can no longer modify FIDO2 security keys to account for the change. The resolution is to reset the device and have the user re-register.