Enable passwordless security key sign in (preview)

For enterprises that use passwords today and have a shared PC environment, security keys provide a seamless way for workers to authenticate without entering a username or password. Security keys provide improved productivity for workers, and have better security.

This document focuses on enabling security key based passwordless authentication. At the end of this article, you will be able to sign in to web-based applications with your Azure AD account using a FIDO2 security key.

FIDO2 security keys are a public preview feature of Azure Active Directory. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews

Requirements

To use security keys for logging in to web apps and services, you must have a browser that supports the WebAuthN protocol. These include Microsoft Edge, Chrome, Firefox, and Safari.

Prepare devices for preview

Devices that you will be piloting with must be running Windows 10 version 1809 or higher. The best experience is on Windows 10 version 1903 or higher.

Enable passwordless authentication method

Enable the combined registration experience

Registration features for passwordless authentication methods rely on the combined registration preview. Follow the steps in the article Enable combined security information registration (preview), to enable the combined registration preview.

Enable FIDO2 security key method

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory > Security > Authentication methods > Authentication method policy (Preview).
  3. Under the method FIDO2 Security Key, choose the following options:
    1. Enable - Yes or No
    2. Target - All users or Select users
  4. Save the configuration.

User registration and management of FIDO2 security keys

  1. Browse to https://myprofile.microsoft.com.
  2. Sign in if not already.
  3. Click Security Info.
    1. If the user already has at least one Azure Multi-Factor Authentication method registered, they can immediately register a FIDO2 security key.
    2. If they don’t have at least one Azure Multi-Factor Authentication method registered, they must add one.
  4. Add a FIDO2 Security key by clicking Add method and choosing Security key.
  5. Choose USB device or NFC device.
  6. Have your key ready and choose Next.
  7. A box will appear and ask the user to create/enter a PIN for your security key, then perform the required gesture for the key, either biometric or touch.
  8. The user will be returned to the combined registration experience and asked to provide a meaningful name for the key so the user can identify which one if they have multiple. Click Next.
  9. Click Done to complete the process.

Sign in with passwordless credential

In the example below a user has already provisioned their FIDO2 security key. The user can choose to sign in on the web with their FIDO2 security key inside of a supported browser on Windows 10 version 1809 or higher.

Security key sign-in Microsoft Edge

Troubleshooting and feedback

If you would like to share feedback or encounter issues while previewing this feature, please share via the Windows Feedback Hub app.

  1. Launch Feedback Hub and make sure you're signed in.
  2. Submit feedback under the following categorization:
    1. Category: Security and Privacy
    2. Subcategory: FIDO
  3. To capture logs, use the option: Recreate my Problem

Known issues

Security key provisioning

Administrator provisioning and de-provisioning of security keys is not available in the public preview.

UPN changes

If a user’s UPN changes, you can no longer modify FIDO2 security keys to account for the change. The resolution is to reset the device and the user has to re-register their FIDO2 security keys.

Next steps

FIDO2 security key Windows 10 sign in

Enable FIDO2 authentication to on-premises resources

Learn more about device registration

Learn more about Azure Multi-Factor Authentication