I am passionate about implementing strong authentication methods. This blog post will explore the new Entra ID Passkey in Authenticator, now in public preview.
Why Care For Passkey In Authenticator?
I’ve been using different types of FIDO2 keys for a long time to keep my accounts as secure as possible. I’ve tested various options, like USB keyrings, biometric keys, and even smartcard-sized FIDO keys, all of which I’ve documented in earlier blog posts.
Simon does Hack Your Security with One Trick: Strong Authentication
Simon does The Secret Weapon for Strong Authentication: FIDO Keys with Biometrics
Simon does FIDO2 Magic: Using the Offpad with Microsoft 365
These keys provide excellent security in my day-to-day work across different tenants. They also simplify things by eliminating the need to manage multiple passwords. In my experience, FIDO2 keys are secure and convenient, especially when using my biometric keys, which directly sign me in with my fingerprint.
However, the challenge is that these are still separate devices I need to carry around. While they’re designed to fit easily on a keyring or in a wallet, that feels outdated. I rarely carry those things anymore; now everything is on my phone! This is the one inconvenience with my physical FIDO keys: they get left at home. If I leave my phone behind, I will go back to get it. I’m therefore excited to test Entra ID Passkeys in the Microsoft Authenticator app on my phone.
What Options Are Available Before Passkey in Authenticator?
Before piloting the new passkey in Authenticator on my phone, let’s quickly review the available options for my tenant.
Looking in the Entra admin center at Authentication Methods, I already have passkeys enabled.
This was documented in my earlier blog post: Simon does Hack Your Security with One Trick: Strong Authentication (skotheimsvik.no)
If I follow aka.ms/mfasetup I still don’t have any option to add a passkey to my Authenticator app.
Looking at Authenticator on my phone, this looks like this before adding the passkey.
No passkey is listed by now in the Authenticator app.
Enable Passkey In Authenticator
To onboard the tenant to use the passkey in Authenticator, I need to edit the “Passkey (FIDO2)” Authentication method in Entra. In my previous blog post, I configured this for all users. Jumping to the Configure blade, I can now adapt this setup for passkey in Authenticator.
My initial settings were looking like this:
“Enforce Attestation” must be set to “No” while passkey in Authenticator is in preview.
The “Key Restriction Policy” must then be configured to enforce key restrictions for specific keys.
This will enable the option to select “Microsoft Authenticator (Preview)” which adds the AAGUIDs for the Authenticator app for iOS and Android:
iOS Microsoft Authenticator
90a3ccdf-635c-4729-a248-9b709135078f
257fa02a-18f3-4e34-8174-95d454c2e9ad
Android Microsoft Authenticator
de1e552d-db1d-4423-a619-566b625cdc84
b6879edc-2a86-4bde-9c62-c1cac4a8f8e5
⚠️NB!⚠️
This will block any other passkeys or FIDO2 keys already registered in your tenant!
To let users keep registering and using their existing passkeys, the corresponding AAGUIDs must be added to the allowed list as well. I described AAGUIDs in my previous blog, so I will not cover that today. Instead, I will cover how to review the AAGUIDs currently in use in your environment.
I have created a PowerShell script to query the tenant through Graph. The output will be a list of users with corresponding passkeys and a list of unique AAGUIDs to add to the configuration as allowed keys. The script is available on my GitHub:
<#
.SYNOPSIS
Script to investigate passkeys in use in Entra ID
.DESCRIPTION
The script will connect to Microsoft Graph and retrieve user registration details for passkey device-bound methods.
This script will list all the unique AaGuids for FIDO2 methods in use in Entra ID.
It will then retrieve the unique AaGuids for FIDO2 methods and output them in a table format with details on each user having passkeys.
.PARAMETER None
This script does not accept any parameters.
.NOTES
Author: Simon Skotheimsvik
Info: https://skotheimsvik.no
Creation Date: 2024.08.19
Version history:
1.0 - (2024.08.19) Script released, Simon Skotheimsvik
#>
#region Connect
# Install the Microsoft Graph module (once)
# Install-Module Microsoft.Graph
# Connect to Microsoft Graph with the required read-only scopes
Connect-MgGraph -Scopes AuditLog.Read.All, UserAuthenticationMethod.Read.All
#endregion
#region Get Users
# Retrieve registration details for every user with a device-bound passkey registered
$users = Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "methodsRegistered/any(i:i eq 'passKeyDeviceBound')" -All
$userIds = $users.Id
#endregion
#region Unique AaGuids
# Get the unique AaGuids for FIDO2 methods across all of those users
$aaGuids = $userIds | ForEach-Object { Get-MgUserAuthenticationFido2Method -UserId $_ -All } | Select-Object -ExpandProperty AaGuid -Unique
# Output the unique AaGuids (this is the list to add as allowed keys in the Passkey (FIDO2) policy)
Write-Host "Unique AaGuids for FIDO2 methods in use in Entra ID:" -ForegroundColor Green
$aaGuids
#endregion
#region User Passkey Details
# Initialize an array to store the results
$result = @()
# Loop through each user and get their FIDO2 methods
foreach ($user in $users) {
    $fidoMethods = Get-MgUserAuthenticationFido2Method -UserId $user.Id -All
    foreach ($method in $fidoMethods) {
        $result += [PSCustomObject]@{
            Username        = $user.UserPrincipalName
            DisplayName     = $user.DisplayName
            AaGuid          = $method.AaGuid
            Model           = $method.Model
            KeyDisplayName  = $method.DisplayName   # the name the user gave the passkey
            CreatedDateTime = $method.CreatedDateTime
        }
    }
}
# Output the results in a table format
Write-Host "User passkey details in Entra ID:" -ForegroundColor Green
$result | Format-Table -AutoSize
#endregion
This script’s first output will be the AAGUIDs for passkeys already registered in my tenant. You must manually add this list of AAGUIDs to the list of allowed AAGUIDs in your Passkey (FIDO2) settings.
The second output from the script is a list of users with their registered passkeys. Each entry also includes the AAGUID and the passkey model. As seen in the list below, you will find both Feitian and Yubikey with their corresponding AAGUIDs.
When you are confident you have all existing AAGUIDs alongside the new Microsoft Authenticator AAGUIDs, you can save the new Passkey (FIDO2) settings.
You should test any existing passkeys to ensure you didn’t break anything.
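As an added example (not the post’s own script), here is a pre-flight check for the warning above: it reads the tenant’s current Passkey (FIDO2) key restriction policy through Graph, merges the AAGUIDs already on it with the four Authenticator AAGUIDs listed earlier, and reports every user whose registered passkey would be blocked by that allow list before you save the policy. It assumes the Microsoft.Graph module, Policy.Read.All in addition to the script’s scopes, and the documented keyRestrictions payload shape (isEnforced, enforcementType, aaGuids).

```powershell
# Added example (not the post's script): "what would break" check before saving the
# Passkey (FIDO2) key restriction policy. Assumes the Microsoft.Graph module and the
# documented keyRestrictions shape: { isEnforced, enforcementType (allow|block), aaGuids }.
Connect-MgGraph -Scopes Policy.Read.All, AuditLog.Read.All, UserAuthenticationMethod.Read.All

# The four Microsoft Authenticator AAGUIDs from the post (iOS first, then Android).
$authenticatorAaGuids = @(
    '90a3ccdf-635c-4729-a248-9b709135078f', '257fa02a-18f3-4e34-8174-95d454c2e9ad',
    'de1e552d-db1d-4423-a619-566b625cdc84', 'b6879edc-2a86-4bde-9c62-c1cac4a8f8e5'
)

# Current Passkey (FIDO2) configuration, including any AAGUIDs already on the allow list.
$fido2 = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'
$restrictions = $fido2.keyRestrictions
Write-Host ("Key restrictions: isEnforced={0} enforcementType={1}" -f $restrictions.isEnforced, $restrictions.enforcementType)

# Candidate allow list = what is configured today + the Authenticator AAGUIDs (compared case-insensitively).
$candidateAllowList = (@($restrictions.aaGuids) + $authenticatorAaGuids) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique

# Every registered FIDO2/passkey method, flagged if its AAGUID is not on the candidate allow list.
$users = Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "methodsRegistered/any(i:i eq 'passKeyDeviceBound')" -All
$wouldBeBlocked = foreach ($user in $users) {
    foreach ($method in Get-MgUserAuthenticationFido2Method -UserId $user.Id -All) {
        $aaguid = "$($method.AaGuid)".ToLowerInvariant()
        if ($candidateAllowList -notcontains $aaguid) {
            [PSCustomObject]@{
                Username = $user.UserPrincipalName
                Model    = $method.Model
                AaGuid   = $aaguid
            }
        }
    }
}

if ($wouldBeBlocked) {
    Write-Host "AAGUIDs that must be added to the allow list before saving the policy:" -ForegroundColor Yellow
    $wouldBeBlocked.AaGuid | Select-Object -Unique
    Write-Host "Users whose passkeys would stop working otherwise:" -ForegroundColor Yellow
    $wouldBeBlocked | Format-Table -AutoSize
} else {
    Write-Host "Every registered passkey is covered by the allow list; safe to save." -ForegroundColor Green
}
```

Run it again after saving the policy with the tenant’s live aaGuids list only (drop the Authenticator array) to confirm nothing was left out.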
Experience Passkey In Authenticator On iOS
All is now good in the hood, and I am ready to onboard my first passkey in Authenticator.
Onboard Passkey In Authenticator
There are many options for adding a passkey in Authenticator. For this demo, I will use a cross-device registration. Navigating to https://aka.ms/mfasetup on my computer, I now have the option to add a “Passkey in Microsoft Authenticator” as a new sign-in method.
Select the “Passkey in Microsoft Authenticator (preview)” and click Add.
Here you see some of the requirements to run at least Android 14 or iOS 17 with the latest Authenticator installed. Click Next to continue.
Select the device you will use. In my case, I go with the iPhone option.
Read the instructions for setting Microsoft Authenticator as the passkey provider in iOS.
In iOS 17 and below, only one third-party password manager can be used in addition to iCloud Keychain.
Ensure Bluetooth is enabled on your computer and your iPhone.
In the following picture, I select to save my passkey on the iPhone.
This brings up the QR code for saving the passkey on the iPhone.
You need to scan this QR code with the phone’s camera app (or any other QR code scanner). You are not using the Authenticator app for this, as you would when adding Microsoft Authenticator as an MFA method. Hold the camera towards the QR code and click the “Save a passkey” button in the camera window.
Select Continue on your phone to create the passkey in Authenticator. You will now get information that the passkey is saved.
You can now give the passkey a descriptive name for your own reference.
This concludes the passkey creation.
The passkey will be included in your security info list.
I can now find the passkey in Authenticator on my iPhone.
As seen in the passkey details, this is a device-bound passkey. Therefore, it will not sync to other devices through the Authenticator backup.
Use Passkey In Authenticator To Sign In
I can now use my passkey in Authenticator to sign in securely to Microsoft 365, starting at portal.office.com by entering my username.
Now, I have the option to sign in with my passkey, which is the one on my iPhone.
This gives me a QR code I can scan with the camera app on my iPhone holding the passkey in Authenticator. I can then click the “Sign in with a passkey” button showing up in the camera app.
The webpage says my iPhone is connected (through Bluetooth).
I can now continue the authentication on my iPhone and verify I am the correct user by FaceID, meaning I have biometric control!
Doing so gave me easy and secure access to my portal using the passkey in Authenticator.
Experience Passkey In Authenticator On Android
This post initially only covered iOS. Upon request, I will also cover how the passkey in Authenticator is experienced on Android devices.
Onboard Passkey In Authenticator
While I covered cross-device registration for iOS, I will use “same device registration using direct sign-in to Authenticator” as a pilot example for Android.
This starts with an updated Authenticator on Android 14 or newer. Click on the “+” button to add a new “Work or school account” by “Sign in”.
Complete your login with username, password and MFA.
Follow the Wizard to set up passkey in Authenticator.
One part of the wizard is to ensure Authenticator is turned on as an autofill service in Android.
Once finished, the passkey is found in Authenticator. For Android, there is a separate QR code scanner button in the passkey, used to scan the QR code upon signing in.
I tried to use the camera and QR scanners on the Android but with no luck. I had to use the scanner in the Authenticator app. Overall, I found the Android route more bumpy than the iOS one.
All Green or Are There Hidden Surprises?
When running a test like this, everything looks green, but might some brown surprises be hidden in the grass? After all, I do have a dog…
Bluetooth Is Off – Will It Break?
I suspected a test with Bluetooth disabled on my iPhone would break the flow. This was not the case since iOS and Authenticator were clever enough to enable Bluetooth on my phone for authentication. It was very smooth and elegant!
A test with Bluetooth disabled on my computer also gave me enough information to see the challenge and easily fix the missing bits.
This could have been a typical pitfall, but it was elegantly resolved in iOS and Windows 11.
Authenticator Not Active In iOS Password Options – Will It Break?
Another pitfall is that users have other third-party password managers active under Password Options in the iOS Settings. This could look like this:
With the limitation in iOS, the Authenticator will be disabled if a user selects 1Password, Bitwarden, or any other third-party password manager. This is a known and highly discussed feature.
After testing with the Authenticator disabled, the iPhone login process tells me that I don’t have any passkeys saved for this website and displays the name of the active password manager. This is not as clear and self-healing as the Bluetooth test, especially for users who don’t clearly understand the passkey in Authenticator.
iOS18 To The Rescue?
Since I have seen rumors that Apple will open up to more active password managers, I decided to be brave and upgrade my phone to iOS 18 Public Beta.
After this wild and crazy stunt, I found the password managers in the iOS Settings app under General—AutoFill & Passwords. Now, I can have the Authenticator and another third-party password manager active simultaneously!
I can now enable AutoFill for up to three apps!
I can now log in successfully to Microsoft 365 using the passkey in Authenticator while my third-party password manager works side-by-side. The passkey also survived the iOS upgrade.
Requirements
The following are the requirements for running passkey in Authenticator:
Microsoft Entra MFA
iOS 17 or later, or Android 14 or later
The latest version of the Authenticator app
Bluetooth on both devices if you plan to use cross-device authentication
Wrap Up
Now that I have the passkey in Authenticator on my iPhone, I’m confident I’ll always have it with me, even when I’m away from my home office desk. No more forgetting physical keys at home! This is particularly useful when I need strong authentication for Conditional Access policies, as described in the following blog: Simon does Hack Your Security with One Trick: Strong Authentication (skotheimsvik.no)
However, I don’t think this will completely replace the need for physical FIDO keys. A new scenario is emerging as Microsoft enforces MFA for all accounts accessing Azure portals starting on October 15, 2024. This will also apply to your emergency access accounts (also known as Break Glass Accounts), and physical FIDO keys are the best way to secure these. The days of relying on super-long passwords written on two pieces of paper are over.
This post dives into the latest and greatest of strong authentication with the passkey in Authenticator Preview and iOS 18 beta. You can soon say goodbye to outdated security methods—the future is here, and it’s time to upgrade or get left behind.
External References
- What’s new? Public Preview – Passkeys in Microsoft Authenticator – Microsoft Entra | Microsoft Learn
- How to enable passkeys in Microsoft Authenticator for Microsoft Entra ID (preview) – Microsoft Entra ID | Microsoft Learn
- Register passkeys in Authenticator on Android and iOS devices in MySecurityInfo (preview) – Microsoft Entra ID | Microsoft Learn
- Passkeys in Authenticator FAQs (preview) – Microsoft Entra ID | Microsoft Learn