You can use security keys as a passwordless sign-in method within your organization. A security key is a physical device that's used with a unique PIN to sign in to your work or school account. Because security keys require you to have the physical device and something that only you know, they're considered a stronger verification method than a username and password.
If you don't see the security key option, it's possible that your organization doesn't allow you to use this option for verification. In this case, you'll need to choose another method or contact your organization's help desk for more assistance.
We currently support several designs and providers of security keys using the Fast Identity Online (FIDO2) passwordless authentication protocols. These keys allow you to sign in to your work or school account to access your organization's cloud-based resources when on a supported device and web browser.
Your administrator or your organization will provide you with a security key if they require it for your work or school account. There are different types of security keys you can use, for example a USB key that you plug into your device or an NFC key that you tap on an NFC reader. You can find out more information about your security key, including what type it is, from the manufacturer's documentation.
You must have a physical security key approved by your administrator or your organization. Your security key must be both FIDO2- and Microsoft-compliant. If you have any questions about your security key and whether it's compatible, contact your organization's help desk.
If you lose or no longer want to use a security key, you can delete the key from your security info. While this stops the security key from being used with your work or school account, the security key continues to store your data and credential information. To delete your data and credential information from the security key itself, follow the instructions in the "Reset a security key" section of this article.
If you want to delete all the account information stored on your physical security key, you must reset the key to its factory defaults. Resetting your security key deletes everything from the key, allowing you to start over.
Follow the on-screen instructions, based on your specific security key manufacturer. If your key manufacturer isn't listed in the on-screen instructions, refer to the manufacturer's site for more information.
This combination of ease of use, security, and broad industry support is going to be transformational both at home and in the modern workplace. Every month, more than 800 million people use a Microsoft account to create, connect, and share from anywhere to Outlook, Office, OneDrive, Bing, Skype, and Xbox Live for work and play. And now they can all benefit from this simple user experience and greatly improved security.
Unlike passwords, FIDO2 protects user credentials using public/private key cryptography. When you create and register a FIDO2 credential, the device (your PC or the FIDO2 device) generates a public/private key pair on the device. The private key is stored securely on the device and can only be used after it has been unlocked using a local gesture like a biometric or PIN. Note that your biometric or PIN never leaves the device. At the same time that the private key is stored, the public key is sent to the Microsoft account system in the cloud and registered with your user account.
How do Windows Hello and FIDO2 devices implement this? Based on the capabilities of your Windows 10 device, you will have either a built-in secure enclave, known as a hardware trusted platform module (TPM), or a software TPM. The TPM stores the private key, which requires your face, fingerprint, or PIN to unlock it. Similarly, a FIDO2 device, like a security key, is a small external device with its own built-in secure enclave that stores the private key and requires the biometric or PIN to unlock it. Both options offer two-factor authentication in one step, requiring both a registered device and a biometric or PIN to successfully sign in.
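The registration and sign-in flow described in the two paragraphs above, as an added Go example (this is not Microsoft's code; Authenticator, Register, Sign and Verify are names chosen here, and the hashed-PIN comparison is a constructed stand-in for the PIN handling a real key's secure element performs): the key pair is generated on the device, only the public key is handed to the account system, and a signature over the server's challenge is produced only after the PIN unlocks the private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the security key (or TPM): the private key is generated
// here, never exported, and only used once the local PIN gesture unlocks it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte // constructed stand-in for the device's own PIN check
}

// Register creates the P-256 key pair on the device and returns only the public half.
func (a *Authenticator) Register(pin string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.priv, a.pinHash = priv, sha256.Sum256([]byte(pin))
	return &priv.PublicKey
}

// Sign answers a challenge only if the PIN matches: device possession plus PIN, in one step.
func (a *Authenticator) Sign(pin string, challenge []byte) ([]byte, error) {
	if sha256.Sum256([]byte(pin)) != a.pinHash {
		return nil, fmt.Errorf("PIN rejected: private key stays locked")
	}
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, d[:])
}

// Verify is the account system's check: it needs only the registered public key and the challenge it issued.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	d := sha256.Sum256(challenge)
	return pub != nil && ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	key := &Authenticator{}
	pub := key.Register("1234") // registration: only this half leaves the device
	challenge := make([]byte, 32)
	rand.Read(challenge) // the cloud's fresh per-sign-in challenge (constructed here)
	sig, err := key.Sign("1234", challenge)
	fmt.Println("sign-in ok:", err == nil && Verify(pub, challenge, sig))
}
```

Because every sign-in uses a fresh random challenge, a signature captured from one sign-in does not verify for the next one, and a different key's signature does not verify against the public key registered for the account.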
We have tons of great things coming out as part of our efforts to reduce and even eliminate the use of passwords. We are currently building the same sign-in experience from a browser with security keys for work and school accounts in Azure Active Directory. Enterprise customers will be able to preview this early next year, where they will be able to allow their employees to set up their own security keys for their account to sign in to Windows 10 and the cloud.
I have an AAD tenant where security keys have been enabled for all users. When creating a user in AAD, setting up the key for that user, and then AAD-joining my PC, I can log in to my PC with the security key registered to that particular account.
However, if I invite an external user with a regular "@outlook" or "@hotmail" account to my AAD, I can't log in, since this user is not added to the "Microsoft Services" tenant and cannot access application '19db86c3-b2b9-44cc-b339-36da233a3be2' (My Access). Instead, I tried setting up the security key in account.microsoft.com for Microsoft accounts.
Since my PC is AAD-joined with the AAD user, the security key option is there during login, and with that I tried signing in to my "@hotmail" account on my PC with the security key I set up for that account. That seemed to work initially, until it finally said "You can't sign in with this account. Try another account".
By default, FIDO2 security keys are not available as an authentication method to users of your Azure AD tenant. When enabling the option, you can choose to enable it for all users or scope it to one or more groups. In the example shown, I scoped it to members of the FIDO2-Pilot-Users group.
This has been a long post, but hopefully the information in it can shed some light on how FIDO2 security keys work for SSO to on-premises and cloud resources, and make it easier to deploy this to your users.
1. Go to Settings > Accounts > Sign-in options.
2. Under Ways to sign in, go to Security key and click Manage.
3. After you click Manage, a window will pop up prompting you to insert your USB security key. Insert your USB security key or tap your NFC reader to verify your identity on your Windows 11 PC now.
4. Once your physical security key is connected, you can either change the Security Key PIN or Reset Security Key back to factory settings.
5. Click Close when you are finished.
When you use Windows Hello as a sign-in authentication method, you typically think about providing your face or your fingerprint for verification. But you could also use a FIDO2-compliant USB physical security key.
1. Go to Settings > Accounts > Sign-in options.
2. Under Ways to sign in, go to Security key and click Manage.
3. After you click Manage, a window will pop up prompting you to insert your USB security key. Insert your USB security key or tap your NFC reader to verify your identity on your Windows 11 PC now.
4. Once your USB security key is inserted and verified, you can either change the Security Key PIN or Reset Security Key to factory settings.
5. Click Close when you are finished.
Now, you can use your physical USB security key and PIN to sign in to your Microsoft account. Just plug the USB key into your PC, enter the PIN, and you will have access to your Microsoft account and PC in no time at all.
Did you know that you can sign in to your Microsoft account without a password? This passwordless sign-in feature is available to all Microsoft users. It is one of several ways of protecting your Microsoft account against unauthorized access. However, if you'd rather stick to your username and password, you're not alone.
You can also protect your Microsoft account via the Email a Code or Text a Code option. If you forget your password or if there's an unusual sign-in attempt from a new device or location, Microsoft will alert you via email or text.
This is done to confirm that it is actually you trying to sign in. If you travel or allow an app to sign in to your account, you'll also be alerted. This alert will be sent to all your alternate contact methods.
This works by prompting you to approve a sign-in request on your phone. Once set up, whenever you or someone else tries to sign in to your Microsoft account, a sign-in request will be sent to your Microsoft Authenticator app (free for Android and iOS devices).
One of the most secure ways to protect your Microsoft account is by using a security key such as a YubiKey. Your security key allows you to sign in to your Microsoft account without your username or password.
To check your sign-in activity, sign in to your Microsoft account and go to Security > View my activity. Sign me out is another way to protect your Microsoft account. If Microsoft suspects an unauthorized sign-in, within 24 hours, they'll sign you out of all your logged-in sessions across all devices except Xbox.
A Recovery Code can help you to regain access to your account if you happen to forget your sign-in info. You can print it out or keep a picture of it in a safe place. To generate a recovery code, go to Microsoft > Security > Advanced security options > Generate a new code (under the Additional security section). With these, you can safeguard your Microsoft account without using passwordless sign-in.