Problems adding Security Key (FIDO2)

Max Mägele 0 Reputation points
2024-09-27T11:49:15.0866667+00:00

Hello everyone,

We have recently set up security keys (FIDO2) in our company for employees who do not want to set up the MS Authenticator on their private smartphone.

Setting up the keys also worked without any problems and we were able to put them into operation successfully.

Yesterday, when we created a new test account, we wanted to set up a security key first. However, we always get the error message “To set up a security key, you need to sign in with two-factor authentication.”

This is problematic due to the employees who do not want to set up the authenticator, as we have not set up other methods such as SMS for security reasons.

Does anyone here have an idea why we are getting this error?

Thanks

Best Regards

Max


1 answer

  1. Akhilesh Vallamkonda 10,150 Reputation points Microsoft Vendor
    2024-10-03T14:12:02.98+00:00

    Hi @Max Mägele

    Thank you for your post!

    As I understand it, you want end users to register a FIDO2 security key as a sign-in method without needing to install the Microsoft Authenticator app.

    As far as I know, it's not possible. You must register the Authenticator app first and then FIDO2, but the Authenticator couldn't be removed as it is a backup method. However, you could use authentication strengths to enforce FIDO2 - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths

    The same is documented under the requirements section - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2

    However, I have found a document where you can use an Entra ID Temporary Access Pass (TAP) to onboard the user. Using this method, the TAP will satisfy the MFA requirement. Users can use a TAP to register passwordless methods such as Windows Hello, FIDO2 keys, and the Microsoft Authenticator app. Could you please try this as per the document below and see if you can achieve your task; if you are unable to, you must register the Authenticator app first.

    https://techcommunity.microsoft.com/t5/microsoft-entra-blog/passwordless-authentication-is-now-generally-available/bc-p/2954523#:~:text=of%20authentication%20methods.-,Temporary%20Access%20Pass,-Of%20course%2C%20to

    Onboard FIDO2 keys using Temporary Access Pass in Entra ID

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further queries, do let us know.
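The TAP-based onboarding flow the answer points to, written out as an added example (this is not code from the thread, from Microsoft, or from the linked documents). It uses the Microsoft Graph PowerShell SDK: it first confirms that the Temporary Access Pass method is enabled in the tenant's authentication methods policy, then issues a short-lived, single-use TAP for the new account, and finally lists the FIDO2 methods on the account so you can confirm the key was registered. The user principal name, the lifetime and the required-role assumptions are placeholders; the admin running it needs a role that can manage authentication methods (for example Privileged Authentication Administrator).

```powershell
# Added example (not from the original thread): onboard a FIDO2 security key with a
# Temporary Access Pass (TAP) so the new user never has to enrol Microsoft Authenticator.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the signed-in admin holds a role
# allowed to manage authentication methods; $UserId is a placeholder UPN.

param(
    [string]$UserId            = "new.testuser@contoso.example",  # placeholder UPN
    [int]   $LifetimeInMinutes = 60                               # keep the window short
)

# Scopes: create/read the user's auth methods, and read the authentication methods policy.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "Policy.Read.All"

# 1. A TAP can only be issued when the method is enabled in the authentication methods
#    policy (Entra admin center > Protection > Authentication methods > Temporary Access Pass).
$tapConfig = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass"

if ($tapConfig.State -ne "enabled") {
    throw "Temporary Access Pass is '$($tapConfig.State)' in the authentication methods policy; enable it (and target the user) first."
}

# 2. Issue a one-time TAP. isUsableOnce limits the blast radius if the pass leaks:
#    it is consumed by the single sign-in during which the FIDO2 key is registered.
$tapBody = @{
    lifetimeInMinutes = $LifetimeInMinutes
    isUsableOnce      = $true
}
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -BodyParameter $tapBody

Write-Host "TAP for $UserId (valid $($tap.LifetimeInMinutes) min from $($tap.StartDateTime), single use):"
Write-Host "  $($tap.TemporaryAccessPass)"
Write-Host "Hand this to the user out of band. They sign in at https://aka.ms/mysecurityinfo with the TAP,"
Write-Host "which satisfies the MFA requirement, and add 'Security key' there."

# 3. After the user has registered the key, confirm that a FIDO2 method now exists on the
#    account. An empty result means the registration did not complete.
$fido2 = Get-MgUserAuthenticationFido2Method -UserId $UserId
if (-not $fido2) {
    Write-Warning "No FIDO2 security key is registered for $UserId yet."
} else {
    $fido2 | Select-Object DisplayName, Model, AttestationLevel, CreatedDateTime | Format-Table -AutoSize
}
```

Because the TAP itself is a credential, treat the value printed in step 2 as you would a password: deliver it through a channel you already trust, keep the lifetime to the time the user actually needs, and prefer the single-use setting so a pass that is intercepted after registration has no remaining value. Step 3 is the check to run before assuming the employee can sign in without the Authenticator app.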

