As you may know, starting from Windows 11 23H2 and 22H2, this is listed as a known issue in the public doc below: https://learn.microsoft.com/en-us/entra/identity/authentication/fido2-compatibility#known-issues
The change was introduced via KB5032190: November 14, 2023—KB5032190 (OS Builds 22621.2715 and 22631.2715)
The end user will see this unavoidable prompt with passkey in front and has to choose security key below.
Then, talking about the prompt: you mentioned two kinds.
- Windows security prompt
- Browser prompt
1. For the Windows security prompt
Removing WHFB from the Windows security prompt
Disabling the WHFB policy will not remove the credentials already provisioned. You can remove the credentials for the user via "certutil -deleteHelloContainer".
Caution: removing WHFB credentials is a destructive operation and there is no way to reverse it. The user needs to provision the WHFB credentials again.
Removing the security key option from the Windows security prompt
There is a registry key in Windows that will remove the security key option at the Windows level, including the lock screen. These are the keys; either one may be added. You can remove it for testing. This registry change is reversible; it won't destroy credentials stored on FIDO2 keys.
The commonly used one:
REG ADD "HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey" /v UseSecurityKeyForSignin /t REG_DWORD /d 1 /f
I have heard of the one below as an alternative, but never tested it.
REG ADD "HKLM\SOFTWARE\policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 1 /f
2. For the browser prompt
Both the WHFB key and the FIDO2 key are treated as WebAuthn redirect-based authentication. That's why it combines both as a single choice there. So, at the browser level there is no way to remove just one of the two.
The good news is that there is an improvement in the pipeline for Chromium-based browsers not to show prompts for other credentials that are not available in the top list, by making the "WebAuthNAuthenticatorGetAssertion" call to learn the available credentials.
I saw a GitHub post about that call:
https://github.com/chromium/chromium/commit/6b3db1afad5684c2e186320f1743982a7e38eb04
Not sure what exact browser version includes those calls; the browser support team might know better than me.
If you happen to see this corrected in a newer browser version, this would be the reason in future.
If this helps, please mark this as an answer.
Feel free to let me know if you have any queries.
Thanks
-Nagappan V
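The two Windows-level steps in the answer above (the reversible registry removal and the destructive certutil container deletion), written up as an added PowerShell example. This script is not part of the original answer or of any Microsoft tooling; it assumes an elevated PowerShell session, uses only the two registry values and the certutil switch named in the answer, and the function names (Get-SecurityKeySigninState, Disable-SecurityKeySigninPrompt, Restore-SecurityKeySigninPrompt, Remove-HelloContainer) and the backup-file path are my own choices.

```powershell
# Added example, not code from the original answer. Assumes an elevated session.
# The two registry values below are the ones named in the answer; the second one
# is listed there as untested. Removing them is reversible and does not touch the
# credentials stored on the FIDO2 key itself.
$SecurityKeyValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'; Name = 'UseSecurityKeyForSignin' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FIDO';                         Name = 'EnableFIDODeviceLogon' }
)

function Get-SecurityKeySigninState {
    # Read-only check: report each value as present/absent with its current data.
    foreach ($v in $SecurityKeyValues) {
        $data = $null
        if (Test-Path $v.Path) {
            $data = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        }
        [pscustomobject]@{
            Path    = $v.Path
            Name    = $v.Name
            Present = ($null -ne $data)
            Data    = $data
        }
    }
}

function Disable-SecurityKeySigninPrompt {
    # Back up whatever is present to a JSON file (hypothetical path), then remove the value(s).
    param([string]$BackupFile = "$env:TEMP\securitykey-signin-backup.json")
    $state = @(Get-SecurityKeySigninState)
    $state | ConvertTo-Json | Set-Content -Path $BackupFile -Encoding UTF8
    foreach ($s in ($state | Where-Object Present)) {
        Remove-ItemProperty -Path $s.Path -Name $s.Name -Force
        Write-Host "Removed $($s.Path)\$($s.Name) (was $($s.Data)); backup at $BackupFile"
    }
}

function Restore-SecurityKeySigninPrompt {
    # Put the values back exactly as recorded in the backup file.
    param([string]$BackupFile = "$env:TEMP\securitykey-signin-backup.json")
    $state = @(Get-Content -Path $BackupFile -Raw | ConvertFrom-Json)
    foreach ($s in ($state | Where-Object Present)) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value ([int]$s.Data) -Force | Out-Null
        Write-Host "Restored $($s.Path)\$($s.Name) = $($s.Data)"
    }
}

function Remove-HelloContainer {
    # Destructive and irreversible, as the answer warns: the user must re-provision WHFB afterwards.
    # ConfirmImpact=High makes PowerShell prompt before certutil runs unless -Confirm:$false is passed.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    if ($PSCmdlet.ShouldProcess("Windows Hello container of $env:USERNAME", 'certutil -DeleteHelloContainer')) {
        certutil.exe -DeleteHelloContainer
    }
}

# Usage: start with the read-only check, then Disable-/Restore- as needed.
Get-SecurityKeySigninState | Format-Table -AutoSize
```

One caveat when testing this way: both paths live under the policy hives, so if the value is being delivered by Group Policy or MDM it will reappear at the next policy refresh; for a lasting change, turn it off at the policy source rather than deleting the value locally.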