register FIDO2 security key as sign in method without the need to install Microsoft Authenticator app

Vladyslav Bondarchuk 40 Reputation points
2024-04-18T17:43:59.06+00:00

Hello,

Here's briefly about policies across the tenant:

  1. Enabled FIDO2 security key as sign-in method for the user under. FIDO2 is the only enabled sign-in method for this user.
  2. Disabled Windows Hello for Business using Intune configuration profile.
  3. The user is excluded from Registration campaign and System preferred multifactor authentication.

I am testing with a new account how to register FIDO2 without registering Microsoft Authenticator app.

  1. I signed in to https://mysignins.microsoft.com/security-info with the new account.
  2. I'm asked to register phone number or email to keep account secure (I believe it's part of the SSPR policy), which is ok.
  3. Next, I'm trying to add a new sign-in method and choose security key. I am asked to sign in with two-factor authentication.
  4. When I click next, I'm prompted with "Keep your account secure" window that looks like this (see attached)

How do I bypass this? The goal is to register FIDO2 security key as sign in method without the need to install Microsoft Authenticator app. Implementing Temporary Access Pass is not an option for our use case.


Accepted answer
Givary-MSFT 28,061 Reputation points Microsoft Employee
2024-04-23T05:26:50.0433333+00:00

@Vladyslav Bondarchuk Thank you for reaching out to us. As I understand, you want end users to register a FIDO2 security key as sign-in method without the need to install the Microsoft Authenticator app.

As far as I know, it's not possible. You must register the Authenticator app first and then FIDO2, but the Authenticator couldn't be removed as it is a backup method. But you could use authentication strength to enforce FIDO2 - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths

The same has been documented under the requirements section - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.
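The accepted answer points to authentication strengths as the way to enforce FIDO2 once the key is registered. An admin verifying that state across the tenant would want to see (a) which methods a given user actually has registered and (b) which authentication strength policies would accept only a FIDO2 key. The script below is an added example, not part of the question or the accepted answer, and it is not Microsoft's own sample. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns`) is installed and that the signed-in admin has the `UserAuthenticationMethod.Read.All` and `Policy.Read.All` permissions; `$UserPrincipalName` is a value you supply.

```powershell
<#
  Added example: report a user's registered FIDO2 / Authenticator methods and
  list authentication strength policies that include the "fido2" combination.
  Not from the question or the accepted answer. Assumes the Microsoft.Graph
  PowerShell SDK and the Graph permissions named in the lead-in.
#>
param(
    # Placeholder: the UPN of the account you are checking, e.g. the test user.
    [Parameter(Mandatory)]
    [string]$UserPrincipalName
)

Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All", "Policy.Read.All" -NoWelcome

# 1. Registered methods for this user. A user with FIDO2 as the only policy-enabled
#    method still shows an Authenticator entry here if one was registered first,
#    which is the situation the accepted answer describes.
$fido2 = @(Get-MgUserAuthenticationFido2Method -UserId $UserPrincipalName)
$authenticator = @(Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserPrincipalName)

[PSCustomObject]@{
    User                 = $UserPrincipalName
    Fido2Keys            = $fido2.Count
    Fido2Models          = ($fido2 | ForEach-Object { $_.Model }) -join ', '
    AuthenticatorDevices = $authenticator.Count
    # True only when the user could not fall back to an Authenticator push/OTP.
    Fido2OnlyRegistered  = ($fido2.Count -gt 0) -and ($authenticator.Count -eq 0)
} | Format-List

# 2. Authentication strength policies that would satisfy a Conditional Access
#    "Require authentication strength" grant with a FIDO2 key. A policy whose
#    AllowedCombinations contains *only* "fido2" is the one that enforces the key;
#    anything else still admits the other listed combinations.
Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.AllowedCombinations -contains 'fido2' } |
    Select-Object DisplayName, PolicyType,
        @{ Name = 'Fido2Only';           Expression = { @($_.AllowedCombinations).Count -eq 1 } },
        @{ Name = 'AllowedCombinations'; Expression = { $_.AllowedCombinations -join ', ' } } |
    Format-Table -AutoSize
```

Run it as `.\Check-Fido2Enforcement.ps1 -UserPrincipalName user@contoso.example` (file name and UPN are placeholders). The first block shows whether the Authenticator registration the answer describes is still present for the account; the second block separates the built-in "Passwordless MFA" style policies, which also admit Windows Hello for Business and certificate-based combinations, from a custom policy that lists `fido2` alone, which is the one to attach to Conditional Access if the goal is to require the key rather than merely allow it.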

