Register passkeys in Authenticator on Android or iOS devices

This article shows how to register a passkey by using Authenticator on your iOS or Android device by directly signing in to the Authenticator app or by using Security info. For more information about the availability of Microsoft Entra ID passkey (FIDO2) authentication across native apps, web browsers, and operating systems, see Support for FIDO2 authentication with Microsoft Entra ID.

The easiest and fastest way to add a passkey is to add it directly in the Authenticator app.

Alternatively, you can add a passkey from your mobile device browser or through cross-device registration by using another device, such as a laptop. Your mobile device needs to run iOS version 17 or Android version 14, or later.

Scenario	iOS	Android
Same-device registration by signing into Authenticator	✅	✅
Same-device registration in a browser	✅	✅1
Cross-device registration	✅	✅

¹Support for same-device registration in Microsoft Edge on Android is coming soon.

iOS

Registration by signing in to Authenticator (iOS)

You can sign in to Authenticator to create a passkey in the app and get seamless single sign-on across Microsoft native apps. We recommend this preferred flow to set up a passkey in Authenticator. If you're signed in or already have an account in Authenticator, you still need to complete these steps to add a passkey in Authenticator.

1. Download Authenticator from the App Store, and go through the privacy screens.

   • If you installed Authenticator for the first time on your device, on the Secure Your Digital Life screen, tap Add work or school account.

     

   • If you installed Authenticator on your device but you didn't add an account, tap Add account or the + button, and select Work or school account. Then tap Sign in.

     

   • If you already added an account in Authenticator, tap your account, and then tap Create a passkey.

     

2. You need to complete multifactor authentication (MFA).

   

3. If necessary, tap Settings and set up a screen lock.

   

4. Tap Settings to enable Authenticator as a passkey provider.

   

5. On your iOS 18 device, go to Settings > General > Autofill & Passwords. On your iOS 17 device, go to Settings > Passwords > Password Options.

   On both operating systems, make sure that AutoFill Passwords and Passkeys is turned on. Under Autofill From, make sure that Authenticator is selected.

   

6. After you return to Authenticator, tap Done to confirm that you added Authenticator as a passkey provider. Then you can see Passkey added as a sign-in method for your account. Tap Done again to finish.

   

7. Authenticator sets up passkey, passwordless, and MFA for sign-in according to your work or school account policies. Tap your account to see information, including your new passkey.

Passkey registration from Security info (iOS)

By default, Security info prompts users to sign in to the Authenticator app to register their passkey.

1. On the same iOS device as the Authenticator or by using another device, such as a laptop, open a web browser and sign in with MFA to Security info.

   

2. On Security info, tap + Add sign-in method and select Passkey in Microsoft Authenticator.

   

3. If you're asked to sign in with MFA, select Next.

4. If necessary, download Authenticator to your iOS device. You can select Microsoft Authenticator and scan a QR code to install Authenticator from the iOS App Store. After you download Authenticator, tap Next.

   

5. You're prompted to open the Authenticator app and create your passkey there. Open Authenticator and go through the privacy screens as needed.

   

6. Add your account in Authenticator on your iOS device.

   • If you installed Authenticator for the first time on your device, on the Secure Your Digital Life screen, tap Add work or school account.

     

   • If you installed Authenticator on your device before but didn't add an account, tap Add account or the + button, and select Work or school account. Then tap Sign in.

     

   • If you already added an account in Authenticator, tap your account, and then tap Create a passkey.

     

7. You need to complete multifactor authentication (MFA).

   

8. If necessary, tap Settings and set up a screen lock.

   

9. Tap Settings to enable Authenticator as a passkey provider.

10. On your iOS 18 device, go to Settings > General > Autofill & Passwords. On your iOS 17 device, go to Settings > Passwords > Password Options.

    On both operating systems, make sure that AutoFill Passwords and Passkeys is turned on. Under Autofill From, make sure that Authenticator is selected.

    

11. After you return to Authenticator, tap Done to confirm that you added Authenticator as a passkey provider. Then you can see Passkey added as a sign-in method for your account. Tap Done again to finish.

    

12. Authenticator sets up passkey, passwordless, and MFA for sign-in according to your work or school account policies.

13. Return to your browser after you finish the passkey setup in Authenticator, and select Next.

    

14. The wizard verifies that the passkey was created in Authenticator.

    

15. After the passkey is created, select Done.

    

16. On Security info, you can see the new passkey that was added.

    

Alternate registration flow from Security info if you have trouble (iOS)

If you can't sign in to Authenticator to register a passkey, you can register directly from Security info with WebAuthn.

Note

You can't register a passkey in Authenticator this way if attestation is enabled by you administrator.

If you sign in to Security info on a different device, you need Bluetooth and an internet connection. Connectivity to the following two endpoints must be allowed in your organization:

• https://cable.ua5v.com
• https://cable.auth.com

If your organization restricts Bluetooth usage, you can permit Bluetooth pairing exclusively with passkey-enabled FIDO2 authenticators to allow cross-device registration of passkeys. For more information, see Passkeys in Bluetooth-restricted environments.

1. On Security info, when you add a passkey in Authenticator, tap Having trouble.

   

2. Now, tap create your passkey a different way.

   

3. Select iPhone or iPad, and go through the rest of the flow to register a passkey on the device.

   

If a user wants to revert to the original instructions and register a passkey in Authenticator through sign-in:

1. On Security info, when you add a passkey in Authenticator, tap Having trouble.
2. Now, tap create your passkey a different way by signing in to Authenticator.
3. Go through the rest of the flow to register a passkey on your device.

Note

If you register your passkey with the Chrome browser on macOS, allow login.microsoft.com to access your security key or device when prompted.

Delete your passkey in Authenticator for iOS

To remove the passkey from Authenticator, tap the account name, and then tap Settings > Delete passkey. You also need to delete your passkey from Security info.

Troubleshooting

In some cases when you try to register a passkey, it gets stored locally in the Authenticator app but isn't registered on the authentication server. For example, the passkey provider might not be permitted or the connection might time out. If you try to register a passkey and see an error that the passkey already exists, delete the passkey that was created locally in Authenticator and retry registration.

Android

Registration by signing in to Authenticator (Android)

You can sign in to Authenticator to create a passkey in the app and get seamless single sign-on across Microsoft native apps. We recommend this preferred flow to set up a passkey in Authenticator. If you're signed in or already have an account in Authenticator, you still need to complete these steps to add a passkey in Authenticator.

1. Download Authenticator from Google Play, open it, and go through the privacy screens.

2. Add your account in Authenticator on your Android device.

   • If you installed Authenticator for the first time on your device, on the Secure Your Digital Life screen, tap Add work or school account.

     

   • If you installed Authenticator on your device before but didn't add an account, tap Add account or the + button, and select Work or school account. Then tap Sign in.

     

   • If you already added an account in Authenticator, tap your account, and then tap Create a passkey.

     

3. You need to complete multifactor authentication (MFA).

   

4. If necessary, tap Settings and set up a screen lock.

   

5. Tap Settings to enable Authenticator as a passkey provider.

   Note

   The steps to enable passkey providers on Android might vary based on the make and model of your device. Search for Passkey on your device settings, or consult your device manufacturer for guidance. If your device runs Android 14 and you can't enable Authenticator as a passkey provider, we recommend that you upgrade to Android 15.

   

   1. Open Passwords & accounts.

      

   2. In the Additional providers section, make sure that Authenticator is selected.

      

6. After you return to Authenticator, tap Done to confirm that you added Authenticator as a passkey provider. Then you can see Passkey added as a sign-in method for your account. Tap Done again to finish.

   

7. Authenticator sets up passkey, passwordless, and MFA for sign-in according to your work or school account policies. Tap your account to see information, including your new passkey.

Passkey registration from Security info (Android)

By default, Security info prompts users to sign in to the Authenticator app to register their passkey.

1. On the same Android device as Authenticator or by using another device, such as a laptop, open a web browser and sign in with MFA to Security info.

   

2. On Security info, tap + Add sign-in method and select Passkey in Microsoft Authenticator.

   

3. If prompted, tap Next and sign in with MFA.

4. If necessary, download Authenticator to your Android device. You can select Microsoft Authenticator and scan a QR code to install Authenticator from Google Play. After you download Authenticator to your Android device, select Next.

   

5. You're prompted to open the Authenticator app and create your passkey there.

   

6. Open Authenticator and go through the privacy screens, as needed.

   • If you installed Authenticator for the first time on your device, on the Secure Your Digital Life screen, tap Add work or school account.

     

   • If you installed Authenticator on your device before but didn't add an account, tap Add account or the + button, and select Work or school account. Then tap Sign in.

     

   • If you already added an account in Authenticator, tap your account, and then tap Create a passkey.

     

7. You need to complete multifactor authentication (MFA).

   

8. If necessary, tap Settings and set up a screen lock.

   

9. Tap Settings to enable Authenticator as a passkey provider.

   Note

   The steps to enable passkey providers on Android might vary based on the make and model of your device. Search for Passkey on your device settings, or consult your device manufacturer for guidance. If your device runs Android 14 and you can't enable Authenticator as a passkey provider, we recommend that you upgrade to Android 15.

   

   1. Open Passwords & accounts.

      

   2. In the Additional providers section, make sure that Authenticator is selected.

      

10. After you return to Authenticator, tap Done to confirm that you added Authenticator as a passkey provider. Then you can see Passkey added as a sign-in method for your account. Tap Done again to finish.

    

11. Authenticator sets up passkey, passwordless, and MFA for sign-in according to your work or school account policies.

12. After you finish the passkey setup in Authenticator, return to your browser where Security info is open. Select Next.

13. The wizard verifies that the passkey was created in Authenticator.

14. After the passkey is created, select Done.

    

15. On Security info, you can see that the new passkey was added.

    

Alternate registration flow on Security info if you have trouble (Android)

If you can't sign in to the Authenticator to register a passkey, you can register directly from Security info with WebAuthn.

Note

You can't register a passkey in Authenticator this way if attestation is enabled by you administrator.

If you sign in to Security info on a different device, you need Bluetooth and an internet connection. Connectivity to the following two endpoints must be allowed in your organization:

• https://cable.ua5v.com
• https://cable.auth.com

If your organization restricts Bluetooth usage, you can permit Bluetooth pairing exclusively with passkey-enabled FIDO2 authenticators to allow cross-device registration of passkeys. For more information, see Passkeys in Bluetooth-restricted environments.

1. On Security info, when you add a passkey in Authenticator, tap Having trouble.

   

2. Now, tap create your passkey a different way.

   

3. Select Android and go through the rest of the flow to register a passkey on your device.

   

If a user wants to revert to the original instructions and register a passkey in Authenticator through sign-in:

1. On Security info, when you add a passkey in Authenticator, tap Having trouble.
2. Now, tap create your passkey a different way by signing in to Authenticator.
3. Go through the rest of the flow to register a passkey on your device.

Note

If you register your passkey with the Chrome browser on macOS, allow login.microsoft.com to access your security key or device when prompted.

Delete your passkey in Authenticator for Android

To remove the passkey from Authenticator, tap the account name, tap Settings, and then tap Delete passkey.

In most cases, the passkey is also deleted from Security info. If not, go to Security info and select Delete to remove it.

Troubleshooting

In some cases when you try to register a passkey, it gets stored locally in the Authenticator app but isn't registered on the authentication server. For example, the passkey provider might not be permitted, or the connection might time out. If you try to register a passkey and see an error that the passkey already exists, delete the passkey that was created locally in Authenticator and retry registration.