Register passkeys in Authenticator on Android or iOS devices

This article shows how to register a passkey by using Authenticator on your iOS or Android device by directly signing in to the Authenticator app or by using Security info. For more information about the availability of Microsoft Entra ID passkey (FIDO2) authentication across native apps, web browsers, and operating systems, see Support for FIDO2 authentication with Microsoft Entra ID.

The easiest and fastest way to add a passkey is to add it directly in the Authenticator app.

Alternatively, you can add a passkey from your mobile device browser or through cross-device registration by using another device, such as a laptop. Your mobile device needs to run iOS version 17 or Android version 14, or later.

Scenario iOS Android
Same-device registration by signing into Authenticator
Same-device registration in a browser 1
Cross-device registration

1Support for same-device registration in Microsoft Edge on Android is coming soon.

Registration by signing in to Authenticator (iOS)

You can sign in to Authenticator to create a passkey in the app and get seamless single sign-on across Microsoft native apps. We recommend this preferred flow to set up a passkey in Authenticator. If you're signed in or already have an account in Authenticator, you still need to complete these steps to add a passkey in Authenticator.

  1. Download Authenticator from the App Store, and go through the privacy screens.

    • If you installed Authenticator for the first time on your device, on the Secure Your Digital Life screen, tap Add work or school account.

      Screenshot that shows the first screen to appear for Authenticator for iOS devices.

    • If you installed Authenticator on your device but you didn't add an account, tap Add account or the + button, and select Work or school account. Then tap Sign in.

      Screenshot that shows how to register by using Authenticator for iOS devices.

    • If you already added an account in Authenticator, tap your account, and then tap Create a passkey.

      Screenshot that shows how to create a passkey in Authenticator for iOS devices.

  2. You need to complete multifactor authentication (MFA).

    Screenshot that shows how to complete MFA by using Authenticator for iOS devices.

  3. If necessary, tap Settings and set up a screen lock.

    Screenshot that shows how to set up a screen lock for a passkey in Authenticator for Android devices.

  4. Tap Settings to enable Authenticator as a passkey provider.

    Screenshot that shows opening Settings to follow the onscreen instructions by using Authenticator for iOS devices.

  5. On your iOS 18 device, go to Settings > General > Autofill & Passwords. On your iOS 17 device, go to Settings > Passwords > Password Options.

    On both operating systems, make sure that AutoFill Passwords and Passkeys is turned on. Under Autofill From, make sure that Authenticator is selected.

    Screenshot that shows the turn-on passkey support option in Authenticator for iOS devices.

  6. After you return to Authenticator, tap Done to confirm that you added Authenticator as a passkey provider. Then you can see Passkey added as a sign-in method for your account. Tap Done again to finish.

    Screenshot that shows an account added to Authenticator for Android devices.

  7. Authenticator sets up passkey, passwordless, and MFA for sign-in according to your work or school account policies. Tap your account to see information, including your new passkey.

Passkey registration from Security info (iOS)

By default, Security info prompts users to sign in to the Authenticator app to register their passkey.

  1. On the same iOS device as the Authenticator or by using another device, such as a laptop, open a web browser and sign in with MFA to Security info.

    Screenshot that shows how to enter a temporary access pass on a laptop at 80%.

  2. On Security info, tap + Add sign-in method and select Passkey in Microsoft Authenticator.

    Screenshot that shows how to select passkey in Authenticator as a sign-in method.

  3. If you're asked to sign in with MFA, select Next.

  4. If necessary, download Authenticator to your iOS device. You can select Microsoft Authenticator and scan a QR code to install Authenticator from the iOS App Store. After you download Authenticator, tap Next.

    Screenshot that gives users an option to download Authenticator.

  5. You're prompted to open the Authenticator app and create your passkey there. Open Authenticator and go through the privacy screens as needed.

    Screenshot that shows the wizard used to complete the passkey setup in Authenticator.

  6. Add your account in Authenticator on your iOS device.

    • If you installed Authenticator for the first time on your device, on the Secure Your Digital Life screen, tap Add work or school account.

      Screenshot that shows the first screen to appear for Authenticator for iOS devices.

    • If you installed Authenticator on your device before but didn't add an account, tap Add account or the + button, and select Work or school account. Then tap Sign in.

      Screenshot that shows how to register by using Authenticator for iOS devices.

    • If you already added an account in Authenticator, tap your account, and then tap Create a passkey.

      Screenshot that shows how to create a passkey in Authenticator for iOS devices.

  7. You need to complete multifactor authentication (MFA).

    Screenshot that shows how to complete MFA by using Authenticator for iOS devices.

  8. If necessary, tap Settings and set up a screen lock.

    Screenshot that shows how to set up a screen lock for a passkey in Authenticator for Android devices.

  9. Tap Settings to enable Authenticator as a passkey provider.

  10. On your iOS 18 device, go to Settings > General > Autofill & Passwords. On your iOS 17 device, go to Settings > Passwords > Password Options.

    On both operating systems, make sure that AutoFill Passwords and Passkeys is turned on. Under Autofill From, make sure that Authenticator is selected.

    Screenshot that shows the turn-on passkey support option in Authenticator for iOS devices.

  11. After you return to Authenticator, tap Done to confirm that you added Authenticator as a passkey provider. Then you can see Passkey added as a sign-in method for your account. Tap Done again to finish.

    Screenshot that shows an account added to Authenticator for Android devices.

  12. Authenticator sets up passkey, passwordless, and MFA for sign-in according to your work or school account policies.

  13. Return to your browser after you finish the passkey setup in Authenticator, and select Next.

    Screenshot that shows returning to the wizard to finish the passkey setup in Authenticator.

  14. The wizard verifies that the passkey was created in Authenticator.

    Screenshot that shows the wizard that verifies the passkey in Authenticator.

  15. After the passkey is created, select Done.

    Screenshot that confirms that the passkey was created.

  16. On Security info, you can see the new passkey that was added.

    Screenshot that shows a new passkey sign-in method on Security info on your other device.

Alternate registration flow from Security info if you have trouble (iOS)

If you can't sign in to Authenticator to register a passkey, you can register directly from Security info with WebAuthn.

Note

You can't register a passkey in Authenticator this way if attestation is enabled by you administrator.

If you sign in to Security info on a different device, you need Bluetooth and an internet connection. Connectivity to the following two endpoints must be allowed in your organization:

  • https://cable.ua5v.com
  • https://cable.auth.com

If your organization restricts Bluetooth usage, you can permit Bluetooth pairing exclusively with passkey-enabled FIDO2 authenticators to allow cross-device registration of passkeys. For more information, see Passkeys in Bluetooth-restricted environments.

  1. On Security info, when you add a passkey in Authenticator, tap Having trouble.

    Screenshot that shows how to register another way if you have trouble.

  2. Now, tap create your passkey a different way.

    Screenshot that shows how to register a passkey another way.

  3. Select iPhone or iPad, and go through the rest of the flow to register a passkey on the device.

    Screenshot that shows how to choose another way on iOS if you have trouble.

If a user wants to revert to the original instructions and register a passkey in Authenticator through sign-in:

  1. On Security info, when you add a passkey in Authenticator, tap Having trouble.
  2. Now, tap create your passkey a different way by signing in to Authenticator.
  3. Go through the rest of the flow to register a passkey on your device.

Note

If you register your passkey with the Chrome browser on macOS, allow login.microsoft.com to access your security key or device when prompted.

Delete your passkey in Authenticator for iOS

To remove the passkey from Authenticator, tap the account name, and then tap Settings > Delete passkey. You also need to delete your passkey from Security info.

Troubleshooting

In some cases when you try to register a passkey, it gets stored locally in the Authenticator app but isn't registered on the authentication server. For example, the passkey provider might not be permitted or the connection might time out. If you try to register a passkey and see an error that the passkey already exists, delete the passkey that was created locally in Authenticator and retry registration.