Sign in with passkeys in Authenticator for Android and iOS devices
This article covers the sign-in experience when using passkeys in Microsoft Authenticator with Microsoft Entra ID. For more information about the availability of Microsoft Entra ID passkey (FIDO2) authentication across native applications, web browsers, and operating systems, see Support for FIDO2 authentication with Microsoft Entra ID.
Scenario | iOS | Android
Same-device authentication in a browser | ✅ | ✅ (1)
Same-device authentication in native Microsoft applications | ✅ | ✅
Cross-device authentication | ✅ | ✅

(1) Support for same-device registration in Edge on Android is coming soon.
To sign in with a passkey in Microsoft Authenticator, your iOS device needs to run iOS 17 or later.
Same-device authentication in a browser (iOS)
Follow these steps to sign in to Microsoft Entra ID with a passkey in Authenticator on your iOS device.
On your iOS device, open your browser and navigate to the resource you're trying to access, such as Office.
You can enter your username to sign in:
If you most recently used a passkey to sign in, you're automatically prompted to sign in with a passkey. Otherwise, select Other ways to sign in, and then select Face, fingerprint, PIN, or security key.
Alternatively, click Sign-in options to sign in more conveniently without having to enter a username.
If you chose Sign-in options, select Face, fingerprint, PIN, or security key. Otherwise, skip to the next step.
Note
If you attempt to sign in without a username and multiple passkeys are saved to your device, you're prompted to choose which passkey to use for sign-in.
To select your passkey, follow the steps in the iOS operating system dialog. Verify that it's you by using Face ID, Touch ID, or entering your device PIN.
You're now signed into Microsoft Entra ID.
Cross-device authentication (iOS)
Follow these steps to sign in to Microsoft Entra ID on another device with a passkey in Authenticator on your iOS device.
On the other device where you want to sign in to Microsoft Entra ID, navigate to the resource you're trying to access, such as Office.
You can enter your username to sign in:
If you last used a passkey to authenticate, you're automatically prompted to authenticate with a passkey. Otherwise, select Other ways to sign in, and then select Face, fingerprint, PIN, or security key.
Alternatively, click Sign-in options to sign in more conveniently without having to enter a username.
If you chose Sign-in options, select Face, fingerprint, PIN, or security key. Otherwise, skip to the next step.
Note
If you try to sign in without a username and multiple passkeys are saved to your device, you're prompted to choose which passkey to use for sign-in.
To begin cross-device authentication, follow the steps in the operating system or browser prompt. On Windows 11 23H2 or later, select iPhone, iPad, or Android device.
A QR code should appear on screen. Now, on your iOS device, open the camera app and scan the QR code.
Note
The camera inside the iOS Authenticator app doesn't support scanning a WebAuthn QR code. You need to use the system camera app.
Select Sign in with passkey when the option appears.
Note
Bluetooth and an internet connection are required for this step and must both be enabled on your mobile and remote device.
To select your passkey, follow the steps in the iOS operating system dialog. Verify that it's you by using Face ID, Touch ID, or entering your device PIN.
You're now signed into Microsoft Entra ID on your other device.
Same-device authentication in native Microsoft applications (iOS)
You can use Authenticator on your iOS device to seamlessly sign in with a passkey to other Microsoft apps, such as Microsoft OneDrive, SharePoint, and Outlook.
To sign in with a passkey in Microsoft Authenticator, your Android device needs to run Android 14 or later.
Same-device authentication in a browser (Android)
Follow these steps to sign in to Microsoft Entra ID with a passkey in Microsoft Authenticator on your Android device.
Note
Support for same-device registration in Edge on Android is coming soon.
On your Android device, open your browser and navigate to the resource you're trying to access at My Security info.
When prompted to sign in, you have two options. The usernameless option can be easier than entering your username.
Type your username.
To sign in with the usernameless option, select Sign-in options.
If you chose Sign-in options, select Face, Fingerprint, PIN, or Security key. Otherwise, skip to the next step.
Note
If you have more than one passkey saved to your device, you're prompted to choose a passkey.
To select your passkey, follow the steps in the Android operating system dialog. Verify that it's you by scanning your face, fingerprint, or entering your device PIN or unlock gesture.
You're now signed into Microsoft Entra ID.
Cross-device authentication (Android)
Follow these steps to sign in to Microsoft Entra ID on another device with a passkey in Microsoft Authenticator on your Android device.
This sign-in option requires Bluetooth and an internet connection for both devices. If your organization restricts Bluetooth usage, an administrator can allow cross-device sign-in for passkeys by permitting Bluetooth pairing exclusively with passkey-enabled FIDO2 authenticators. For more information about how to configure Bluetooth usage only for passkeys, see Passkeys in Bluetooth-restricted environments.
On the other device where you want to sign in to Microsoft Entra ID, navigate to the resource you're trying to access, such as Office.
You can enter your username to sign in:
If you last used a passkey to authenticate, you're automatically prompted to authenticate with a passkey. Otherwise, select Other ways to sign in, and then select Face, fingerprint, PIN, or security key.
Alternatively, click Sign-in options to sign in more conveniently without having to enter a username.
If you chose Sign-in options, select Face, fingerprint, PIN, or security key. Otherwise, skip to the next step.
To begin cross-device authentication, follow the steps in the operating system or browser prompt. On Windows 11 23H2 or later, select iPhone, iPad, or Android device.
A QR code should appear on screen. Now, on your Android device, open the system camera app and scan the QR code. Alternatively, you can use the camera in Authenticator: navigate to the passkey account tile and tap it. Under Passkey details, a button in the bottom-right corner lets you scan the QR code.
Note
Bluetooth and an internet connection are required for this step and both must be enabled on your mobile and remote device.
For quicker sign-in, Android allows you to remember some browsers and Windows devices after scanning the WebAuthn QR code. In such cases, instead of having to scan a QR code each time, you can select the device and receive a notification to continue the passkey authentication.
To select your passkey, follow the steps in the Android operating system dialog. Verify that it's you by scanning your face or fingerprint, or by entering your device PIN or unlock gesture.
On your other device, you're signed into Microsoft Entra ID.
Same-device authentication in native Microsoft applications
You can use Authenticator on your Android device to seamlessly sign in with a passkey to other Microsoft apps, such as Microsoft OneDrive, SharePoint, and Outlook.