Sign in with passkeys in Authenticator for Android and iOS devices (preview)

This article covers the sign-in experience when using passkeys in Microsoft Authenticator with Microsoft Entra ID. For more information about the availability of Microsoft Entra ID passkey (FIDO2) authentication across native applications, web browsers, and operating systems, see Support for FIDO2 authentication with Microsoft Entra ID.

Scenario	iOS	Android
Same-device authentication in a browser	✅	❌2
Same-device authentication in native Microsoft applications1	✅	❌2
Cross-device authentication	✅	✅

¹ For native app sign-in (preview), the user must have an authentication broker installed. Microsoft Authenticator is an authentication broker.

² Support for same-device Android scenarios is coming soon.

iOS

To sign in with a passkey in Microsoft Authenticator, your iOS device needs to run iOS 17 or later.

Same-device authentication in a browser (iOS)

Follow these steps to sign in to Microsoft Entra ID with a passkey in Authenticator on your iOS device.

1. On your iOS device, open your browser and navigate to the resource you're trying to access such as Office.

2. You can enter your username to sign in:

   

   If you most recently used a passkey to sign in, you're automatically prompted to sign in with a passkey. Otherwise, select Other ways to sign in, and then select Face, fingerprint, PIN, or security key.

   Alternatively, click Sign-in options to sign in more conveniently without having to enter a username.

   

   If you chose Sign-in options, select Face, fingerprint, PIN, or security key. Otherwise, skip to next step.

   

   Note

   If you attempt to sign in without a username and multiple passkeys are saved to your device, you're prompted to choose which passkey to use for sign-in.

3. To select your passkey, follow the steps in the iOS operating system dialog. Verify that it's you by using Face ID, Touch ID, or entering your device PIN.

4. You're now signed into Microsoft Entra ID.

Cross-device authentication (iOS)

Follow these steps to sign in to Microsoft Entra ID on another device with a passkey in Authenticator on your iOS device.

1. On the other device where you're looking to sign in to Microsoft Entra ID, navigate to the resource you're trying to access such as Office.

2. You can enter your username to sign in:

   

   If you last used a passkey to authenticate, you will be automatically prompted to authenticate with a passkey. Otherwise, you may click on Other ways to sign in and then select Face, fingerprint, PIN, or security key.

   Alternatively, click Sign-in options to sign in more conveniently without having to enter a username.

   

   If you chose Sign-in options, select Face, fingerprint, PIN, or security key. Otherwise, skip to next step.

   

   Note

   If you try to sign in without a username and multiple passkeys are saved to your device, you're prompted to choose which passkey to use for sign-in.

3. To begin cross-device authentication, follow the steps in the operating system or browser prompt. On Windows 11 23H2 or later, select iPhone, iPad, or Android device.

4. A QR code should appear on screen. Now, on your iOS device, open the camera app and scan the QR code.

   Note

   The camera inside the iOS Authenticator app doesn't support scanning a WebAuthn QR code. You need to use the system camera app.

5. Select Sign in with passkey when the option appears.

   Note

   Bluetooth and an internet connection are required for this step and must both be enabled on your mobile and remote device.

6. To select your passkey, follow the steps in the iOS operating system dialog. Verify that it's you by using Face ID, Touch ID, or enter your device PIN.

7. You're now signed into Microsoft Entra ID on your other device.

Same-device authentication in native Microsoft applications (iOS)

You can use Authenticator on your iOS device to seamlessly sign in with a passkey to other Microsoft apps, such as Microsoft OneDrive, SharePoint, and Outlook. Similar support for Android devices is coming during preview.

Android

To sign in with a passkey in Microsoft Authenticator, your Android device needs to run Android 14 or later.

Same-device authentication in a browser (Android)

Note

Passkeys in Authenticator don't work with browsers like Google Chrome or Microsoft Edge on Android devices. Support to create and sign in using Authenticator passkeys from browsers depends upon API updates to be made available by the Android platform.

Cross-device authentication (Android)

Follow these steps to sign in to Microsoft Entra ID on another device with a passkey in Microsoft Authenticator on your Android device.

1. On the other device where you're looking to sign in to Microsoft Entra ID, navigate to the resource you're trying to access such as Office.

2. You can enter your username to sign in:

   

   If you last used a passkey to authenticate, you will be automatically prompted to authenticate with a passkey. Otherwise, you may click on Other ways to sign in and then select Face, fingerprint, PIN, or security key.

   Alternatively, click Sign-in options to sign in more conveniently without having to enter a username.

   

   If you chose Sign-in options, select Face, fingerprint, PIN, or security key. Otherwise, skip to next step.

   

3. To begin cross-device authentication, follow the steps in the operating system or browser prompt. On Windows 11 23H2 or later, select iPhone, iPad, or Android device.

4. A QR code should appear on screen. Now, on your Android device, open the system camera app and scan the QR code. Alternatively, you can also use the camera in Authenticator. Navigate to the passkey account tile and tap on it. Under Passkey details (preview), you'll see a button in the bottom-right corner to scan the QR code.

Note

Bluetooth and an internet connection are required for this step and both must be enabled on your mobile and remote device.

Note

For quicker sign-in, Android allows you to remember some browsers and Windows devices after scanning the WebAuthn QR code. In such cases, instead of having to scan a QR code each time, the device will appear as a selectable option and you will receive a notification on your mobile device to continue the passkey authentication.

1. To select your passkey, follow the steps in the Android operating system dialog. Verify that it's you by scanning your face, fingerprint, or enter your device PIN or unlock gesture.

2. You're now signed into Microsoft Entra ID on your other device.

Same-device authentication in native Microsoft applications (Android)

You can't use passkeys in Authenticator on your Android device to sign in to other Microsoft apps, such as Microsoft OneDrive, SharePoint, and Outlook. Support for Android devices is coming later during preview.