Passkeys are a great way to improve security and move away from less secure authentication methods such as passwords, SMS codes and voice calls.
Phishing-Resistant MFA
So what counts as a phishing-resistant authentication method?
Listed below are 4 methods that are phishing-resistant and will greatly improve your authentication security, helping you protect your users and your organization.
Prerequisites
- Android 14 and later or iOS 17 and later
- Microsoft multi-factor authentication enabled
- Latest version of Microsoft Authenticator
Enable Passkeys
- Go to Microsoft Entra
- Select Protection – Authentication Methods – Policies
- Select FIDO2 security key and assign it to all users or a specific group of users.
- Select Configure
Allow self-service set up: YES
If this is not turned on, users cannot register a passkey.
Enforce attestation: NO
This must be set to NO; it is required because Microsoft Authenticator does not currently support attestation.
Key Restriction Policy
We are not required to configure this, but it is useful if we want to limit which types of passkeys and security keys are allowed. In this example we only use Microsoft Authenticator and YubiKeys.
Enforce key restrictions: YES
We will set this to YES and only allow YubiKeys and Microsoft Authenticator (this will differ depending on your organization's requirements, but Microsoft Authenticator must be added).
Restrict specific keys: Allow
We will only allow the keys added to our list.
- Click on Add AAGUID
- Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
- Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f
If you also support YubiKeys, add their AAGUIDs as well so that only the specific YubiKey models you use are allowed.
YubiKey AAGUIDs
That is all, you can now start using Passkeys with Microsoft Authenticator.
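As an added example (not code from the original post), the Python snippet below builds the Microsoft Graph PATCH body for the FIDO2 authentication method policy with exactly the settings described above, and audits a policy read back from Graph for the three things that break Authenticator passkeys: self-service registration off, attestation enforced, or the two Authenticator AAGUIDs missing from (or blocked by) the key restriction list. The property names are those of the Graph `fido2AuthenticationMethodConfiguration` resource; the extra AAGUID in the usage is a constructed placeholder, and sending the request (token, HTTP client) is left out.

```python
import json
import uuid

# AAGUIDs for Microsoft Authenticator passkeys (the values listed in this post).
AUTHENTICATOR_AAGUIDS = {
    "android": "de1e552d-db1d-4423-a619-566b625cdc84",
    "ios": "90a3ccdf-635c-4729-a248-9b709135078f",
}

# Graph resource the body below is PATCHed to (user assignment via includeTargets is left as-is).
GRAPH_FIDO2_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
                   "/authenticationMethodConfigurations/Fido2")


def build_fido2_policy(extra_aaguids=()):
    """Return the PATCH body for the settings in this post; extra_aaguids adds e.g. YubiKey models.
    Each AAGUID is parsed as a UUID so a typo fails loudly instead of silently locking users out."""
    allowed = list(AUTHENTICATOR_AAGUIDS.values()) + [str(uuid.UUID(a)) for a in extra_aaguids]
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "isSelfServiceRegistrationEnabled": True,   # Allow self-service set up: YES
        "isAttestationEnforced": False,             # Enforce attestation: NO (Authenticator lacks it)
        "keyRestrictions": {
            "isEnforced": True,                     # Enforce key restrictions: YES
            "enforcementType": "allow",             # Restrict specific keys: Allow
            "aaGuids": allowed,
        },
    }


def audit_fido2_policy(policy):
    """Return findings for a policy object read back from Graph; an empty list means it is OK."""
    findings = []
    if not policy.get("isSelfServiceRegistrationEnabled"):
        findings.append("self-service registration disabled: users cannot register passkeys")
    if policy.get("isAttestationEnforced"):
        findings.append("attestation enforced: Microsoft Authenticator passkeys will be rejected")
    kr = policy.get("keyRestrictions") or {}
    listed = {a.lower() for a in kr.get("aaGuids", [])}
    for platform, aaguid in AUTHENTICATOR_AAGUIDS.items():
        if kr.get("isEnforced") and kr.get("enforcementType") == "allow" and aaguid not in listed:
            findings.append(f"Authenticator for {platform} AAGUID missing from allow list")
        if kr.get("isEnforced") and kr.get("enforcementType") == "block" and aaguid in listed:
            findings.append(f"Authenticator for {platform} AAGUID is on the block list")
    return findings


if __name__ == "__main__":
    # "11111111-..." is a constructed placeholder standing in for a real YubiKey AAGUID.
    print(json.dumps(build_fido2_policy(["11111111-2222-3333-4444-555555555555"]), indent=2))
```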
Setup Passkey with Microsoft Authenticator
- Using your mobile phone go to: https://aka.ms/mysecurityinfo
(You can also do this on your computer; you will then get a QR code to scan so that the passkey is saved on your device.)
- Select Add sign-in method
- Select Passkey in Microsoft Authenticator
- Follow the on-screen guide. When asked where to save your passkey, make sure you select Microsoft Authenticator. If you do not see this option, make sure you are running the latest version of Microsoft Authenticator and have allowed Authenticator for passkeys.