Entra ID and Secure FIDO Authentication
Kate Bennett • January 31, 2025

FIDO2 with Entra ID

FIDO2 security keys provide a highly secure, unphishable, passwordless authentication method based on open standards. These keys are available in various form factors, most commonly as USB devices, but they can also utilize Bluetooth or near-field communication (NFC). Passkeys (FIDO2) leverage the same WebAuthn standard and can be stored in authenticators or directly on mobile devices, tablets, or computers. 


FIDO2 security keys allow users to sign in to Microsoft Entra ID or Microsoft Entra hybrid-joined Windows 10 devices, providing single sign-on (SSO) access to both cloud and on-premises resources. They also support authentication in compatible web browsers. These keys are an ideal choice for organizations that prioritize security or have employees who cannot or prefer not to use their phone as a second authentication factor.


Users can register a passkey (FIDO2) and select it as their primary method of authentication. Authenticating with a hardware device significantly enhances account security because there is no password to guess or expose. A capability currently in preview also lets Authentication Administrators provision a FIDO2 security key on behalf of users through the Microsoft Graph API and a custom client. At this stage, provisioning on behalf of users is limited to security keys only.


Windows Devices Supporting FIDO2 Passkeys

For Windows devices joined to Microsoft Entra ID, the optimal experience is on Windows 10 version 1903 or newer. Hybrid-joined devices require Windows 10 version 2004 or later. Passkeys (FIDO2) are compatible with major operating systems, including Windows, macOS, Android, and iOS.


The FIDO (Fast IDentity Online) Alliance advances open authentication standards to reduce reliance on passwords. FIDO2 is the latest standard, incorporating WebAuthn technology, allowing organizations to adopt passwordless authentication through external security keys or platform keys embedded in devices.



FIDO2 security keys deliver phishing-resistant authentication by replacing weak credentials with robust, hardware-backed public/private key pairs. These credentials cannot be reused, replayed, or shared across services. Additionally, security keys support shared device use cases, enabling users to carry their credentials and authenticate securely on any supported device.
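The binding checks a WebAuthn relying party runs on a sign-in assertion show why these credentials cannot be replayed or used on another site. This is an added example, not code from Tx Systems or Microsoft; the host names, challenges and counters are constructed placeholders, and the signature check over authenticatorData plus the SHA-256 of clientDataJSON, which needs a cryptography library and the stored public key, is left out.

```python
import hashlib, hmac, json, struct
from base64 import urlsafe_b64encode

def b64url(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json, auth_data, challenge,
                            origin, rp_id, stored_count):
    """Return the names of failed checks; an empty list means all bindings hold."""
    failed = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failed.append("type")
    # The challenge is single-use and server-issued, so an old response fails.
    got = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(challenge).encode()):
        failed.append("challenge")
    # The origin is written by the browser, not by the page that asked.
    if client.get("origin") != origin:
        failed.append("origin")
    if len(auth_data) < 37:
        return failed + ["authData"]
    rp_hash, flags = auth_data[:32], auth_data[32]
    count = struct.unpack(">I", auth_data[33:37])[0]
    # Credential scope: SHA-256 of the RP ID the authenticator signed for.
    if rp_hash != hashlib.sha256(rp_id.encode()).digest():
        failed.append("rpIdHash")
    if not flags & 0x01:  # UP bit: a user was present at the key
        failed.append("userPresent")
    if (count or stored_count) and count <= stored_count:  # counter must advance
        failed.append("signCount")
    return failed

def sample(origin, rp_id, challenge, count, flags=0x01):
    """Constructed test data shaped like a browser/authenticator response."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)
    return cdj, auth

RP_ID, ORIGIN = "login.example.test", "https://login.example.test"  # placeholders
OTHER = "login.example-test.invalid"  # constructed lookalike host
fresh, stale = b"\x01" * 32, b"\x02" * 32  # constructed server challenges

def demo():
    expect = dict(challenge=fresh, origin=ORIGIN, rp_id=RP_ID, stored_count=41)
    good = check_assertion_binding(*sample(ORIGIN, RP_ID, fresh, 42), **expect)
    lookalike = check_assertion_binding(*sample("https://" + OTHER, OTHER, fresh, 42), **expect)
    replay = check_assertion_binding(*sample(ORIGIN, RP_ID, stale, 41), **expect)
    return good, lookalike, replay
```

Calling `demo()` returns the failed checks for a valid response, a response produced on a lookalike host, and a replayed response, in that order.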



Step-by-Step Instructions for Setting up FIDO2 Logon for Entra ID Joined Devices

Our experts at Tx Systems Inc. have compiled a step-by-step instruction guide to ensure successful configuration between your FIDO2 Key and Entra ID.


Click here to download our PDF guide.

Reach out with any questions or comments at (858) 622-2004 for help acquiring and setting up FIDO2 Keys.


Sources: Enable Passkeys; Passkey (FIDO2) authentication matrix with Microsoft Entra ID; Attestation for FIDO2 security key vendors



