Hey folks! I'm having some trouble with users who have Passkeys configured alongside the Microsoft Authenticator app in Entra ID. When they try to log into sites like office.com, two situations come up:
1. If they autofill their credentials, it asks them to use Windows Hello for Business (WHfB) for authentication, which seems odd since I thought Passkeys would be the primary method. Is WHfB being considered a strong authentication method instead?
2. When users manually enter their email, they are taken directly to the TOTP screen where they need to input a code from their authenticator app. Why isn't it defaulting to Passkeys, especially when they've always used them? Bluetooth is enabled, and they shouldn't be getting this prompt if Passkeys are considered stronger.
For context, only some users have Passkeys enabled, while all users have MS Authenticator active. We haven't set up Conditional Access yet, so we haven't specified authentication strengths.
2 Answers
Check what the 'Default sign-in method (Preview)' field states under Users > username > Authentication methods. If it says FIDO2 but still goes straight to TOTP after entering the email, that’s strange. You should ideally have the option for security keys appear first, even without Conditional Access. It sounds like something isn’t triggering as it should.
It looks like Passkeys are based on FIDO2, and WHfB can also function as a FIDO2 method. If users are being asked for a two-digit code without needing a password, it seems like passwordless sign-in requests are at play here. To manage the prompts users see, you would eventually need to use Conditional Access and set up authentication strengths. Otherwise, it appears that the choice is up to the users' preferences.
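Both answers point at two checks an admin can script instead of clicking through the portal: confirm which methods a given user actually has registered (passkey/FIDO2, WHfB, Authenticator), and, once Conditional Access is in play, require an authentication strength so the prompt is no longer left to user preference. The PowerShell below is an added example for this thread, not code from either answerer or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns). The user principal name, the pilot group ID and the policy name are placeholders you must replace; the authentication strength ID is Microsoft's built-in "Phishing-resistant MFA" policy. The policy is created in report-only mode so nothing is enforced until the sign-in logs show the expected results.

```powershell
# Added example (not from the original thread). Requires the Microsoft Graph PowerShell SDK:
#   Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser
# Run as an admin who can read auth methods and write Conditional Access policies.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All", "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# --- 1. What has this user actually registered? (answer 1's "check the user's methods") ---
$upn = "alice@contoso.example"   # placeholder: the affected user's UPN

# Map of Graph method types to readable names for the methods discussed in the question.
$methodNames = @{
    "#microsoft.graph.fido2AuthenticationMethod"                   = "Passkey / FIDO2 security key"
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod" = "Windows Hello for Business"
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"  = "Microsoft Authenticator app"
    "#microsoft.graph.softwareOathAuthenticationMethod"            = "Software OATH TOTP token"
    "#microsoft.graph.passwordAuthenticationMethod"                = "Password"
}

$registered = Get-MgUserAuthenticationMethod -UserId $upn
foreach ($m in $registered) {
    $type = $m.AdditionalProperties['@odata.type']
    $name = if ($methodNames.ContainsKey($type)) { $methodNames[$type] } else { $type }
    "{0,-35} {1}" -f $name, $m.Id
}

# The FIDO2 entries carry the key model and attestation level, which is what to look at when a
# passkey is registered but never offered: a missing entry here means the passkey never registered.
$fido2 = Get-MgUserAuthenticationFido2Method -UserId $upn
foreach ($k in $fido2) {
    "FIDO2 key: {0} (model: {1}, attestation: {2}, registered {3})" -f `
        $k.DisplayName, $k.Model, $k.AttestationLevel, $k.CreatedDateTime
}

# --- 2. Stop leaving the choice to the user: require phishing-resistant MFA via Conditional Access ---
# (answer 2's "Conditional Access and authentication strengths"). Report-only first, so you can
# confirm in the sign-in logs which users would pass with passkeys/WHfB before enforcing it.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of the passkey pilot group

# Built-in authentication strength IDs shipped by Entra ID:
#   ...0002 = Multifactor authentication, ...0003 = Passwordless MFA, ...0004 = Phishing-resistant MFA
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

$policy = @{
    displayName = "Passkey pilot - require phishing-resistant MFA (report-only)"   # placeholder name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State

# Sanity check: read the built-in strength back so you can see which method combinations it allows
# (passkeys/FIDO2 and WHfB are in it; Authenticator push/TOTP are not).
$strength = Get-MgPolicyAuthenticationStrengthPolicy -AuthenticationStrengthPolicyId $phishingResistantStrengthId
"Strength '{0}' allows: {1}" -f $strength.DisplayName, ($strength.AllowedCombinations -join ", ")
```

Once the report-only results look right, flip `state` to `enabled` (or edit the policy in the portal). Keep the pilot scoped to the group that actually has passkeys or WHfB registered; applying a phishing-resistant strength to users who only have Authenticator registered locks them out rather than prompting them for a passkey.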