Setup passkeys as MFA method for password less sign in

This guide helps end users register a passkey for their Microsoft work or school account.

It is written for users, not tenant administrators.

What is a passkey

A passkey is a phishing-resistant authentication method based on FIDO2 standards. Depending on your organization's policy, the passkey can be:

• stored in Microsoft Authenticator
• stored on a hardware security key
• stored by a supported platform or passkey provider

Before you begin

You need:

• a Microsoft work or school account
• permission from your IT team to use passkeys
• a supported device and browser
• Microsoft Authenticator if your organization uses Authenticator-based passkeys
• a recently completed MFA challenge or a Temporary Access Pass if your IT team provided one

Recommended sign-in portal

Use:

https://mysignins.microsoft.com

Then open Security info.

Typical registration flow

1. Sign in to My Sign-Ins
2. Open Security info
3. Select Add sign-in method
4. Choose the passkey option allowed by your organization
5. Follow the prompts on your device
6. Complete the biometric or device verification
7. Finish registration and test sign-in

Best practices for users

• register at least one backup sign-in method
• do not remove your existing MFA method until testing is complete
• if possible, register more than one strong method
• test the new sign-in method immediately after setup

Summary

Passkeys provide a modern, phishing-resistant, passwordless sign-in option for Microsoft work and school accounts.