Passkey as (mandatory) 2FA

Is there a way to accept a Passkey entry as 2FA?

We are using Windows Hello as a platform passkey provider for our staff, and this works ok (enrollment sometimes does not recognize that the platform has a local TPM in Hello and therefore Edge only offers to enroll via QR code. I haven’t found out what’s causing this but I guess it’s a Windows or Entra ID problem, so it doesn’t matter for this question.)

Anyway, since our staff now has passwordless logins I could finally make 2FA mandatory for logins. However, this doesn’t really work for people who have only a local account password and a passkey (no Authenticator or Security Key) - they are still asked to provide a 2FA method in addition.

I would expect it accepts Passkeys (at least if the user agent confirms it checked presence or second factor).

Can this be enabled/accepted? Can I maybe accept it for my Enterprise Passkey storage in WHfB only?

I saw a comment that you can register a passkey as a 2FA security key (again); is that the way to go? (I would like to avoid it because of the above-described enrollment problems; I haven’t been able to test that yet.)

2 Likes

Yes, this is on our to-do list. This would be a usability improvement, since browsers now bundle passkeys and security keys together. And there’s no security downside here: under the hood a passkey is the same as a security key, the only difference is that a passkey can be used for login without a password.

4 Likes
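Added example, not code from this forum thread or from any product discussed in it: a Python check of the kind a server would run to count a passkey assertion as a second factor, reading the WebAuthn authenticatorData flags the first post refers to (user presence and user verification). The relying party ID `example.com` and the sample assertions are constructed; the `make_auth_data` helper exists only to build them.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present (presence test, e.g. a touch)
FLAG_UV = 0x04  # user verified (PIN or biometric, as Windows Hello does)
FLAG_BE = 0x08  # backup eligible (synced passkey)
FLAG_BS = 0x10  # backup state (currently backed up)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def satisfies_second_factor(auth_data: bytes, rp_id: str, require_uv: bool = True) -> bool:
    """Server-side policy: may this assertion count as a second factor?
    Assumes the signature over authenticatorData || clientDataHash was
    already verified against the stored public key (not shown here)."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False  # assertion was made for a different relying party
    if not parsed["user_present"]:
        return False  # no presence test, so no proof the key was in hand
    if require_uv and not parsed["user_verified"]:
        return False  # authenticator did not verify the user locally
    return True


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData (no attestation or extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    hello = make_auth_data("example.com", FLAG_UP | FLAG_UV, 7)  # Hello-style, UV set
    touch = make_auth_data("example.com", FLAG_UP, 8)            # presence only
    print(satisfies_second_factor(hello, "example.com"), satisfies_second_factor(touch, "example.com"))
```

A presence-only assertion still passes with `require_uv=False`, which is the policy choice a server makes when it treats a plain security key touch as sufficient for the second factor.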