FIDO2 Security Key Enrollment for Microsoft MFA on Windows


Staff who hold an administrative role in Microsoft 365 are required to use Microsoft MFA. ITS recommends the Microsoft Authenticator app, which is available on iOS and Android, but staff also have the option of purchasing a physical security key, which removes the need to enter their password. Follow this guide to set up a physical security key.

ITS recommends that you use the Microsoft Authenticator App instead of a physical security key. To learn about the app, visit Microsoft MFA Enrollment.

Security keys must meet the FIDO2 specification to be used with Microsoft Multi-Factor Authentication. Compatibility must be verified with the manufacturer. YubiKeys by Yubico are a popular brand, and a compatibility list can be found here: Compatible YubiKeys

If you receive an error relating to an AAGUID or compatibility, please open a ticket with ITS.
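The AAGUID in that error is a 16-byte identifier of the key model, which the key returns inside the WebAuthn authenticator data when it is enrolled; Microsoft Entra ID lets an administrator restrict enrollment to approved AAGUIDs, so a key that is not on the allow-list is rejected at this point. The following Python is an added illustration, not part of this guide and not Microsoft's or Yubico's code: it parses the fixed-layout fields of authenticator data and checks the AAGUID, the relying party hash and the user-verification flag the way a relying party would during registration. The two AAGUID values, the credential id and the sample bytes are constructed placeholders, not real key models.

```python
import hashlib
import struct
import uuid

# Bits of the flags byte in WebAuthn authenticator data (WebAuthn spec, section 6.1)
FLAG_UP = 0x01  # user present (the key was touched)
FLAG_UV = 0x04  # user verified (PIN or biometric checked by the key)
FLAG_AT = 0x40  # attested credential data (AAGUID, credential id, public key) follows

# Placeholder AAGUIDs; neither is a real manufacturer value.
ALLOWED_AAGUID = uuid.UUID("00000000-0000-4000-8000-000000000001")
UNKNOWN_AAGUID = uuid.UUID("00000000-0000-4000-8000-0000000000ff")


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed-layout fields of authenticator data.

    Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) |
            [aaguid (16) | credentialIdLength (2) | credentialId | COSE public key (CBOR)]
    The bracketed part is present only when the AT flag is set. The COSE key is
    left unparsed because the AAGUID check does not need it.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_end = 55 + cred_len
        if len(auth_data) < cred_end:
            raise ValueError("credential id truncated")
        parsed["credential_id"] = auth_data[55:cred_end]
    return parsed


def check_enrollment(auth_data: bytes, rp_id: str, allowed_aaguids: set) -> list:
    """Return the reasons a registration should be rejected (empty list means accept)."""
    parsed = parse_authenticator_data(auth_data)
    problems = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append(f"rpIdHash does not match {rp_id}")
    if parsed["aaguid"] is None:
        problems.append("no attested credential data in registration")
    elif parsed["aaguid"] not in allowed_aaguids:
        problems.append(f"AAGUID {parsed['aaguid']} is not an approved key model")
    if not parsed["user_verified"]:
        problems.append("user verification (PIN) was not performed")
    return problems


def build_sample_auth_data(aaguid: uuid.UUID, rp_id: str = "login.microsoft.com",
                           flags: int = FLAG_UP | FLAG_UV | FLAG_AT) -> bytes:
    """Constructed sample authenticator data, shaped like what a key returns during
    the enrollment steps in this guide. The credential id and the trailing empty
    CBOR map (standing in for the COSE public key) are placeholders."""
    credential_id = b"\x11" * 16
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", 0)
            + aaguid.bytes
            + struct.pack(">H", len(credential_id))
            + credential_id
            + b"\xa0")


if __name__ == "__main__":
    good = build_sample_auth_data(ALLOWED_AAGUID)
    print("approved key:", check_enrollment(good, "login.microsoft.com", {ALLOWED_AAGUID}))
    unknown = build_sample_auth_data(UNKNOWN_AAGUID)
    print("unknown key:", check_enrollment(unknown, "login.microsoft.com", {ALLOWED_AAGUID}))
```

The check of the UV flag is why step 7 below asks for a PIN: a relying party that requires user verification rejects a registration where the key only recorded a touch.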

This guide is confirmed to work on Windows 11 and Windows 10 computers and has not been tested on other Windows versions or on other operating systems, such as Linux.

Enroll in Microsoft MFA with a FIDO2 Security Key

An existing Microsoft MFA method is required before a security key can be enrolled. If you prefer not to use the Microsoft Authenticator app, you may request a Temporary Access Pass by emailing techsupport@uconn.edu with the subject “MS MFA Temp Access Pass Request”. If you already have an existing Microsoft MFA method, skip to step 4.

  1. Navigate to https://mysignins.microsoft.com/security-info with your Microsoft 365 admin account (NetIDAdmin).

  2. If you do not have an existing Microsoft MFA configuration, you will only see Password as a listed method.

    The Microsoft security info section only showing a Password as a sign-in method

  3. Click Add sign-in method and choose Authenticator App. For detailed instructions on setting up the Authenticator App, view the instructions on this guide.

    A small window prompting you to select a multi-factor authentication method, with a drop-down menu

  4. Return to https://mysignins.microsoft.com/security-info, click Add sign-in method, and choose Security key.

    A small window saying To set up a security key, you need to sign in with two-factor authentication

  5. Depending on the type of security key you have, choose USB device or NFC device.

    USB security keys are more compatible in certain scenarios, such as Remote Desktop sessions.

    Small window with choices of USB device or NFC device

  6. Choose Security key in the Windows prompt.

    Window asking where to save the passkey, showing options for mobile device or security key

    1. On Windows 10, choose “Save another way” in the bottom left of the prompt, choose “Use an external security key” on the screen that follows, then choose Security key.

      A small window prompting you to Choose where to save your passkey for login.microsoft.com, with Use a phone, tablet or security key, or Use an external security key as options

  7. Provide a PIN that will be stored on your security key for later use.

    Window saying Continue setup, prompting the user to enter and confirm a security key PIN

  8. You will be prompted to touch or otherwise interact with your security key to complete the setup. Once you see the confirmation below stating “You’re all set!”, you have successfully enrolled in Microsoft MFA using a security key.

    Window detailing that the setup was successful

  9. The next time you sign in to a Microsoft service with your admin account, you will be prompted for your password. Choose the “Use your face, fingerprint, PIN, or security key instead” option to use your security key. After doing so, you will be prompted to use your security key on subsequent logins by default.

Related Guides