FIDO2 Security Key Enrollment for Microsoft MFA on Windows

Owned by Joshua Jones
Last updated: Oct 09, 2024
3 min read

Staff who have an administrative role in Microsoft 365 are required to use Microsoft MFA. ITS recommends the use of Microsoft’s Authenticator App which is available on iOS and Android, but staff also have the option of purchasing a physical security key that will negate the need for entering their password. Follow this guide to setup a physical security key.

ITS recommends that you use the Microsoft Authenticator App instead of a physical security key. To learn about the app, visit .

Security Keys must meet the FIDO2 specification for use with Microsoft Multi-Factor Authentication. Compatibility must be verified with the manufacturer. “YubiKeys” by Yubico are a popular brand, and a compatibility list can be found here: Compatible YubiKeys

If you receive an error relating to an AAGUID or compatibility, please open a ticket with ITS

This guide is confirmed to work with Windows 11 and Windows 10 computers and has not been tested on other Windows versions or other operating systems, such as Linux.

Enroll in Microsoft MFA with a FIDO2 Security Key

  1. Navigate to https://mysignins.microsoft.com/security-info with your Microsoft 365 admin account (NetIDAdmin)

  2. If you do not have an existing Microsoft MFA configuration, you will only see Password as a listed method.

    The Microsoft security info section only showing a Password as a sign-in method

  3. Click Add sign-in method and choose Authenticator App. For detailed instructions on setting up the Authenticator App, view the instructions on this guide. If you do not prefer to use the Microsoft Authenticator app, you may choose another available method.

    A small window prompting you to select a multi-factor authentication method, with a drop down menu

  4. Return to https://mysignins.microsoft.com/security-info, click Add sign-in method, and choose Security key

  5. Depending on the type of security key you have, choose a USB or NFC device

  1. Choose Security key in the Windows prompt

    1. On Windows 10, choose “Save another way” in the bottom left of the prompt, choose “Use an external security key” on the screen that follows, then choose Security key

  2. Provide a PIN that will be stored in your security key for later use

  3. You will be prompted to touch / interact with your security key to complete the setup. Once you see the below confirmation stating “You’re all set!”, you have successfully enrolled in Microsoft MFA using a security key.

  1. The next time you sign-in to a Microsoft service with your admin account, you will be prompted for your password. Choose the “Use your face, fingerprint, PIN, or security key instead” option to use your security key. After doing so, you will be prompted to use your security key on subsequent logins by default.

Related Guides