Roll out FIDO2 Security Keys

Implementation Effort: High – Deploying FIDO2 security keys requires configuring Microsoft Entra ID policies, distributing hardware tokens, and coordinating user onboarding and support.

User Impact: Medium – Subset of users (e.g. Users with high privileged) must register and learn to use new hardware-based sign-in methods, requiring training and communication.

Overview

Rolling out FIDO2 security keys introduces a phishing-resistant, passwordless authentication method that enhances security and user experience. FIDO2 keys use public-key cryptography, allowing users to authenticate without passwords by using a physical device like a USB key, which can include biometrics or PINs. This aligns with Zero Trust principles by enforcing strong, hardware-backed credentials ("Verify explicitly") and reducing reliance on passwords, which are susceptible to phishing attacks ("Assume breach").

To implement FIDO2 keys, administrators must enable the authentication method in Microsoft Entra ID, configure Conditional Access policies to enforce their use, and guide users through the registration process. Users can register their FIDO2 keys by navigating to their security info page and adding a new sign-in method .

Neglecting to deploy FIDO2 keys may leave the organization vulnerable to credential-based attacks and hinder progress toward a passwordless, Zero Trust security model.

Reference

• Passwordless authentication options for Microsoft Entra ID
• Plan a phishing-resistant passwordless authentication deployment
• Support for FIDO2 authentication with Microsoft Entra ID
• Enable passkeys (FIDO2) for your organization
• Register a passkey (FIDO2) with a FIDO2 security key