Microsoft Authenticator and Passkey (FIDO2)
Microsoft Authenticator and Passkey (FIDO2) are two authentication methods in Microsoft Identity and Access Management that strengthen sign-in and enable passwordless access.

**Microsoft Authenticator** is a mobile application for iOS and Android that supports several authentication scenarios: passwordless phone sign-in, multi-factor authentication (MFA) via push notification, and software OATH time-based one-time passcodes (TOTP). When it is enabled as an authentication method in Azure AD (now Microsoft Entra ID), users approve sign-in requests through push notifications, enter TOTP codes, or unlock the app with the device's biometric or PIN. Number matching is enforced in push prompts, and administrators can add context (application name and sign-in location) to the notification to blunt MFA fatigue attacks. The app can also hold device-bound passkeys, which makes it a versatile part of an organization's authentication strategy.

**Passkey (FIDO2)** is based on the FIDO2 (Fast Identity Online 2) standard, which uses public-key cryptography to provide strong, phishing-resistant authentication. FIDO2 security keys are usually physical devices (USB, NFC, or Bluetooth keys from vendors such as Yubico or Feitian) that hold the credentials. At registration a public-private key pair is generated; the private key stays on the authenticator and only the public key is registered with Microsoft Entra ID. Signing in requires possession of the key plus a PIN or biometric gesture on it (user verification), so a single gesture satisfies two factors.
Both methods are configured through the **Authentication Methods** policy in the Microsoft Entra admin center. Administrators can target specific user groups, configure settings like attestation enforcement for FIDO2 keys, and restrict allowed key types. These methods significantly reduce the risk of credential theft, phishing, and replay attacks compared to traditional passwords, aligning with Microsoft's Zero Trust security model and modern access management best practices.
Microsoft Authenticator and Passkey (FIDO2): A Complete Guide for SC-300
Why Is This Important?
Passwords have long been the weakest link in identity security. They can be phished, guessed, sprayed, or stolen through database breaches. Microsoft Authenticator and Passkey (FIDO2) represent the evolution toward passwordless authentication, a core objective of modern Zero Trust architectures. For the SC-300 (Microsoft Identity and Access Administrator) exam, understanding these technologies is critical because they sit at the heart of implementing strong authentication and access management in Microsoft Entra ID (formerly Azure AD). Microsoft is actively pushing organizations toward passwordless methods, making this a heavily tested topic.
What Is Microsoft Authenticator?
Microsoft Authenticator is a mobile application (available on iOS and Android) that serves multiple authentication purposes:
1. Passwordless phone sign-in – Users receive a number-matching push notification and approve the sign-in using biometrics or a PIN on their device.
2. Push notification MFA – A second-factor verification method where users approve or deny a sign-in attempt.
3. OATH TOTP codes – Time-based one-time passcodes generated within the app, similar to other authenticator apps.
4. Passkey provider – Starting in 2024, the Authenticator app can also store and use device-bound passkeys (FIDO2 credentials).
When configured for passwordless sign-in, the Authenticator app registers the device with Microsoft Entra ID and ties a cryptographic key pair to the device and the user's biometric or PIN. The private key never leaves the device, and the public key is stored in Entra ID. This eliminates the password from the authentication flow entirely.
What Is Passkey (FIDO2)?
FIDO2 (Fast Identity Online 2) is an open authentication standard developed by the FIDO Alliance and the W3C. It enables passwordless, phishing-resistant authentication using public-key cryptography. A FIDO2 credential is often referred to as a passkey.
FIDO2 consists of two components:
- WebAuthn (Web Authentication API) – A browser/platform API that allows websites and applications to use public-key credentials.
- CTAP2 (Client to Authenticator Protocol) – The protocol that enables external authenticators (such as USB security keys, NFC devices, or Bluetooth authenticators) to communicate with the client platform.
In the Microsoft ecosystem, FIDO2 credentials can be held by:
- Roaming hardware security keys (e.g., YubiKey, Feitian, AuthenTrend) – physical USB, NFC, or Bluetooth devices that travel between computers.
- Device-bound passkeys in Microsoft Authenticator – FIDO2 credentials stored on the phone, used either on the phone itself or from another computer through the cross-device flow (QR code plus Bluetooth proximity). Windows Hello for Business is also a platform authenticator built on the same public-key model, but Entra ID manages it as its own authentication method rather than under the Passkey (FIDO2) policy.
How Does FIDO2 Authentication Work?
1. Registration: The user registers a FIDO2 security key or passkey with Microsoft Entra ID. A unique public-private key pair is generated. The private key stays on the authenticator device, and the public key is registered in Entra ID.
2. Authentication: When signing in, the user inserts or taps their security key (or uses their platform authenticator). The service sends a fresh cryptographic challenge. The authenticator signs the challenge, together with data identifying the relying party and the browser origin, using the private key, after confirming user presence (a touch) and, where required, user verification (PIN or biometric).
3. Verification: Entra ID verifies the signed challenge using the stored public key. If valid, the user is authenticated — no password is transmitted or stored.
This process is phishing-resistant because the credential is scoped to the relying party's domain: the browser only offers credentials registered for the site it is actually on, and the signed response includes the origin the browser saw, so a look-alike domain can neither obtain a valid response nor forward one. Because each response signs a fresh server-issued challenge, a captured response cannot be replayed either.
How to Configure These Methods in Microsoft Entra ID
1. Navigate to Microsoft Entra admin center → Protection → Authentication methods → Policies.
2. Enable Microsoft Authenticator and configure it for the target users or groups. Under the configuration, you can set the authentication mode to Passwordless, Push, or Any. You can also enable number matching (now enforced by default) and additional context (application name and geographic location shown in the notification).
3. Enable Passkey (FIDO2) for target users or groups. You can optionally enforce key restrictions using AAGUIDs (Authenticator Attestation GUIDs) to allow or block specific FIDO2 key models. You can also enable self-service registration.
4. Users register their methods via https://mysecurityinfo.microsoft.com or during a combined registration experience.
Key Differences Between Microsoft Authenticator and FIDO2 Security Keys
- Form factor: Authenticator is a mobile app; FIDO2 keys are typically physical hardware tokens (though passkeys in Authenticator blur this line).
- Dependency: Authenticator needs a smartphone with the app installed and network connectivity, because the push notification has to reach the phone. A FIDO2 key needs neither a phone nor any connectivity of its own; it only needs a client (PC and browser) that can reach Entra ID.
- Platform support: FIDO2 keys work across platforms (Windows, macOS, Linux, mobile) via USB/NFC/BLE. Authenticator passwordless sign-in is tied to the mobile device where the app is installed.
- Phishing resistance: FIDO2 security keys and passkeys in Authenticator are phishing-resistant because the credential is bound to the domain. Authenticator push and passwordless phone sign-in are not: a user can still approve a prompt, or enter the matching number, for a sign-in that an attacker is relaying in real time. Microsoft's built-in Phishing-resistant MFA authentication strength reflects exactly this distinction.
- Shared device scenarios: FIDO2 security keys are ideal for shared workstation environments (e.g., frontline workers, healthcare, manufacturing) because the key is portable and not tied to a personal phone.
Passkeys in Microsoft Authenticator
Microsoft now supports device-bound passkeys stored in the Microsoft Authenticator app. This combines the convenience of the Authenticator app with the FIDO2 standard. These passkeys are:
- Device-bound (not synced across devices, unlike some consumer passkey implementations).
- Registered as FIDO2 credentials in Entra ID.
- Usable for cross-device authentication scenarios using QR codes and Bluetooth proximity.
Conditional Access Considerations
- You can require authentication strength in Conditional Access policies. Microsoft provides built-in authentication strengths like Passwordless MFA and Phishing-resistant MFA.
- Phishing-resistant MFA authentication strength includes Passkey (FIDO2) credentials (security keys and passkeys in Microsoft Authenticator), Windows Hello for Business, and multifactor certificate-based authentication, but not Authenticator push notifications or passwordless phone sign-in.
- Passwordless MFA authentication strength includes FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator passwordless phone sign-in.
- You can also create custom authentication strengths to specify exactly which methods are acceptable.
Prerequisites and Requirements
- Microsoft Authenticator passwordless: Requires Microsoft Entra ID (any edition supporting MFA), the Authenticator app registered with push notifications, and the device must have a screen lock (biometric or PIN).
- FIDO2 security keys: Require a FIDO2-compatible key, a supported browser (Edge, Chrome, Firefox, Safari), and Windows 10 version 1903+ for native Windows sign-in. For Entra joined or hybrid Entra joined devices, additional requirements may apply.
- Both methods are registered through the combined security information registration experience (My Security Info), which is enabled by default in current tenants.
Common Scenarios Tested on the Exam
- Choosing the correct authentication method for frontline/shared device workers (answer: FIDO2 security keys).
- Configuring authentication method policies for specific groups.
- Understanding the difference between MFA push notifications and passwordless phone sign-in in the Authenticator app.
- Knowing which methods qualify as phishing-resistant MFA.
- Restricting FIDO2 keys by AAGUID.
- Understanding how number matching and additional context improve security in Authenticator push notifications.
Exam Tips: Answering Questions on Microsoft Authenticator and Passkey (FIDO2)
1. Know the authentication strengths: When a question asks for phishing-resistant MFA, remember that only FIDO2 credentials (security keys and passkeys stored in Microsoft Authenticator), Windows Hello for Business, and certificate-based authentication qualify. Microsoft Authenticator push notifications (even with number matching) are not phishing-resistant. Authenticator passwordless phone sign-in is passwordless but not classified as phishing-resistant in the built-in strength definitions.
2. Shared device scenarios = FIDO2 keys: If the question describes kiosk workers, frontline workers, or shared workstation environments, FIDO2 hardware security keys are almost always the correct answer because they are portable and do not require a personal smartphone.
3. AAGUID restrictions: If a question mentions limiting which FIDO2 keys can be used, the answer involves configuring key restrictions using AAGUIDs in the FIDO2 authentication method policy.
4. Number matching is now default: Questions about reducing MFA fatigue attacks (accidental approvals) should reference number matching and additional context in Authenticator push notifications.
5. Registration location: Users register authentication methods at https://aka.ms/mysecurityinfo (My Security Info). Administrators configure policies in the Entra admin center under Protection → Authentication methods.
6. Conditional Access + Authentication Strength: When a question requires enforcing specific authentication methods, the answer is to use a Conditional Access policy with a Require authentication strength grant control, not just Require MFA (which accepts any MFA method).
7. Differentiate Authenticator modes: The Authenticator app can operate in three classic modes (OATH TOTP, push notification MFA, and passwordless phone sign-in) and can additionally hold passkeys (FIDO2), which register under the Passkey (FIDO2) policy rather than the Authenticator policy. Questions may test whether you can distinguish these. Passwordless phone sign-in is enabled separately (authentication mode Passwordless or Any in the policy) and provides a different user experience: number matching is integral, and no password is entered.
8. Device-bound vs. synced passkeys: Microsoft Entra ID supports device-bound passkeys (stored on a specific device or security key). Be cautious about questions mentioning synced passkeys — Microsoft's implementation in Authenticator uses device-bound passkeys for enterprise scenarios.
9. Migration strategy: If a question discusses moving from passwords to passwordless, the typical Microsoft-recommended approach is: enable MFA first → roll out Authenticator passwordless or FIDO2 → use authentication strengths in Conditional Access to enforce passwordless → eventually disable password as a method.
10. Read carefully for licensing and hybrid requirements: FIDO2 sign-in to hybrid Entra joined devices requires specific configurations (Entra Kerberos). If a question describes an on-premises or hybrid scenario with FIDO2, look for whether Entra Kerberos or Azure AD Kerberos trust is mentioned.
By mastering these concepts, you will be well-prepared to handle any SC-300 exam question related to Microsoft Authenticator and Passkey (FIDO2) authentication methods.