Advanced guide to setting up passkeys on Google, Microsoft, and Apple

Last update: 16/01/2026
Author Isaac
  • Passkeys replace passwords with FIDO2 public-key cryptography unlocked by biometrics or the device PIN, removing the shared secret that phishing and credential-stuffing attacks depend on.
  • Microsoft integrates passkeys into Entra ID, Microsoft Authenticator and FIDO2 security keys, with fine-grained control through AAGUID allow lists, attestation enforcement and authentication strengths applied by Conditional Access.
  • Apple stores passkeys in iCloud Keychain and syncs them across iPhone, iPad and Mac, while Google Password Manager and third-party password managers cover cross-platform use.
  • Connectivity (Bluetooth and the allowed cable/Apple domains) and tidy handling of locally created keys in Authenticator prevent most registration and cross-device sign-in failures.

 


In a very short time, passkeys have gone from being almost experimental to becoming the standard that Google, Microsoft and Apple are pushing to leave traditional passwords behind. If you use Android, iOS, Windows or macOS, you have almost certainly seen a prompt to create a passkey, although it is not always clear what a passkey is or how to configure it properly in each ecosystem.

In this guide we take a clear look at how passkeys work and how to configure them step by step on Google, Microsoft and Apple, including Microsoft Authenticator, FIDO2 security keys (such as YubiKey) and iCloud Keychain on iPhone. We also cover requirements, the settings that matter (Bluetooth, AAGUIDs, policies in Microsoft Entra ID), common problems and how to resolve them, so you can benefit from their security without getting bogged down.

What are passkeys and why are they more secure than passwords?

A passkey is an authentication credential based on public-key cryptography that lets you prove your identity without remembering or typing a password. Instead of sending a secret to the server, your device generates a key pair: a public key, which is stored by the service, and a private key, which is kept in the secure storage of your phone, computer, security key or a compatible password manager.

When you sign in with a passkey, the service sends your device a random challenge, which the device signs with the private key after verifying you locally with biometrics (fingerprint, Face ID, Windows Hello), the device PIN or similar. The server checks the signature against the public key already associated with your account and, if it verifies, grants access. The important point is that the private key is never sent to the service, so it cannot be leaked in a breach of that service. (Passkeys synced through iCloud Keychain or Google Password Manager are copied between your own devices, end-to-end encrypted by the provider, but still never reach the relying party.)

This model drastically reduces the risk of credential theft and phishing. A copy of your public key is useless to an attacker, and a lookalike website cannot obtain a usable signature: the browser only offers a passkey to the domain it was registered for, and the data that gets signed includes the real origin the user is on, so a signature produced on a fake site is rejected by the real one. Password reuse also stops being a problem, because each passkey is bound to a specific site or app.

Passkeys also provide multi-factor authentication (MFA) natively and almost invisibly: something you have (the device or FIDO2 token) and something you are or know (biometrics or the device PIN) are combined in a single gesture. There are no SMS codes to copy and no authenticator app to open to type a number; everything is resolved on the device.

The adoption is clear: Apple, Google, and Microsoft have reached an agreement through the FIDO Alliance so that these credentials work interoperably, and there are already hundreds of millions of Google and Microsoft accounts using passkeys, along with services like HubSpot or password managers that have also joined this standard.


Basic requirements for using passkeys on Google, Microsoft, and Apple

Although the concept is the same across platforms, each ecosystem has specific technical requirements that must be met for everything to work, especially with Microsoft Authenticator and cross-device use.

For Microsoft Entra ID (formerly Azure AD) and Microsoft Authenticator, at a minimum you need:

  • MFA enabled for the accounts that will register passkeys: registering a passkey requires a session that has already satisfied MFA.
  • Up-to-date mobile devices: Android 14 or later, iOS 17 or later (iOS 18 is preferable for the current AutoFill settings).
  • For cross-device registration and authentication (for example, signing in on a PC with a passkey stored on the phone), Bluetooth and an active Internet connection on both devices. Bluetooth is used for the proximity check and the Internet connection for the hybrid (caBLE) tunnel between the two devices.

Many organizations restrict Bluetooth usage and limit outbound traffic to specific domains, which can break the cross-device flow if the network policy is not adjusted. To enable cross-device registration and sign-in with FIDO2 passkeys, the organization must allow direct connectivity, without TLS inspection or proxies injecting certificates, to:

Platform and required URLs
  • Android: cable.ua5v.com
  • iOS: cable.auth.com, app-site-association.cdn-apple.com, app-site-association.networking.apple

If your company uses proxies, traffic inspection or very aggressive firewalls, these domains must be explicitly excluded from inspection and allowed directly; otherwise cross-device passkey flows fail without any clear error for the user. A quick check from the corporate network is to inspect the TLS certificate presented by each host (for example with openssl s_client) and confirm that it chains to a public CA rather than to your inspection proxy's internal CA.

Configure passkeys in Microsoft: Entra ID, Authenticator, and FIDO2 keys

Microsoft has invested heavily in passkeys, integrating them with Entra ID, Microsoft Authenticator and FIDO2 security keys, so you can sign in without a password to apps such as Microsoft 365, Copilot, Teams or Outlook in supported browsers.

1. Enable FIDO2 passkeys in Microsoft Entra ID (admin center)

If you are an Entra ID administrator, the first step is to enable the "Passkey (FIDO2)" authentication method for the users or groups who will use it:

  1. Open the Microsoft Entra admin center and sign in with at least the Authentication Policy Administrator role.
  2. Go to Entra ID > Authentication methods > Policies (the authentication methods policy).
  3. Select the Passkey (FIDO2) method and choose whether it applies to All users or to selected groups (only security groups can be targeted).
  4. In the Configure tab, check these settings:
  • Allow self-service set up: set to Yes so users can register their own passkeys from Security info. If left at No, the method is enabled in policy but nobody can register it on their own.
  • Enforce attestation: Yes or No. With Yes, Entra ID validates that the passkey was created on a legitimate device or app (for example in Microsoft Authenticator, checking against Apple and Google attestation services). Note that the cross-device registration flow does not support attestation; attested passkeys can only be registered directly from the Authenticator app.
  • Key restrictions: controls which authenticator models can be registered and used. With Enforce key restrictions set to No, users can register any compliant passkey, including those created in Authenticator. With Yes, you must define which AAGUIDs (FIDO2 authenticator model identifiers) are allowed or blocked.

To restrict registration to passkeys created in Microsoft Authenticator, configure the policy to allow only the following AAGUIDs:

  • Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
  • Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f

If you choose "Restrict specific keys" in Allow mode and tick "Microsoft Authenticator", the admin center adds these two AAGUIDs automatically. You can also add them manually, alongside other AAGUIDs already in use (for example the hardware key models you have issued). Note: if you remove a previously allowed AAGUID, users who registered a passkey with that authenticator can no longer sign in with it, so check which AAGUIDs are actually registered in your tenant before tightening the list.

When you are done, click Save. If saving fails when multiple groups are targeted, apply the change to one group at a time and repeat until the configuration is complete.

2. Manage the FIDO2 policy with Microsoft Graph

Besides the admin center, you can manage the FIDO2 policy through Microsoft Graph, which is useful for automating deployments or keeping policy changes under version control.

From Graph Explorer, after consenting to the Policy.Read.All and Policy.ReadWrite.AuthenticationMethod permissions, you can:

  1. Retrieve the current FIDO2 policy configuration with:
    GET https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2
  2. Update the policy with a PATCH, for example to enforce attestation and restrict keys to the Authenticator AAGUIDs:

Example PATCH:
PATCH https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2
Request body:
    {
      "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
      "isAttestationEnforced": true,
      "keyRestrictions": {
        "isEnforced": true,
        "enforcementType": "allow",
        "aaGuids": [
          "90a3ccdf-635c-4729-a248-9b709135078f",
          "de1e552d-db1d-4423-a619-566b625cdc84"
        ]
      }
    }

A successful PATCH returns 204 No Content with no body, so run the GET again to verify that the policy was updated and that the Authenticator AAGUIDs appear as allowed.
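A pre-flight for the Graph PATCH above, as an added example that is neither the article's nor Microsoft's code: it builds the same request body, validates the AAGUIDs, and compares the intended allow list with the policy currently in the tenant so you can see which AAGUIDs would be removed (and therefore which existing registrations would stop working) before you apply it. The endpoint and body shape are the ones shown above; the access token is assumed to be obtained elsewhere with Policy.ReadWrite.AuthenticationMethod, the applyFido2Policy function performs the live calls and is not executed in the offline demo, and SAMPLE_CURRENT_POLICY, including its placeholder hardware-key AAGUID, is constructed for the demonstration rather than taken from a real tenant.

```javascript
// Added example (not from the article): pre-flight and apply helper for the
// Entra ID FIDO2 authentication method policy via Microsoft Graph.
const FIDO2_POLICY_URL =
  'https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2';

// Microsoft Authenticator AAGUIDs, as listed on this page.
const AUTHENTICATOR_AAGUIDS = {
  android: 'de1e552d-db1d-4423-a619-566b625cdc84',
  ios: '90a3ccdf-635c-4729-a248-9b709135078f',
};

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Builds the PATCH body shown on the page. AAGUIDs are validated and
// normalised to lower case so the comparison below is case-insensitive.
function buildFido2PolicyPatch(aaGuids, { enforceAttestation = true } = {}) {
  const bad = aaGuids.filter((g) => !GUID_RE.test(g));
  if (bad.length) throw new Error(`malformed AAGUID(s): ${bad.join(', ')}`);
  return {
    '@odata.type': '#microsoft.graph.fido2AuthenticationMethodConfiguration',
    isAttestationEnforced: enforceAttestation,
    keyRestrictions: {
      isEnforced: true,
      enforcementType: 'allow',
      aaGuids: [...new Set(aaGuids.map((g) => g.toLowerCase()))],
    },
  };
}

// Compares the live policy (from the GET) with the intended PATCH.
// "removed" lists the AAGUIDs whose existing registrations would break.
// A policy with no enforced allow list is treated as "everything allowed".
function planKeyRestrictionChange(currentPolicy, patch) {
  const cur = currentPolicy.keyRestrictions || {};
  const before = cur.isEnforced && cur.enforcementType === 'allow'
    ? new Set((cur.aaGuids || []).map((g) => g.toLowerCase()))
    : null;
  const after = new Set(patch.keyRestrictions.aaGuids);
  return {
    unrestrictedBefore: before === null,
    added: before === null ? [...after] : [...after].filter((g) => !before.has(g)),
    removed: before === null ? [] : [...before].filter((g) => !after.has(g)),
    attestationTurnedOn: !currentPolicy.isAttestationEnforced && patch.isAttestationEnforced,
  };
}

// Live flow (not run in the demo): GET, plan, refuse to PATCH if AAGUIDs would
// be removed unless the caller opts in, then re-read because PATCH returns
// 204 No Content. `accessToken` is assumed to come from your own auth code.
async function applyFido2Policy(accessToken, patch, { allowRemovals = false } = {}) {
  const headers = { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' };
  const current = await (await fetch(FIDO2_POLICY_URL, { headers })).json();
  const plan = planKeyRestrictionChange(current, patch);
  if (plan.removed.length && !allowRemovals) {
    throw new Error(`refusing to remove AAGUIDs still allowed: ${plan.removed.join(', ')}`);
  }
  const res = await fetch(FIDO2_POLICY_URL, { method: 'PATCH', headers, body: JSON.stringify(patch) });
  if (!res.ok) throw new Error(`PATCH failed: ${res.status} ${await res.text()}`);
  return (await fetch(FIDO2_POLICY_URL, { headers })).json();
}

// Constructed sample of what the GET might return: Authenticator for iOS plus
// one hardware key model (placeholder AAGUID), with attestation not enforced.
const SAMPLE_CURRENT_POLICY = {
  '@odata.type': '#microsoft.graph.fido2AuthenticationMethodConfiguration',
  id: 'Fido2',
  state: 'enabled',
  isAttestationEnforced: false,
  keyRestrictions: {
    isEnforced: true,
    enforcementType: 'allow',
    aaGuids: [AUTHENTICATOR_AAGUIDS.ios, '11111111-2222-3333-4444-555555555555'],
  },
};

// Plans the page's PATCH (Authenticator iOS + Android, attestation on)
// against the constructed current policy.
function demo() {
  const patch = buildFido2PolicyPatch([AUTHENTICATOR_AAGUIDS.ios, AUTHENTICATOR_AAGUIDS.android]);
  return planKeyRestrictionChange(SAMPLE_CURRENT_POLICY, patch);
}
```

In the constructed scenario demo() reports that the Android AAGUID is added, the placeholder hardware-key AAGUID is removed, and attestation is being switched on; that last point matters because users who registered through the cross-device flow cannot satisfy attestation, so both findings are worth reviewing before calling applyFido2Policy with allowRemovals set.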

3. Bluetooth restrictions in corporate environments

Many organizations disable or limit Bluetooth for security reasons, which breaks the cross-device passkey flow. Microsoft anticipates this and provides a Windows policy that allows Bluetooth pairing only with FIDO2 passkey authenticators, without opening the door to other, less controlled uses.

If your company is in this situation, see Microsoft's guide "Passkeys in Bluetooth-restricted environments", which explains how to allow pairing only with compatible FIDO2 devices while keeping all other restrictions in place.

4. Register and use passkeys in Microsoft Authenticator (iOS and Android)

One of the most convenient ways to use passkeys with Microsoft Entra accounts is to register them inside the Microsoft Authenticator app. This also gives you single sign-on (SSO) in native Microsoft apps (Teams, Outlook, etc.) on the same device.

Recommended flow: register by signing in to Authenticator (iOS)

On iOS, the preferred method is to sign in to Authenticator and create the passkey from within the app:

  1. Install Microsoft Authenticator from the App Store and step through the privacy screens.
  2. Depending on your case:
  • First installation: under "Secure your digital life", tap "Add work or school account".
  • App already installed but with no accounts: tap "Add account" or the + button, choose "Work or school account", then "Sign in".
  • Account already added: open it and tap "Create a passkey".

Complete the MFA your organization requires (codes, push notifications, etc.).

Set a screen lock on your iPhone if you do not already have one; it is required to use Authenticator as a passkey provider. Then enable Authenticator as a passkey provider from within the app.

On iOS 18 go to Settings > General > AutoFill & Passwords; on iOS 17 go to Settings > Passwords > Password Options. Turn on "AutoFill Passwords and Passkeys" and select Authenticator as an AutoFill source.

Back in Authenticator, tap "Done" to confirm that Authenticator is your passkey provider. The new passkey appears as a sign-in method for your account, and you can see its details from the account view.

Registering a passkey from Security info (iOS)

Another option is to start from the Security info page in a browser and let it guide you to create the passkey in Authenticator:

  1. On the same iPhone where Authenticator is installed, or on another device (for example a laptop), open a browser, go to Security info and sign in with MFA.
  2. Click "+ Add sign-in method" and choose "Passkey in Microsoft Authenticator".
  3. If prompted, click Next and complete MFA.
  4. If you do not have Authenticator yet, the wizard shows a QR code to install it from the App Store, then continues.
  5. You are prompted to open Authenticator to create the passkey. Open the app, step through the privacy screens if needed, and add your account as in the previous flow (or open the existing account and tap "Create a passkey").
  6. Complete MFA, set a screen lock if you do not have one, and enable Authenticator as your passkey provider.
  7. Check the iOS AutoFill Passwords and Passkeys settings to make sure Authenticator is selected.
  8. Return to Authenticator, tap Done and verify that the passkey is shown on the account.
  9. Return to the browser, click Next and wait for the wizard to confirm that the passkey was created.
  10. Once created, it appears in the list of methods in Security info.

Alternative flow using WebAuthn from Security info (iOS)

If you have trouble signing in to Authenticator during registration, you can use an alternative WebAuthn flow to create the passkey directly on the iOS device:

Both the device showing Security info and the iPhone need an active Internet connection and Bluetooth. In addition, the domains listed earlier (cable.ua5v.com, cable.auth.com and the Apple app-site-association hosts) must be reachable from the corporate network without inspection.

  1. In Security info, when adding a passkey in Authenticator, tap "Having trouble?".
  2. Select the option to create the passkey a different way.
  3. Choose "iPhone or iPad" and follow the on-screen steps to register the passkey on the device.

If at any point you want to go back to the original flow (through Authenticator), the same "Having trouble?" dialog offers the option to create the passkey by signing in to Authenticator.


Delete registered passkeys in Authenticator for iOS

To delete a passkey from Authenticator on iPhone, open the account, tap "Settings" and then "Delete passkey". Remember to also remove it from Security info if it still appears there.

Recommended flow: register by signing in to Authenticator (Android)

On Android, the recommended workflow is very similar to iOS:

  1. Install Microsoft Authenticator from Google Play, open it and step through the privacy screens.
  2. Add your work or school account:
  • First time: under "Secure your digital life", tap "Add work or school account".
  • App already installed without accounts: tap "Add account" or the + button, choose "Work or school account" and then "Sign in".
  • Account already added: open it and tap "Create a passkey".

Complete MFA, set a screen lock if needed, and enable Authenticator as the passkey provider. The wizard usually takes you to:

  1. Android Settings > Passwords and accounts.
  2. Under "Additional providers", make sure Authenticator is selected.

Back in Authenticator, tap "Done" to confirm. The passkey is added as a sign-in method for your account and is used alongside passwordless sign-in and MFA according to your organization's policies.

Registering a passkey from Security info (Android)

You can also start the process from Security info in the browser of your Android device or another device:

  1. On your Android device, open a browser, go to Security info and sign in with MFA.
  2. Tap "+ Add sign-in method" and select "Passkey in Microsoft Authenticator".
  3. If necessary, tap Next and complete MFA again.
  4. If you do not have Authenticator yet, you can scan a QR code to download it from Google Play.
  5. The wizard asks you to open Authenticator to create the passkey; open the app and add or select your account as before.
  6. Complete MFA, set a screen lock if there is none, and enable Authenticator as your passkey provider under Passwords and accounts > Additional providers.
  7. Return to Authenticator, tap Done and make sure the passkey is listed as a sign-in method.
  8. Return to the browser, tap Next and wait for the wizard to verify that the passkey was created.
  9. The new passkey appears in the list of methods in Security info.

Alternative flow with WebAuthn from Security info (Android)

If you cannot sign in to Authenticator to register the passkey, you can create it directly through WebAuthn:

You need Bluetooth and an Internet connection, and your organization must allow connectivity to:

  • cable.ua5v.com
  • cable.auth.com

  1. In Security info, when adding a passkey in Authenticator, tap "Having trouble?".
  2. Choose the option to create the passkey a different way.
  3. Choose "Android" and complete the guided flow to register the passkey on the device.

If you later want to return to the original flow (creating the passkey by signing in to Authenticator), you can select that path again from the same dialog.

Remove passkeys in Authenticator for Android

To delete a passkey from Authenticator on Android, tap the account name, go to "Settings" and select "Delete passkey". In most cases it is also removed from Security info; if not, go there and tap Delete.

Using FIDO2 security keys (YubiKey and similar) with Microsoft

In addition to passkeys held in Authenticator, Microsoft continues to support registering physical FIDO2 security keys, on both iOS and Android. The typical process is:

  • Open Security info from the mobile browser.
  • Select the passkey (FIDO2) / security key method.
  • In the system dialog, choose "Save another way" and then "Another device" or "USB security key", as appropriate.
  • Connect the security key (USB, NFC or Lightning), enter the key's PIN or touch its sensor, and confirm.
  • Finally, the site asks you to name the passkey for easy recognition; then tap Done.

This method is ideal if you want a factor that does not depend solely on the phone, since a YubiKey or similar can also be used with other FIDO2 services and, unlike a synced passkey, its private key is generated on and never leaves that one piece of hardware.

5. Require passkeys for sensitive resources (authentication strengths)

If you want certain critical apps in your organization to be usable only with FIDO2 passkeys, you can rely on Entra ID authentication strengths together with Conditional Access.

  1. Open the Microsoft Entra admin center and sign in as a Conditional Access Administrator.
  2. Go to Entra ID > Authentication methods > Authentication strengths.
  3. Create a new authentication strength and give it a descriptive name and, optionally, a description.
  4. Tick "Passkeys (FIDO2)" and open Advanced options.
  5. Either use the built-in Phishing-resistant MFA strength (which already includes FIDO2 passkeys) or, in your custom strength, restrict FIDO2 to specific AAGUIDs, for example the Authenticator ones:
  • Android: de1e552d-db1d-4423-a619-566b625cdc84
  • iOS: 90a3ccdf-635c-4729-a248-9b709135078f

Save the new authentication strength and reference it from a Conditional Access policy (Grant > Require authentication strength) scoped to the sensitive apps or resources where FIDO2 passkeys must be used. Test the policy in report-only mode first and keep your emergency-access accounts excluded from it.

6. Deleting passkeys from the administrator's side

If a user deletes a passkey from Authenticator, it is also removed from their sign-in methods in Entra ID. An Authentication Policy Administrator can also open the admin center, find the user, go to Authentication methods and manually delete a "Passkey" method.

Deleting the passkey from the portal does not delete the key stored in Authenticator, so unless the user also deletes it in the app, it may remain locally even though it is no longer valid for sign-in. The same applies to hardware keys: removing the method in Entra ID revokes it for sign-in, but the credential on the key itself stays there until it is deleted through the key's credential management tool or the key is reset.

How to use passkeys with Apple: iPhone, iCloud Keychain, and apps

Passkeys on iPhone and Apple

In the Apple ecosystem, passkeys live in the Passwords app (iCloud Keychain) and sync across your Apple devices through your iCloud account, so a passkey created on your iPhone is also available on your Mac, iPad, etc.

To create a passkey on a compatible website or app from your iPhone, the usual steps are:

  1. Go to the service's sign-in screen in Safari or in an app that supports passkeys and, depending on your situation:
  • If you are creating a new account, tap the Create account button or link and follow the wizard until the option to use a passkey appears.
  • If you already have an account, sign in with your username and password, go to the account or security settings and look for the option to add or manage passkeys.

When the site offers to save a passkey, tap "Continue". The passkey is created and stored automatically in the Passwords app (formerly "Passwords & Keychain" in Settings).

You can have both a password and a passkey for the same website or app; both appear grouped under the same entry in the Passwords app. When you sign in, iOS offers you the choice between the passkey and the classic password.

Apple also lets you save a passkey on a hardware security key. If you see options such as "Other options" or "Save on another device", you can redirect passkey creation to a YubiKey or another compatible FIDO2 token by following the on-screen instructions.

To use your iPhone passkeys from a Windows computer via QR code (the cross-platform scenario), the flow should work in browsers such as Edge or Chrome as long as:

  • The phone and the PC are connected to the Internet.
  • Bluetooth is active on both devices.
  • The network does not block the domains needed for the exchange (cable.ua5v.com, cable.auth.com and the Apple app-site-association hosts listed earlier).

If, after scanning the QR code on your Windows PC with the iPhone, you see a message such as "The operation couldn't be completed. Please try again", first check connectivity and Bluetooth. The cause is usually a security or network policy blocking the connection rather than the browser itself.

Passkeys in Google (Android) and third-party managers

On Android, Google integrates passkeys into Google Password Manager and also lets other passkey providers (such as certain password managers) register and sync these credentials.

When a compatible service offers to create a passkey on an Android device, you usually see a system dialog asking where to save it: in your Google account, in a third-party password manager, or on "another device" (for example a USB or NFC security key).

This flexibility lets you hold several passkeys for the same service on different authenticators: one in your Google account, another in Apple's keychain (if you also use an iPhone) and another in your password manager. All follow the FIDO2/WebAuthn standard and are bound to the same relying party, but each is a separate credential with its own key pair held by a different authenticator, so losing or revoking one does not affect the others.

Services such as HubSpot support passkeys precisely by relying on these system authenticators (Windows, macOS, compatible browsers or third-party managers). From your security panel you can:

  • Set up a personal passkey from General > Security > Set up passkeys.
  • Add more passkeys if you use several devices (for example one on your Mac and another on your Android) with "Add another passkey".
  • As a super admin, enable passkeys as an additional sign-in method for users, always keeping at least one alternative method while the feature is in beta.

Once the passkey is set up in HubSpot, you can use it in the desktop browser and in the iOS and Android mobile apps (even though it is initially created on the computer). When signing in, choose "Sign in with passkey" and confirm with biometrics or the device PIN.

Password managers that support passkeys act as a cross-platform bridge: they let you have a single passkey that works on Windows, macOS, Android and iOS regardless of ecosystem, as long as the manager is installed and unlocked on that device.

Troubleshooting common passkey problems

Although the concept greatly simplifies signing in, in practice there are several typical problems you may run into with passkeys, especially when combining devices and strict corporate networks.

In Microsoft Authenticator (iOS and Android), the passkey may be created locally but never registered on the server. This can happen if:

  • The passkey provider is blocked by policy.
  • The connection drops or times out during the process.
  • The FIDO2 policy rejects the registration, for example because the Authenticator AAGUID is not on the allow list or attestation is enforced in a flow that does not support it.

If, on retrying, you get an error saying the passkey already exists but it does not appear as a valid method in Security info, the most effective fix is usually:

  • Sign in to the Authenticator app.
  • Locate the locally created passkey.
  • Delete it from the app.
  • Restart the registration flow from scratch (from Authenticator or from Security info).

Another classic problem is cross-device passkey flows (for example QR code between iPhone and Windows) failing without a clear explanation. The cause is almost always one of:

  • Bluetooth disabled or restricted.
  • Limited Internet connectivity.
  • Required domains blocked or intercepted by the organization's network.

If you use physical FIDO2 security keys, you may also hit errors when reinserting the key or validating the PIN. Try a different port, check that the browser supports WebAuthn and that no policy or extension is blocking it, and, on a mobile device, check that the adapter (USB-C or Lightning) supports OTG or the equivalent. Keep in mind that after three consecutive wrong PIN entries a FIDO2 key must be reinserted, and after eight the PIN is locked and the key must be reset, which erases its credentials.

Finally, remember that some embedded environments, such as the browser built into the Outlook desktop app, do not yet support passkeys even when the same service accepts them in a full browser. HubSpot in the Outlook add-in is an example: the passkey works in Outlook on the web but not from the embedded browser in the desktop app.

The move to a passwordless world is being built on passkeys and is already a reality at Google, Microsoft and Apple. If you get the requirements right (MFA, Bluetooth, allowed domains), adjust the Entra ID policies, and use Microsoft Authenticator, iCloud Keychain on iPhone, and Google or third-party passkey managers, you can have a much faster, more convenient and phishing-resistant sign-in, with passwords left as a fallback rather than the primary access method.