8 October, 2022

Where can I use Passkeys?

This article was written to help IT and Security specialists understand where Passkeys are currently supported, and how to enable it.

I expect things to change pretty quickly, so if you're interested in Passkeys, you might want to check the Changelog and check back often.

What do I need to do?

First, you will need a compatible browser, which means Google Chrome on Windows, Linux, or macOS; Microsoft Edge on Windows or macOS; or Safari on macOS 13 or later.

Firefox doesn't currently support the CTAP2 specification. You can track Firefox support on the meta ticket: Bugzilla #1530370

Second, you will need a compatible phone: which means a device running iOS 16, or Android 13.

As you setup Passkeys, I strongly recommend also setting up a traditional Yubikey (either the 5 Series, or Security Key 2), so that you can test Passkeys, USB, and NFC login use cases; but that's completely up to you.

What Services support Passkeys?

In the below table, the columns mean:

  • FIDO2 Support means that the service has basic support for FIDO2/WebAuthn, and will work with a Yubikey Security Key 2
  • Passkeys means that the service works with Passkeys. In theory, all services that support FIDO2/WebAuthn should support Passkeys, but I've found some currently don't.
  • Passwordless means that you can login without needing to type a password first. At some point, this will be extended to mean removing password authentication from the service, and only login with FIDO2 (either through Yubikeys or Passkeys).
Service FIDO2 Support? Passkeys? Passwordless?
Work Accounts
Okta
Auth0
Azure AD
Personal Accounts
Windows Live
Google
Apple ID
Social Media
Facebook
Twitter
Developer Tools
GitHub

Note: I have purposefully ordered this table by the services that get the most green ticks first. Big props to Auth0, Okta, and Microsoft for leading the way!

Setup instructions

Azure AD

Enrolling Passkeys is not currently supported for Azure AD. It gets close, but at the last stage it stops with an obscure error.

Setting up FIDO2 Security keys is a 3 step process:

  1. In the Azure AD portal, ensure the combined security information registration experience is enabled in the Azure AD User settings
  2. Enable the FIDO2 Security Key option in the Authentication Methods settings
  3. Ensure this method is Enabled for your target users, and on the Configure tab, ensure that Enforce attestation and Enforce key restrictions is set to No. As of 2022-10-04, passkeys do not support attestation; iOS 16.0 returns an AAGUID of 00000000-0000-0000-0000-000000000000.
  4. As a user, head to https://aka.ms/mfasetup and follow the prompts to enrol a FIDO2 Security Key.

Okta

Following the instructions in the Okta Webauthn documentation, the steps to enable FIDO2 roughly follow:

  1. Make sure that the FIDO2 Multifactor Type is Active, and that the FIDO2 is Available or Required in the Factor Enrolment policy
  2. In the Sign-on Authentication Policy, that either users will authenticate with Password + Any Authenticator, or that FIDO2 is available as an OR option in the Authentication Sequence
  3. (optionally) To enable a Passwordless experience, create a Sign-on Authentication Policy that only has FIDO2 in the Factor Sequence

Auth0

Note: Using WebAuthn on Auth0 for user sign-on requires an Enterprise plan, but it seems to work without one in Development accounts.

  1. Go to Security > Multi-factor Auth, and enable the WebAuthn with FIDO Security Keys option.
  2. (optionally) To enable a Passwordless experience, set the Authentication Profile to Identifier First + Biometrics

Auth0 doesn't have a end-user login portal, so the easiest way to test this is to setup a SPA application with https://openidconnect.net/

Windows Live

Simply head to https://account.live.com/proofs/Manage/additional, click Add a new way to sign in or verify, select Security Key, and away you go!

Google

Google still prefer users use their Smart Lock app for mobile sign-on, and don't currently support FIDO2. FIDO2 Security Keys still work, by falling back to the original FIDO CTAP1.

If you go to https://myaccount.google.com/two-step-verification/security-keys, click Add security key, and then select Physical USB or NFC key, the site tries to use the original CTAP1 API, which doesn't work with Passkeys.

Facebook

Go to https://www.facebook.com/security/2fac/settings/, next to Security Key click Set Up, and follow the prompts.

Twitter

Go to https://twitter.com/settings/account/login_verification, enable Security key, and follow the prompts to enrol a new key.

Changelog

  • 2022-10-08 initial article.
Tagged: