Microsoft Authenticator - Device-bound Passkey

A device‑bound passkey stored locally in Microsoft Authenticator app on your mobile device is tied to a single device or authenticator instance and does not sync, meaning it must be re‑registered on each new device. It uses biometrics or a PIN to prove your identity and is resistant to phishing while providing tighter control than synced passkey by keeping the credential confined to one device. 

To use a passkey stored in MS Authenticator app on either a University-owned or a personal smartphone or tablet used for work or school you will need to:

  • ensure your device is running Android 14 or newer, or iOS/iPad OS 17 or newer
  • enroll device in Intune, if not already enrolled
  • install MS Authenticator app and link it to your University account, if not already installed and linked
  • configure MS Authenticator as a preferred service for passkeys 
  • generate the passkey for your UWin Account

You will need to be at a computer and have your mobile device with you to set up this option.

Personal devices used for work
The prerequisite for this setup is that your mobile device has to be enrolled in Intune. If you are already using MS Authenticator app on your device for MFA but it is not yet enrolled in Intune, you will be prompted to do so during this setup. Enrolling your personal device in Intune splits it into two zones: Personal and Work. Only the work space is managed by IT Services using Intune. Your personal apps, photos, texts, call history, and browsing are not visible to the University.
Android: all personal devices are enrolled this way by default
iOS/iPadOS: Intune enrolment with personal/work profile is available upon request. 

 

Step 1: Install Microsoft Authenticator on your phone

If this app is not yet installed on your mobile device because it was not enrolled in Intune:

  1. Open the app store:
    • iPhone: App Store
    • Android: Google Play Store
  2. Search for Microsoft Authenticator
  3. Install the app published by Microsoft Corporation
  4. Open the app once installation is complete
  5. Tap Allow to allow the app to send your notifications
  6. Tap Accept to acknowledge Microsoft's privacy statement
  7. Tap Continue on the next screen; this will bring you to a screen with three buttons
  8. Tap Add work or school account button

You should now see a box with two options: "Scan a QR" code and "Sign in." Put your phone down for now and switch to your computer. 

  1. On your computer, open a web browser
  2. Go to: myprofile.microsoft.com
  3. Sign in using your work or school account
  4. If prompted, complete any existing MFA challenge

You should now see the Security info page where you will need to add Microsoft Authenticator as a sign‑in method:

  1. On the Security info page, select Add sign‑in method
  2. From the list, choose Microsoft Authenticator

    Uploaded Image (Thumbnail)
     
  3. Click Next on Install Microsoft Authenticator screen
  4. Click Next on Setup your account in app screen
  5. Go back to you phone and tap Scan a QR code option
  6. Tap While using this app to allow Authenticator app to take pictures and record video
  7. Use your phone, to scan the QR code shown on your computer screen
  8. Tap OK on App Lock Enabled screen on your phone
  9. Click Next 
  10. Enter the number shown on your computer screen in the box on Are you trying to sign in screen on your phone and tap Yes 
  11. Tap Done on Authenticator added screen on your computer

✅ Microsoft Authenticator is now registered for MFA in your University of Windsor Microsoft work/school account (UWin Account).

Print Article

Related Articles (1)

Microsoft Authenticator - Overview
Microsoft Authenticator is a free mobile app from Microsoft for iPhone, iPad, and Android devices that helps protect your UWin Account (Microsoft work/school account). Passwords alone are no longer enough to keep accounts secure. Microsoft Authenticator adds an extra layer of protection that helps prevent unauthorized access, even if someone else knows your password.