Known Issue: "Insert your security key into the USB port" message

Users who have added a passkey to their MFA authentication options and are subject to a Conditional Access policy that requires phishing-resistant authentication cannot complete the MFA challenge in certain scenarios:

  • When signing in to a cloud app on a corporate Intune-managed shared PC or a personal (BYOD) PC
  • When enrolling a personal device in Intune using the Company Portal

In some cases, users are not offered the option to authenticate using their passkey on their smartphone during MFA. Instead, they are prompted to use a security key, which they do not have.

During authentication, the MFA prompt "Verify your identity" includes only one option, "Face, fingerprint, PIN or security key", and does not include a link to "Sign in another way."

After selecting "Face, fingerprint, PIN or security key", the user is prompted with the message "Insert your security key into the USB port", even though this user never added a security key to their authentication options for MFA.

When the user clicks Cancel, the message "We couldn't sign you in" is displayed. Clicking the "Sign in another way" link brings back the "Verify your identity" prompt, and the MFA process is stuck in a loop.

To use a phone‑based passkey when signing in on a PC, the system initiates a cross‑device web authentication flow. This process requires Bluetooth to be enabled and functioning on both the PC and the phone, as it relies on Bluetooth to confirm that the phone is physically nearby—a key security requirement.

If this proximity validation cannot be completed, the passkey stored on the phone remains valid, but it cannot be discovered or used in that authentication session. As a result, the MFA prompt does not present it as an available option. Instead, the system defaults to the generic security key (FIDO2) prompt—even if the user has never registered a physical security key in their account.

If Bluetooth cannot be enabled on both devices, the only option for the user is to procure and register a security key.
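
To check the PC side of the Bluetooth requirement described above, a help desk can run the following on the affected Windows PC. This is an added example, not part of the original article; the function name Test-BluetoothReadiness is hypothetical, and the check assumes the standard PnpDevice module and the Bluetooth Support Service (bthserv).

```powershell
# Added example: reports whether the PC has working Bluetooth hardware and a
# usable Bluetooth Support Service, both needed for the cross-device passkey flow.
# Limitation (assumption of this sketch): it does not read the Bluetooth toggle
# in Settings or airplane mode, and it cannot check the phone.
function Test-BluetoothReadiness {
    [CmdletBinding()]
    param()

    # Bluetooth-class devices currently present (radio, enumerators, paired devices).
    $devices = @(Get-PnpDevice -Class Bluetooth -PresentOnly -ErrorAction SilentlyContinue)
    $working = @($devices | Where-Object { $_.Status -eq 'OK' })

    # Bluetooth Support Service; normally trigger-started when a radio is present.
    $svc = Get-Service -Name bthserv -ErrorAction SilentlyContinue

    $findings = @()
    if ($devices.Count -eq 0) {
        $findings += 'No Bluetooth hardware is present on this PC.'
    } elseif ($working.Count -eq 0) {
        $findings += 'Bluetooth hardware is present but disabled or in an error state.'
    }
    if (-not $svc) {
        $findings += 'Bluetooth Support Service (bthserv) was not found.'
    } elseif ($svc.StartType -eq 'Disabled') {
        $findings += 'Bluetooth Support Service (bthserv) is disabled.'
    } elseif ($svc.Status -ne 'Running') {
        $findings += 'Bluetooth Support Service (bthserv) is not running.'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DevicesPresent = $devices.Count
        DevicesWorking = $working.Count
        ServiceStatus  = if ($svc) { "$($svc.Status) ($($svc.StartType))" } else { 'Not found' }
        Ready          = ($findings.Count -eq 0)
        Findings       = $findings
    }
}

Test-BluetoothReadiness | Format-List
```

A result of Ready = True only rules out the hardware and service causes on the PC; the Bluetooth toggle on the PC and Bluetooth on the phone still need to be confirmed by hand.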