Synced Passkey

Summary

Passkeys are the most secure method of authentication. There are two different types of passkeys: a synced passkey (automatically syncs across your devices) and a device‑bound passkey (tied to a single device). This article focuses on synced passkeys.

Body

Passkeys are the most secure method of authentication. There are two different types of passkeys:

A synced passkey for a Microsoft work or school account is a phishing‑resistant sign‑in credential (based on FIDO2) that is securely saved in a cloud‑backed credential manager—such as iCloud Keychain or Google Password Manager—and automatically syncs across your devices, so you can use it even if you change or lose a device.

In contrast, a device‑bound passkey (including those stored locally in Microsoft Authenticator or on a security key) is tied to a single device or authenticator instance and does not sync, meaning it must be re‑registered on each new device.

Both use biometrics or a PIN to prove your identity and are resistant to phishing, but synced passkeys prioritize convenience and portability across devices (most suitable for regular users), while device‑bound passkeys provide tighter control by keeping the credential confined to one device (recommended for high-profile users and administrators with access to sensitive data). 
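For administrators who want to see how a service can tell the two types apart: in WebAuthn (the web API of FIDO2), the authenticator data returned at registration and sign-in carries a flags byte whose Backup Eligible (BE) bit marks a credential that can sync and whose Backup State (BS) bit marks one that currently is backed up. The following is an added example, not part of the original article or Microsoft's code; the RP ID `login.example.com` and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticator data flags byte (byte 32).
UP, UV, BE, BS = 0x01, 0x04, 0x08, 0x10


def classify_passkey(auth_data: bytes, rp_id: str) -> dict:
    """Parse the fixed 37-byte header: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    # The hash binds the response to the site; a mismatch means the
    # credential was exercised for a different relying party.
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    backup_eligible = bool(flags & BE)
    backed_up = bool(flags & BS)
    # A credential cannot be backed up without being backup eligible.
    if backed_up and not backup_eligible:
        raise ValueError("invalid flags: BS set without BE")
    return {
        "user_present": bool(flags & UP),
        "user_verified": bool(flags & UV),  # biometric or PIN was used
        "kind": "synced" if backup_eligible else "device-bound",
        "backed_up": backed_up,
        "sign_count": sign_count,
    }


def build_sample(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Construct sample authenticator data (test input, not a real capture)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


if __name__ == "__main__":
    rp = "login.example.com"  # assumed RP ID for this example
    print(classify_passkey(build_sample(rp, UP | UV | BE | BS), rp))
    print(classify_passkey(build_sample(rp, UP | UV, 7), rp))
```

A policy that restricts administrators to device-bound passkeys can be enforced on these bits by rejecting registrations where the BE flag is set.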

This article focuses on synced passkeys.

To create a synced passkey for your Microsoft work or school account, follow these steps on the device where you'd like to create a passkey:

  1. Sign in to your work or school account Security info at mysignins.microsoft.com/security-info
  2. Choose Add sign-in method.
  3. Select Passkey to generate a synced passkey that can be stored on another device or in a password manager (see the saving options below).
    NOTE: Do not select "Passkey in Microsoft Authenticator" because this option requires that you install the Microsoft Authenticator app on your mobile device.
  4. Follow the instructions on your device.
  5. Select Continue or Create to store the passkey in the suggested location or select Change or Save another way to see alternative save location options. 
  6. Complete the passkey save process at the chosen location. The process varies based on your selection and might require you to provide an unlock gesture, such as facial recognition, fingerprint, or PIN.

Passkey saving options include:

  • iPhone, iPad or Android device (DEFAULT): The passkey is saved to a phone or tablet. This option requires you to scan a QR code using your mobile device's camera (tap Use passkey when shown) or the QR scan button in Microsoft Authenticator (or similar) installed on your phone or tablet. Saving passkeys to a phone or tablet may also require Bluetooth pairing for verification.
  • Password Manager: You can save a passkey to Microsoft Password Manager or another password manager service, like iCloud Keychain, Google Password Manager, or Bitwarden.
  • Security key: The passkey is saved to a physical security key.
  • Windows device / Windows Hello: The passkey is saved locally to your Windows device using Windows Hello. Since all University Intune-managed Windows devices are configured to use Windows Hello by default, this passkey already exists for you. If you try to save your new passkey there, you will see this error:

    [Screenshot of the error message]

Details

Article ID: 151747
Created: Wed 5/27/26 4:06 PM
Modified: Wed 6/3/26 11:53 AM