Microsoft Authenticator - Device-bound Passkey

Summary

A device‑bound passkey stored locally in Microsoft Authenticator app on your mobile device is tied to a single device or authenticator instance and does not sync, meaning it must be re‑registered on each new device. It uses biometrics or a PIN to prove your identity and is resistant to phishing while providing tighter control than synced passkey by keeping the credential confined to one device.

Body

A device‑bound passkey stored locally in Microsoft Authenticator app on your mobile device is tied to a single device or authenticator instance and does not sync, meaning it must be re‑registered on each new device. It uses biometrics or a PIN to prove your identity and is resistant to phishing while providing tighter control than synced passkey by keeping the credential confined to one device. 

Setup

To use a passkey stored in MS Authenticator app on either a University-owned or a personal smartphone or tablet used for work or school you will need to:

  • ensure your mobile device is running Android 14 or newer, or iOS/iPad OS 17 or newer and has Bluetooth enabled
  • install MS Authenticator app on your mobile device and link it to your University account, if not already installed and linked
  • configure MS Authenticator as a service for passkeys 
  • generate the passkey for your UWin Account

You will need to be at your work computer and have your mobile device with you to set up this option. Your mobile device does not have to be enrolled in Intune.

Step 1: Install Microsoft Authenticator on your phone

If this app is not yet installed on your mobile device, follow instructions in this KB article: Microsoft Authenticator - Getting started

Step 2: Complete passkey setup on your phone

First, you have to update your mobile device OS settings to allow Microsoft Authenticator to use passkeys. Note that these instructions are for the latest versions of mobile OS and that older version may not fully support passkeys.

Android

  1. Open your device OS Settings and go to Passwords, passkeys & accounts
  2. Select the Work tab
  3. Turn on Authenticator as a passkey provider

Optional but recommended on University devices:

  • Make Authenticator to be the Preferred service for passkeys
  • Turn off any other options in Additional services, for example Google.

 

 

  

iPhone/iPad

  1. Open your device OS Settings
  2. Tap General
  3. Tap AutoFill & Passwords
  4. Turn ONAutoFill Passwords and Passkeys
  5. Under AUTOFILL FROM, make sure Microsoft Authenticator is selected
  6. Tap Go to Authenticator and proceed with Microsoft Authenticator and follow the instructions to generate a passkey below

Optional but recommended on University devices:

  • deselect iCloud Keychain to have only Authenticator used for work passkeys

Next, you have to generate a passkey for your UWin Account in your Microsoft Authenticator app.

  1. Tap Authenticator app icon to launch it. If you are using personal Android device, see a note below.
  2. Tap your University of Windsor account entry to display its full profile
  3. Select Create a passkey
  4. Follow instructions on your screen.

Personal device running Android: Swipe up on your home screen and select Work tab to launch your University-managed version of Microsoft Authenticator app. If this is the first time you are using the work version of Microsoft Authenticator, tap Allow > Accept > Continue > Setup work or school account. Follow instructions on the screen to add your University of Windsor account. You will then be able to remove it from the personal version of Microsoft Authenticator app.

✅ Your phone is now registered as a passkey.

Using Passkey in MS Authenticator

To sign-in using a passkey that you generated and stored in the MS Authenticator app on your device:

  1. Select iPhone, iPad or Android device or Use phone or tablet when prompted to choose a passkey. This will display a QR code on your screen.
  2. On your mobile device, launch Microsoft Authenticator app and tap on University of Windsor.
  3. Tap on Passkey.
  4. Tap on the blue circular icon in the bottom right corner.
  5. Scan the QR code from your computer screen.

NOTE: Bluetooth must be enabled on both devices when using a passkey across devices (for example, signing in on your computer using your phone) because it allows the devices to confirm they are physically close to each other. This proximity check is an important security measure that helps prevent remote attackers from tricking you into approving a sign‑in request from another location. Bluetooth does not transmit your passkey or any sensitive information; it simply ensures that the authentication request is happening locally between your devices, while the actual sign‑in process remains protected using secure encryption and your device’s built‑in security (such as biometrics or a PIN).

Details

Details

Article ID: 151748
Created
Wed 5/27/26 4:19 PM
Modified
Mon 6/8/26 4:04 PM

Related Articles

Related Articles (1)

Microsoft Authenticator - Getting started
Microsoft Authenticator is a free mobile app from Microsoft for iPhone, iPad, and Android devices that helps protect your UWin Account (Microsoft work/school account). Passwords alone are no longer enough to keep accounts secure. Microsoft Authenticator adds an extra layer of protection that helps prevent unauthorized access, even if someone else knows your password.