What is a passkey?

A passkey is a modern, phishing-resistant credential that replaces traditional passwords. Passkeys are built on public key cryptography and can be stored on devices or security keys, enabling users to authenticate securely and seamlessly across applications and devices.

ADSelfService Plus supports FIDO2-based passkeys, following the open authentication standard developed by the FIDO Alliance. With WebAuthn integration, ADSelfService Plus enables passkey-based authentication for secure access to network resources.

ADSelfService Plus currently provides FIDO2 passkey authentication for the following:

• ADSelfService Plus portal logins
• Cloud Application logins
• Machine logins (Windows, macOS, and Linux)
• Outlook Web Access (OWA)
• Password resets or account unlocks from the ADSelfService Plus portal

Note: FIDO2 passkeys currently do not support password resets and account unlocks via the ADSelfService Plus mobile app.

The following information on this page will assist you in understanding and setting up FIDO2 passkeys with ADSelfService Plus:

• Types of FIDO2 passkeys
• Security keys
• Device passkeys
• Device-bound passkeys
• Synced passkeys
• Configuring FIDO Authenticators
• Prerequisites
• Configuration steps
• Supported devices
• Security keys
• Device passkeys
• Supported FIDO2 passkeys for machine login scenarios
• Enrolling FIDO2 passkeys
• Verification using FIDO2 passkeys

Types of FIDO2 passkeys

FIDO2 passkeys let users authenticate with two types of authenticators:

• Security Keys
• Device Passkeys

Security Keys

These include portable FIDO2-compliant hardware security keys like YubiKey and Titan Security Key, that are removable and compatible with multiple platforms. These authenticators can be connected to a device via USB, NFC, or Bluetooth for secure authentication.

Note: Unlike device passkeys, credentials stored on hardware security keys remain on the hardware and are not synced across devices.

Device Passkeys

These authenticators are built into the user’s device and managed by the operating system. They verify the user’s identity using biometric or PIN-based credentials that are securely stored on the device. Examples include Windows Hello, Android biometrics, and Apple Touch ID or Face ID.

Device passkeys can be either device-bound or synced across multiple devices, depending on how the vendor has implemented it.

• Device-bound passkeys: These are passkeys that are stored only on the device and not synced to cloud services. This means users should enroll separately on each device they wish to use.
• Synced passkeys: These are passkeys securely stored in the cloud and synchronized across a user’s devices through cloud services such as iCloud Keychain or Google Password Manager. This synchronization allows seamless access to ADSelfService Plus without the need to reenroll each device. However, user verification data, such as PINs and biometrics (including Face ID and Touch ID), remain device-specific and should be set up individually on each device. For example, if John uses Touch ID on his MacBook and then buys a new iPhone, he doesn’t need to reenroll the iPhone in ADSelfService Plus, but should set up Face ID on the iPhone to authenticate.

Mobile-based synced passkeys also support Cross-Device Authentication (CDA), that enables users to verify their identity on one device while accessing resources on another. For example, users can use their smartphone’s built-in authenticators, such as Android biometrics or Apple Face ID, to log into ADSelfService Plus on their laptop by scanning a QR code and establishing a Bluetooth connection.

Configuring the FIDO2 Passkey authenticator

Prerequisites

• Users should have WebAuthn-supported devices to use this authenticator.
• ADSelfService Plus as well as the sites FIDO2 passkeys authenticate to, should have HTTPS enabled.
• The access URL should be configured with a valid domain name and not an IP address.

Important note: Please finalize your Access URL and Relying Party ID before enabling FIDO2 Passkeys.

If your organization uses—or plans to use—load-balanced, highly available, or internet-facing deployments of ADSelfService Plus, it is essential to configure a stable Access URL. This is crucial because the Relying Party ID (RP ID) for FIDO2 Passkeys relies on the same server information as the access URL. Changing the Access URL later will also change the RP ID, resulting in the loss of enrollment data and the disenrollment of all users.

• ADSelfService Plus should be accessed using a secure connection. To ensure this:
• A valid certificate should be used in the product. Please refer to this guide to learn more about generating and deploying certificates in ADSelfService Plus.
• The Common Name (CN) or Subject Alternative Name (SAN) listed on the certificate during generation should be the same as the the hostname used in the ADSelfService Plus Access URL.
• If the certificate has been obtained from your organization's internal Certificate Authority (CA), then the CA certificate should be trusted in the users' devices. Click here to learn how to distribute the certificates to users' machines.

Configuration steps

1. Log into the ADSelfService Plus admin portal and navigate to Configuration > Self-Service > Multi-factor Authentication > FIDO2 Passkeys.



2. The Relying Party Identifier should either be the domain name or effective domain name (server name or the parent domain of the server name) used in the Access URL.

For instance, if the Access URL is https://selfservice.example.com, only the following RP IDs are valid:

• selfservice.example.com
• example.com

Security caution: Specifying a parent domain in the RP ID allows FIDO2 passkeys to be used across the domain's subdomain websites as well. For instance, if example.com is chosen as the RP ID, then FIDO2 passkeys registered on site1.example.com can also be used on site2.example.com or site3.example.com. To allow FIDO2 Passkeys enrolled with ADSelfService Plus to authenticate only with the product, you can define the authentication scope by specifying the access URL used in ADSelfService Plus as the RP ID.

3. A Username Pattern helps prevent ambiguity by associating the user account with distinct attribute values in AD. It is an easily memorable and distinct username made in this pattern for the user account that will be registered with the FIDO2 passkey.
4. Open Advanced Settings and use the Allowed Passkey Types dropdown to configure the types of FIDO2 passkeys your users can enroll in.
• Select Security Keys to permit users in your organization to enroll for passkeys like YubiKeys or Google Titan keys.
• Select Device Passkeys to permit users in your organization to enroll for device-based passkeys that use the machine’s or phone’s built-in authentication methods, such as biometrics like fingerprint or facial recognition.
5. Enable the Deny syncable passkeys checkbox to ensure passkeys are tied to specific organizational devices and not synced across multiple devices through cloud services. This is ideal for organizations with security requirements to allow only device-bound passkeys.

Note: Enabling the Deny syncable passkeys checkbox will prevent users from enrolling passkeys that rely on cloud syncing, such as Apple devices with iCloud accounts.

6. From the drop-down menu, select whether User Verification is Required, Preferred, or Discouraged for security keys. User verification, such as a PIN or additional biometrics, provides an extra layer of security, ensuring that the security key is in the possession of authorized individuals. This is important because misplaced keys could be exploited by unauthorized users who find them.

Required: The user will always be required to verify their identity using the built-in verification mechanism configured on the security key after inserting it.

Preferred: If user verification, such as a PIN or biometrics, is configured on the security key, users will be prompted to verify their identity when the authenticator is inserted. If no verification method is set, users will not be asked for any identification.

Discouraged: If your organization uses Universal 2nd Factor-based security keys that do not support user verification, admins can select the Discouraged option. Users will not be asked for verification upon inserting their FIDO2 passkey. However, some security keys mandate verification on supported devices even when it is Discouraged. Please refer to the documentation received with your security key to ascertain this.

7. Specify the maximum number of passkeys each user can add in the No. of passkeys allowed per user field. Users can enroll up to five FIDO2 passkeys.
8. Click Save.

Supported devices

The OS and browsers that support each of the following types of passkeys are as follows:

Note: Please make sure that you are using the latest versions of the browsers. If you are using an outdated browser, you might not be able to create or use passkeys while in incognito or private modes across major browsers and operating systems.

Security keys

Security keys can be used across a wide range of operating systems and browsers, provided both the OS and browser meet the necessary requirements for WebAuthn support.

	Windows	macOS	Linux	Android	iOS
Google Chrome (67+)	Yes	Yes	Yes	Yes	Yes
Edge (67+)	Yes	Yes	Yes	Yes	Yes
Safari (13+)	N/A	Yes	N/A	N/A	Yes
Firefox (60+)	Yes	Yes	Yes	Yes	Yes

*The numbers within parenthesis indicate the minimum supported browser version required.

Device passkeys

Device passkeys are supported across a wide range of browsers and operating systems, with compatibility varying based on how the passkeys are accessed:

1. Device-bound passkeys:

	Windows 10+ (Windows Hello)	macOS 11+ (Touch ID)	Android 7+ (Android biometrics)	iOS 14.5+ (Face ID)
Google Chrome	Yes ( 73+)	Yes (70+)	Yes (95+)	Yes (95+)
Edge	Yes (79+)	Yes	Yes	Yes (95+)
Safari	N/A	Yes (14+)	N/A	Yes (14.5+)
Firefox	Yes (66+)	Yes	Yes (68+)	Yes (38+)

*The numbers within parenthesis indicate the minimum supported browser version required.

2. Synced passkeys

	Windows 10+ (Windows Hello)	macOS 13+ (Touch ID)	Android 9+ (Android biometrics)	iOS 16.5+ (Face ID)
Google Chrome	No	Yes (70+)	Yes	Yes
Edge	No	No	Yes	Yes
Safari	N/A	Yes (14+)	N/A	Yes
Firefox	No	Yes	Yes	Yes

*The numbers within parenthesis indicate the minimum supported browser version required.

3. Cross-Device Authentication

CDA client: The CDA client in a Cross-Device Authentication flow is the device on which ADSelfService Plus is being accessed.

CDA authenticator: The CDA authenticator in a cross-device authentication flow is the device used to verify their identity.

For example, you can use your phone as a cross-device authenticator to sign in to ADSelfService Plus from your laptop. In this case, the laptop is the CDA client, and the phone acts as the CDA authenticator.

The supported CDA clients and authenticators are as follows:

Supported FIDO2 passkeys for machine login scenarios

Endpoint MFA strengthens login security across user endpoints by enabling phishing-resistant FIDO2 passkeys. Before you enforce FIDO2-based machine logins, refer to the table below to understand which passkey methods are supported across different operating systems and machine login scenarios. For more details on MFA for endpoints, click here.

For login, unlock, and UAC scenarios, users can use a security key or their mobile phone. Mobile phones allow users to scan a QR code to open a secure link on their device and authenticate using built-in passkeys or security keys—no direct device-to-device connection (like CDA) is required. Note that mobile phones cannot be used for offline MFA.

For RDP sessions, FIDO2 authentication can be enabled on supported Windows clients and servers using Windows’ native WebAuthn redirection. On systems that do not support this feature—such as Windows versions older than 10 version 1809—you will need to use third-party USB-over-IP tools like IncentivesPro USB Redirector RDP Edition or Eltima USB Network Gate.

Supported client and server versions for Windows Hello:

• Client OS: Windows 10 version 1809 or later, or Windows 11
• Server OS: Windows Server version 1809, 2019, 2022, or 2025 and later

Enrolling FIDO2 passkeys

During enrollment, users can choose their preferred passkey type based on the options provided, such as security keys or device passkeys.

Security keys: The user will be required to authenticate using the security key’s built-in mechanism. For example, if using a YubiKey, they might need to enter a PIN or scan their fingerprint using the sensor. Security keys can be enrolled through the ADSelfService Plus web portal from a device that supports USB, near-field communication (NFC), or Bluetooth Low Energy (BLE) connections. A single security key can be enrolled as a passkey for multiple users, and multiple security keys can be enrolled for a single user account.

Device passkeys: The user will complete enrollment by verifying their identity using their device’s built-in authenticator, such as Face ID, Touch ID, or PIN.

• Device-bound passkeys: A device-bound passkey is stored only on the device where it was created. If users want to use the passkey on additional devices, they should enroll a new passkey on each device that supports device-bound passkeys.
• Synced passkeys: A synced passkey is stored in the cloud and automatically synchronized across the user's devices that are linked to the same account, using services like iCloud Keychain or Google Password Manager. Once synced, users do not need to enroll the passkey again on other devices that support synced passkeys.

If a user wishes to enroll a different smartphone or tablet, they can scan the QR code displayed on the screen to start the authentication process via Bluetooth. Admins should ensure that users' devices support CDA for a smooth enrollment process. A list of supported devices is available here.

You can find the step-by-step enrollment process for users here.

Verification using FIDO2 passkeys

Once enrolled, users will verify their identity using their passkeys when signing in.

Security keys: Users should verify the security key on their device by connecting via USB, NFC, or BLE. Once verified, the key can be used on other devices by repeating the process. This ensures secure, consistent access across all devices.

Device passkeys: The device's built-in authenticators can be used for verification on the enrolled device. If the passkey is synced across multiple devices, it can also be used on those devices.

• Device-bound passkeys: Users should verify their identity on the same device where the passkey was enrolled. This could involve entering a PIN or using biometric authentication. If successful, the system will recognize the passkey and allow the user to login.
• Synced passkeys: When the passkey is synced across multiple devices linked to the same account, users can use it for MFA on any of those devices. The user can verify their identity using a built-in authenticator, and authentication is completed using the synced passkey, enabling a seamless login experience.

Note: The FIDO2 Passkeys Report will only show the enrollment on the specific device that was enrolled, and not on its synced devices.

If a user needs to authenticate using a different smartphone or tablet, they can scan the QR code displayed on the screen to complete verification via Bluetooth.

You can find the detailed verification steps here.