A passkey is a modern, phishing-resistant credential that replaces traditional passwords. Passkeys are built on public key cryptography and can be stored on devices or security keys, enabling users to authenticate securely and seamlessly across applications and devices.
ADSelfService Plus supports FIDO2-based passkeys, following the open authentication standard developed by the FIDO Alliance. With WebAuthn integration, ADSelfService Plus enables passkey-based authentication for secure access to network resources.
ADSelfService Plus currently provides FIDO2 passkey authentication for the following:
Note: FIDO2 passkeys currently do not support password resets and account unlocks via the ADSelfService Plus mobile app.
FIDO2 passkeys let users authenticate with two types of authenticators:
Security keys: portable, FIDO2-compliant hardware security keys such as YubiKey and Titan Security Key. They are removable, work across multiple platforms, and connect to a device via USB, NFC, or Bluetooth for authentication.
Note: Unlike device passkeys, credentials stored on hardware security keys remain on the hardware and are not synced across devices.
Device passkeys: authenticators built into the user's device and managed by the operating system. They verify the user's identity with biometric or PIN-based credentials that are stored securely on the device. Examples include Windows Hello, Android biometrics, and Apple Touch ID or Face ID.
Device passkeys can be either device-bound or synced across multiple devices, depending on how the vendor has implemented it.
Mobile-based synced passkeys also support Cross-Device Authentication (CDA), which lets users verify their identity on one device while accessing resources on another. For example, users can use their smartphone's built-in authenticator, such as Android biometrics or Apple Face ID, to log in to ADSelfService Plus on their laptop by scanning a QR code and establishing a Bluetooth connection.
Important note: Please finalize your Access URL and Relying Party ID before enabling FIDO2 Passkeys.
If your organization uses, or plans to use, load-balanced, highly available, or internet-facing deployments of ADSelfService Plus, configure a stable Access URL first. The Relying Party ID (RP ID) for FIDO2 passkeys is derived from the same server information as the Access URL, so changing the Access URL later also changes the RP ID. Because registered passkeys are bound to the RP ID, this results in the loss of enrollment data and the disenrollment of all users.
For instance, if the Access URL is https://selfservice.example.com, only the following RP IDs are valid: selfservice.example.com (the full host name of the Access URL) and its parent domain example.com.
Security caution: Specifying a parent domain as the RP ID allows FIDO2 passkeys to be used across that domain's subdomain websites as well. For instance, if example.com is chosen as the RP ID, then FIDO2 passkeys registered on site1.example.com can also be used on site2.example.com or site3.example.com. To ensure that FIDO2 passkeys enrolled with ADSelfService Plus can authenticate only to the product, restrict the authentication scope by specifying the host name of the ADSelfService Plus Access URL (selfservice.example.com in the example above) as the RP ID.
Note: Enabling the Deny syncable passkeys checkbox will prevent users from enrolling passkeys that rely on cloud syncing, such as Apple devices with iCloud accounts.
Required: The user will always be required to verify their identity using the built-in verification mechanism configured on the security key after inserting it.
Preferred: If user verification, such as a PIN or biometrics, is configured on the security key, users will be prompted to verify their identity when the authenticator is inserted. If no verification method is configured on the key, users will not be asked for verification.
Discouraged: If your organization uses Universal 2nd Factor-based security keys that do not support user verification, admins can select the Discouraged option. Users will not be asked for verification upon inserting their FIDO2 passkey. However, some security keys mandate verification on supported devices even when it is Discouraged. Please refer to the documentation received with your security key to ascertain this.
The OS and browsers that support each of the following types of passkeys are as follows:
Note: Please make sure that you are using the latest versions of the browsers. If you are using an outdated browser, you might not be able to create or use passkeys while in incognito or private modes across major browsers and operating systems.
Security keys can be used across a wide range of operating systems and browsers, provided both the OS and browser meet the necessary requirements for WebAuthn support.
Browser | Windows | macOS | Linux | Android | iOS |
---|---|---|---|---|---|
Google Chrome (67+) | Yes | Yes | Yes | Yes | Yes |
Edge (67+) | Yes | Yes | Yes | Yes | Yes |
Safari (13+) | N/A | Yes | N/A | N/A | Yes |
Firefox (60+) | Yes | Yes | Yes | Yes | Yes |
Device passkeys are supported across a wide range of browsers and operating systems, with compatibility varying based on how the passkeys are accessed:
Browser | Windows 10+ (Windows Hello) | macOS 11+ (Touch ID) | Android 7+ (Android biometrics) | iOS 14.5+ (Face ID) |
---|---|---|---|---|
Google Chrome | Yes (73+) | Yes (70+) | Yes (95+) | Yes (95+) |
Edge | Yes (79+) | Yes | Yes | Yes (95+) |
Safari | N/A | Yes (14+) | N/A | Yes (14.5+) |
Firefox | Yes (66+) | Yes | Yes (68+) | Yes (38+) |

Browser | Windows 10+ (Windows Hello) | macOS 13+ (Touch ID) | Android 9+ (Android biometrics) | iOS 16.5+ (Face ID) |
---|---|---|---|---|
Google Chrome | No | Yes (70+) | Yes | Yes |
Edge | No | No | Yes | Yes |
Safari | N/A | Yes (14+) | N/A | Yes |
Firefox | No | Yes | Yes | Yes |
CDA client: In a Cross-Device Authentication flow, the CDA client is the device on which ADSelfService Plus is being accessed.
CDA authenticator: In a Cross-Device Authentication flow, the CDA authenticator is the device used to verify the user's identity.
For example, you can use your phone as a cross-device authenticator to sign in to ADSelfService Plus from your laptop. In this case, the laptop is the CDA client, and the phone acts as the CDA authenticator.
The supported CDA clients and authenticators are as follows:
Browser | Windows (CDA client) | Windows (CDA authenticator) | macOS (CDA client) | macOS (CDA authenticator) | Android (CDA client) | Android (CDA authenticator) | iOS (CDA client) | iOS (CDA authenticator) |
---|---|---|---|---|---|---|---|---|
Google Chrome | Yes (108+) | No | Yes (70+) | No | Yes | Yes | Yes | Yes |
Edge | Yes (108+) | No | Yes | No | Yes | Yes | Yes | Yes |
Safari | N/A | N/A | Yes (14+) | No | N/A | N/A | Yes | Yes |
Firefox | No | No | Yes | No | Yes | Yes | Yes | Yes |
Endpoint MFA strengthens login security across user endpoints by enabling phishing-resistant FIDO2 passkeys. Before you enforce FIDO2-based machine logins, refer to the table below to understand which passkey methods are supported across different operating systems and machine login scenarios. For more details on MFA for endpoints, click here.
OS | Connection Mode (MFA) | Authentication Scenario |
---|---|---|
Windows | Online | Login, Unlock, UAC |
Windows | Online | RDP Server, RDP Client |
Windows | Offline | Login, Unlock, UAC |
Windows | Offline | RDP Server |
macOS | Online | Login |
macOS | Offline | Login |
Linux | Online | Login |

(Support for Security Keys, Windows Hello, and Mobile Phone in each scenario is indicated by icons in the original table; the paragraphs below describe which methods apply.)
For login, unlock, and UAC scenarios, users can use a security key or their mobile phone. With a mobile phone, the user scans a QR code to open a secure link on the phone and authenticates there using built-in passkeys or security keys; no direct device-to-device connection (as in CDA) is required. Note that mobile phones cannot be used for offline MFA.
For RDP sessions, FIDO2 authentication can be enabled on supported Windows clients and servers using Windows' native WebAuthn redirection. On systems that do not support this feature, such as Windows versions older than Windows 10 version 1809, you will need a third-party USB-over-IP tool like IncentivesPro USB Redirector RDP Edition or Eltima USB Network Gate to redirect the security key into the session.
During enrollment, users can choose their preferred passkey type based on the options provided, such as security keys or device passkeys.
Security keys: The user will be required to authenticate using the security key’s built-in mechanism. For example, if using a YubiKey, they might need to enter a PIN or scan their fingerprint using the sensor. Security keys can be enrolled through the ADSelfService Plus web portal from a device that supports USB, near-field communication (NFC), or Bluetooth Low Energy (BLE) connections. A single security key can be enrolled as a passkey for multiple users, and multiple security keys can be enrolled for a single user account.
Device passkeys: The user will complete enrollment by verifying their identity using their device’s built-in authenticator, such as Face ID, Touch ID, or PIN.
If a user wishes to enroll a different smartphone or tablet, they can scan the QR code displayed on the screen to start the authentication process via Bluetooth. Admins should ensure that users' devices support CDA for a smooth enrollment process. A list of supported devices is available here.
You can find the step-by-step enrollment process for users here.
Once enrolled, users will verify their identity using their passkeys when signing in.
Security keys: Users should verify the security key on their device by connecting via USB, NFC, or BLE. Once verified, the key can be used on other devices by repeating the process. This ensures secure, consistent access across all devices.
Device passkeys: The device's built-in authenticators can be used for verification on the enrolled device. If the passkey is synced across multiple devices, it can also be used on those devices.
Note: The FIDO2 Passkeys Report will only show the enrollment on the specific device that was enrolled, and not on its synced devices.
If a user needs to authenticate using a different smartphone or tablet, they can scan the QR code displayed on the screen to complete verification via Bluetooth.
You can find the detailed verification steps here.
Copyright © 2025, ZOHO Corp. All Rights Reserved.