What is a passkey?

A passkey is a modern, phishing-resistant credential that replaces traditional passwords. Passkeys are built on public key cryptography and can be stored on devices or security keys, enabling users to authenticate securely and seamlessly across applications and devices.

ADSelfService Plus supports FIDO2-based passkeys, following the open authentication standard developed by the FIDO Alliance. With WebAuthn integration, ADSelfService Plus enables passkey-based authentication for secure access to network resources.

ADSelfService Plus currently provides FIDO2 passkey authentication for the following:

Note: FIDO2 passkeys currently do not support password resets and account unlocks via the ADSelfService Plus mobile app.

The following information on this page will assist you in understanding and setting up FIDO2 passkeys with ADSelfService Plus:

Types of FIDO2 passkeys

FIDO2 passkeys let users authenticate with two types of authenticators:

Security Keys

These include portable FIDO2-compliant hardware security keys like YubiKey and Titan Security Key, that are removable and compatible with multiple platforms. These authenticators can be connected to a device via USB, NFC, or Bluetooth for secure authentication.

Note: Unlike device passkeys, credentials stored on hardware security keys remain on the hardware and are not synced across devices.

Device Passkeys

These authenticators are built into the user’s device and managed by the operating system. They verify the user’s identity using biometric or PIN-based credentials that are securely stored on the device. Examples include Windows Hello, Android biometrics, and Apple Touch ID or Face ID.

Device passkeys can be either device-bound or synced across multiple devices, depending on how the vendor has implemented it.

Configuring the FIDO2 Passkey authenticator

Prerequisites

Configuration steps

  1. Log into the ADSelfService Plus admin portal and navigate to Configuration > Self-Service > Multi-factor Authentication > FIDO2 Passkeys.
  2. Modify Configuration

  3. The Relying Party Identifier should either be the domain name or effective domain name (server name or the parent domain of the server name) used in the Access URL.
  4. For instance, if the Access URL is https://selfservice.example.com, only the following RP IDs are valid:

    • selfservice.example.com
    • example.com

    Security caution: Specifying a parent domain in the RP ID allows FIDO2 passkeys to be used across the domain's subdomain websites as well. For instance, if example.com is chosen as the RP ID, then FIDO2 passkeys registered on site1.example.com can also be used on site2.example.com or site3.example.com. To allow FIDO2 Passkeys enrolled with ADSelfService Plus to authenticate only with the product, you can define the authentication scope by specifying the access URL used in ADSelfService Plus as the RP ID.

  5. A Username Pattern helps prevent ambiguity by associating the user account with distinct attribute values in AD. It is an easily memorable and distinct username made in this pattern for the user account that will be registered with the FIDO2 passkey.
  6. Open Advanced Settings and use the Allowed Passkey Types dropdown to configure the types of FIDO2 passkeys your users can enroll in.
    • Select Security Keys to permit users in your organization to enroll for passkeys like YubiKeys or Google Titan keys.
    • Select Device Passkeys to permit users in your organization to enroll for device-based passkeys that use the machine’s or phone’s built-in authentication methods, such as biometrics like fingerprint or facial recognition.
  7. Enable the Deny syncable passkeys checkbox to ensure passkeys are tied to specific organizational devices and not synced across multiple devices through cloud services. This is ideal for organizations with security requirements to allow only device-bound passkeys.
  8. Note: Enabling the Deny syncable passkeys checkbox will prevent users from enrolling passkeys that rely on cloud syncing, such as Apple devices with iCloud accounts.

  9. From the drop-down menu, select whether User Verification is Required, Preferred, or Discouraged for security keys. User verification, such as a PIN or additional biometrics, provides an extra layer of security, ensuring that the security key is in the possession of authorized individuals. This is important because misplaced keys could be exploited by unauthorized users who find them.
  10. Required: The user will always be required to verify their identity using the built-in verification mechanism configured on the security key after inserting it.

    Preferred: If user verification, such as a PIN or biometrics, is configured on the security key, users will be prompted to verify their identity when the authenticator is inserted. If no verification method is set, users will not be asked for any identification.

    Discouraged: If your organization uses Universal 2nd Factor-based security keys that do not support user verification, admins can select the Discouraged option. Users will not be asked for verification upon inserting their FIDO2 passkey. However, some security keys mandate verification on supported devices even when it is Discouraged. Please refer to the documentation received with your security key to ascertain this.

  11. Specify the maximum number of passkeys each user can add in the No. of passkeys allowed per user field. Users can enroll up to five FIDO2 passkeys.
  12. Click Save.

Supported devices

The OS and browsers that support each of the following types of passkeys are as follows:

Note: Please make sure that you are using the latest versions of the browsers. If you are using an outdated browser, you might not be able to create or use passkeys while in incognito or private modes across major browsers and operating systems.

Security keys

Security keys can be used across a wide range of operating systems and browsers, provided both the OS and browser meet the necessary requirements for WebAuthn support.

  Windows macOS Linux Android iOS
Google Chrome (67+) Yes Yes Yes Yes Yes
Edge (67+) Yes Yes Yes Yes Yes
Safari (13+) N/A Yes N/A N/A Yes
Firefox (60+) Yes Yes Yes Yes Yes
*The numbers within parenthesis indicate the minimum supported browser version required.

Device passkeys

Device passkeys are supported across a wide range of browsers and operating systems, with compatibility varying based on how the passkeys are accessed:

1. Device-bound passkeys:

  Windows 10+ (Windows Hello) macOS 11+ (Touch ID) Android 7+ (Android biometrics) iOS 14.5+ (Face ID)
Google Chrome Yes ( 73+) Yes (70+) Yes (95+) Yes (95+)
Edge Yes (79+) Yes Yes Yes (95+)
Safari N/A Yes (14+) N/A Yes (14.5+)
Firefox Yes (66+) Yes Yes (68+) Yes (38+)
*The numbers within parenthesis indicate the minimum supported browser version required.

2. Synced passkeys

  Windows 10+ (Windows Hello) macOS 13+ (Touch ID) Android 9+ (Android biometrics) iOS 16.5+ (Face ID)
Google Chrome No Yes (70+) Yes Yes
Edge No No Yes Yes
Safari N/A Yes (14+) N/A Yes
Firefox No Yes Yes Yes
*The numbers within parenthesis indicate the minimum supported browser version required.

3. Cross-Device Authentication

CDA client: The CDA client in a Cross-Device Authentication flow is the device on which ADSelfService Plus is being accessed.

CDA authenticator: The CDA authenticator in a cross-device authentication flow is the device used to verify their identity.

For example, you can use your phone as a cross-device authenticator to sign in to ADSelfService Plus from your laptop. In this case, the laptop is the CDA client, and the phone acts as the CDA authenticator.

The supported CDA clients and authenticators are as follows:

  Windows macOS Android iOS
  CDA Client support CDA Authenticator support CDA Client support CDA Authenticator support CDA Client support CDA Authenticator support CDA Client support CDA Authenticator support
Google Chrome Yes (108+) No Yes (70+) No Yes Yes Yes Yes
Edge Yes (108+) No Yes No Yes Yes Yes Yes
Safari N/A N/A Yes (14+) No N/A N/A Yes Yes
Firefox No No Yes No Yes Yes Yes Yes

Supported FIDO2 passkeys for machine login scenarios

Endpoint MFA strengthens login security across user endpoints by enabling phishing-resistant FIDO2 passkeys. Before you enforce FIDO2-based machine logins, refer to the table below to understand which passkey methods are supported across different operating systems and machine login scenarios. For more details on MFA for endpoints, click here.

OS Connection Mode (MFA) Authentication Scenario Security Keys Windows Hello Mobile Phone
Windows Online Login, Unlock, UAC
RDP Server, RDP Client
Offline Login, Unlock, UAC
RDP Server
macOS Online Login
Offline Login
Linux Online Login

For login, unlock, and UAC scenarios, users can use a security key or their mobile phone. Mobile phones allow users to scan a QR code to open a secure link on their device and authenticate using built-in passkeys or security keys—no direct device-to-device connection (like CDA) is required. Note that mobile phones cannot be used for offline MFA.

For RDP sessions, FIDO2 authentication can be enabled on supported Windows clients and servers using Windows’ native WebAuthn redirection. On systems that do not support this feature—such as Windows versions older than 10 version 1809—you will need to use third-party USB-over-IP tools like IncentivesPro USB Redirector RDP Edition or Eltima USB Network Gate.

Supported client and server versions for Windows Hello:

Enrolling FIDO2 passkeys

During enrollment, users can choose their preferred passkey type based on the options provided, such as security keys or device passkeys.

Security keys: The user will be required to authenticate using the security key’s built-in mechanism. For example, if using a YubiKey, they might need to enter a PIN or scan their fingerprint using the sensor. Security keys can be enrolled through the ADSelfService Plus web portal from a device that supports USB, near-field communication (NFC), or Bluetooth Low Energy (BLE) connections. A single security key can be enrolled as a passkey for multiple users, and multiple security keys can be enrolled for a single user account.

Device passkeys: The user will complete enrollment by verifying their identity using their device’s built-in authenticator, such as Face ID, Touch ID, or PIN.

If a user wishes to enroll a different smartphone or tablet, they can scan the QR code displayed on the screen to start the authentication process via Bluetooth. Admins should ensure that users' devices support CDA for a smooth enrollment process. A list of supported devices is available here.

You can find the step-by-step enrollment process for users here.

Verification using FIDO2 passkeys

Once enrolled, users will verify their identity using their passkeys when signing in.

Security keys: Users should verify the security key on their device by connecting via USB, NFC, or BLE. Once verified, the key can be used on other devices by repeating the process. This ensures secure, consistent access across all devices.

Device passkeys: The device's built-in authenticators can be used for verification on the enrolled device. If the passkey is synced across multiple devices, it can also be used on those devices.

If a user needs to authenticate using a different smartphone or tablet, they can scan the QR code displayed on the screen to complete verification via Bluetooth.

You can find the detailed verification steps here.

Copyright © 2025, ZOHO Corp. All Rights Reserved.