In this post I will discuss how to configure an Azure Active Directory account to go passwordless using a FIDO2 security key. I recently received an AllinPass FIDO2 Plus security key to explore the feature and to provide my views on it. I will share my inputs on the usage, benefits and reasons to use FIDO2 security keys. But before that, let's understand the basics.

What is FIDO2 Security Key

FIDO stands for Fast Identity Online. The FIDO Alliance promotes open authentication standards to reduce the use of passwords as a form of authentication. FIDO2 is the latest standard.

FIDO2 security keys are hardware devices, such as USB devices, which may also support Bluetooth or NFC. With such a hardware device, you can authenticate the account login without entering a password.

Passwordless benefits

Why do we need FIDO2 security key

FIDO2 security keys are one of three passwordless authentication options Microsoft supports for signing in to Azure Active Directory connected devices. These can be Azure AD joined or hybrid Azure AD joined devices. The three forms of passwordless authentication are:

  • Windows Hello for Business
  • Microsoft Authenticator
  • FIDO2 security keys

In this post, we focus on FIDO2 security keys only.

Feitian AllinPass FIDO2 Plus security features

The FEITIAN AllinPass FIDO2 Plus security key combines various functions, such as passwordless authentication, identification card and physical access, into one device that fits into a standard wearable cardholder, and provides strong multi-factor authentication to eliminate account takeovers. This gives an extremely user-friendly and secure passwordless logon experience using biometrics. The device I received is the Feitian AllinPass FIDO2 Biometric Fingerprint Security Key K43.

Better connectivity

This device has a USB-C interface which can be used with laptops, desktops and Android devices. Bluetooth is also built in, providing NFC communication.

Designed for Enterprise use

The AllinPass FIDO2 Plus security key has a card-like form factor suited to enterprise use: it can serve as a security key as well as an employee ID card.

Security

Data stored on this security key is secured using algorithms running on the CC EAL 6+ Secure Element embedded in the chip.

Enable Authentication method for FIDO2 Security key in Azure

By default, the FIDO2 Security Key authentication method is not enabled. You need to enable it before configuring a FIDO2 security key.

Log in to the Azure Portal and navigate to Azure Active Directory > Security > Authentication methods.

Here you will see the FIDO2 Security Key status showing as No (disabled). Click on FIDO2 Security Key.

Enable Authentication methods FIDO2 Security Key

This will open the FIDO2 Security Key settings. Enable the setting, and under Target select either All users or “Select users”. For a planned rollout of the FIDO2 security key feature, I would recommend starting with pilot users. For demonstration purposes in my lab, I selected “All users”. Click Save.

FIDO2 Security Key settings
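The same enable step, scripted against the Microsoft Graph API instead of clicked through the portal, as an added example in Go that is not part of the original post. It builds the PATCH body for the v1.0 endpoint `policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2` and targets either all users (what the lab did) or a set of pilot groups (the staged rollout recommended above); it also shows the `keyRestrictions` property, which lets a tenant allow-list key models by AAGUID. The property names and the `all_users` target id are Graph's own; the group object id, the AAGUID and the bearer token are placeholders, and the request is built but not sent (sending it needs a token with the Policy.ReadWrite.AuthenticationMethod permission).

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// Graph v1.0 endpoint for the FIDO2 authentication method policy.
const fido2PolicyURL = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"

// IncludeTarget is one entry of includeTargets. Graph uses targetType "group"
// with the special id "all_users" for the portal's "All users" choice.
type IncludeTarget struct {
	TargetType             string `json:"targetType"`
	ID                     string `json:"id"`
	IsRegistrationRequired bool   `json:"isRegistrationRequired"`
}

// KeyRestrictions lets the tenant allow or block keys by AAGUID (key model).
type KeyRestrictions struct {
	IsEnforced      bool     `json:"isEnforced"`
	EnforcementType string   `json:"enforcementType"` // "allow" or "block"
	AAGUIDs         []string `json:"aaGuids"`
}

// Fido2Config mirrors microsoft.graph.fido2AuthenticationMethodConfiguration.
type Fido2Config struct {
	ODataType                        string          `json:"@odata.type"`
	State                            string          `json:"state"` // "enabled" or "disabled"
	IsSelfServiceRegistrationEnabled bool            `json:"isSelfServiceRegistrationEnabled"`
	IsAttestationEnforced            bool            `json:"isAttestationEnforced"`
	KeyRestrictions                  KeyRestrictions `json:"keyRestrictions"`
	IncludeTargets                   []IncludeTarget `json:"includeTargets"`
}

// BuildFido2Config returns an enabled policy. With no pilot groups it targets
// all users (what the post did in a lab); with groups it targets only those,
// which is the recommended staged rollout. allowedAAGUIDs, if given, restricts
// registration to those key models.
func BuildFido2Config(pilotGroupIDs, allowedAAGUIDs []string) Fido2Config {
	targets := []IncludeTarget{}
	if len(pilotGroupIDs) == 0 {
		targets = append(targets, IncludeTarget{TargetType: "group", ID: "all_users"})
	}
	for _, g := range pilotGroupIDs {
		targets = append(targets, IncludeTarget{TargetType: "group", ID: g})
	}
	restrictions := KeyRestrictions{EnforcementType: "allow", AAGUIDs: []string{}}
	if len(allowedAAGUIDs) > 0 {
		restrictions = KeyRestrictions{IsEnforced: true, EnforcementType: "allow", AAGUIDs: allowedAAGUIDs}
	}
	return Fido2Config{
		ODataType:                        "#microsoft.graph.fido2AuthenticationMethodConfiguration",
		State:                            "enabled",
		IsSelfServiceRegistrationEnabled: true,
		IsAttestationEnforced:            true, // only accept keys that present valid attestation
		KeyRestrictions:                  restrictions,
		IncludeTargets:                   targets,
	}
}

// NewEnableRequest builds the PATCH request; it is not sent here.
func NewEnableRequest(cfg Fido2Config, bearerToken string) (*http.Request, error) {
	body, err := json.Marshal(cfg)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPatch, fido2PolicyURL, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+bearerToken)
	return req, nil
}

func main() {
	// Placeholder pilot group object id and key AAGUID; substitute your own values.
	cfg := BuildFido2Config([]string{"<pilot-group-object-id>"}, []string{"<key-model-aaguid>"})
	out, _ := json.MarshalIndent(cfg, "", "  ")
	fmt.Println(string(out))
}
```

Keeping the policy in code makes the pilot scope reviewable and repeatable, and the AAGUID allow-list is the control to reach for when only an approved key model (such as the one this post uses) should be registrable in the tenant.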

Register FIDO2 security key in Azure Active Directory

We have successfully enabled the FIDO2 security key authentication method. Now let's open the My Sign-Ins page and navigate to Security info.

Here you can see all existing sign-in methods for the account we used to log in. Click on Add sign-in method to add another one.

Security info Add sign-in method

In the Add a method popup, a new option, “Security key”, is now available; previously it wasn't. It appears only after we enable FIDO2 security keys as an authentication method, alongside the three default options: Authenticator app, Email and Phone.

Click on Security key and click Add.

Add a method Security key

You will get the message:

To set up a security key, you need to sign in with two-factor authentication. Click Next.


This takes you to an Approve sign-in request using whichever method you added previously. I authenticated using the Microsoft Authenticator app by simply clicking Approve.


The next page asks you to choose the type of security key, which can be:

  • USB device
  • NFC device

I connected my Feitian security key K43 to a USB port and clicked on USB device.


This is when you need to plug the security key into the USB port. Click Next.

The next page verifies your identity with login.microsoft.com and offers multiple options. Choose External security key or built-in sensor.

FIDO2 External security key

Click OK when you see the Security key setup prompt requesting to use the security key configuration.

Security key setup

The Continue setup popup shows a message that credentials will be saved on the security key, which allows us to sign in without having to type a username. Click OK.


This is one of the most important steps: it asks you to touch the security key, or to enter the security key PIN if one was configured previously.

Touch your security key

Once the credentials are saved on the security key, the next page asks you to name it. It makes sense to provide an obvious name.


Next time you log in to the Azure Portal, you can click Sign-in options directly to log in without providing a username and password.


Once you click, you have multiple sign-in options; click on Sign in with a security key.

Azure AD sign-in with Security Key

Windows Security offers multiple options; we are interested in the security key, so click on it.

Sign in with a security key

We can see all accounts saved on this security key, so it can be used for other accounts as well. Simply click on the account we just registered.


And here we go: we have successfully logged in to the Azure Portal using the security key without providing a username or password.
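To show what the registration and sign-in ceremony above does under the hood, here is an added example (not from the post, and not Microsoft's or Feitian's code) that models a resident FIDO2 credential and the relying-party checks in Go using only the standard library: the key pair is bound to the RP ID at registration, the assertion covers the server's random challenge and the browser-reported origin, and the signature counter must increase on every use. The scenario function runs a genuine sign-in, a replay of the same assertion, and a request from a look-alike domain. The account name and the look-alike domain are constructed sample values; attestation, CBOR encoding and credential-ID handling of real WebAuthn are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// SecurityKey models one discoverable (resident) credential on the key: a key
// pair bound at registration to a single RP ID, plus the signature counter.
type SecurityKey struct {
	rpId    string
	userID  string
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Assertion is what the key returns for a sign-in (get) ceremony.
type Assertion struct {
	AuthData   []byte // sha256(rpId) || flags || 4-byte signature counter
	ClientData []byte // JSON {type, challenge, origin}, written by the browser
	Signature  []byte // ECDSA over AuthData || sha256(ClientData)
	UserID     string // identifies the account, so no username is typed
}

// signedMessage is the byte string the key signs and the server verifies.
func signedMessage(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Register creates the credential for rpId (the "credentials will be saved on
// security key" step) and returns the public key the relying party stores.
func Register(rpId, userID string) (*SecurityKey, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &SecurityKey{rpId: rpId, userID: userID, priv: priv}, &priv.PublicKey, nil
}

// Sign answers a get() request. The browser, not the page, derives rpId from
// the origin, so a look-alike site on another domain finds no credential.
func (k *SecurityKey) Sign(rpId, origin string, challenge []byte) (*Assertion, error) {
	if rpId != k.rpId {
		return nil, errors.New("no credential for this rpId")
	}
	k.counter++
	clientData, _ := json.Marshal(map[string]string{"type": "webauthn.get", "origin": origin,
		"challenge": base64.RawURLEncoding.EncodeToString(challenge)})
	rpHash := sha256.Sum256([]byte(rpId))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 0) // flags 0x05 = user present | user verified
	binary.BigEndian.PutUint32(authData[33:], k.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, signedMessage(authData, clientData))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientData: clientData, Signature: sig, UserID: k.userID}, nil
}

// VerifyAssertion performs the checks a WebAuthn server does before accepting a
// sign-in and returns the new counter the server must persist for this user.
func VerifyAssertion(rpId, origin string, pub *ecdsa.PublicKey, lastCounter uint32, challenge []byte, as *Assertion) (uint32, error) {
	var cd struct{ Type, Challenge, Origin string }
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return 0, errors.New("client data: wrong ceremony type, origin or challenge")
	}
	rpHash := sha256.Sum256([]byte(rpId))
	if len(as.AuthData) != 37 || string(as.AuthData[:32]) != string(rpHash[:]) || as.AuthData[32]&0x01 == 0 {
		return 0, errors.New("rpIdHash mismatch or user presence not asserted")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:])
	if counter <= lastCounter {
		return 0, errors.New("signature counter did not increase (replay or cloned key)")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientData), as.Signature) {
		return 0, errors.New("invalid signature")
	}
	return counter, nil
}

// RunScenario registers a key for a constructed sample account and returns the
// outcome of a genuine sign-in, a replay of that assertion, and a look-alike origin.
func RunScenario() (genuine, replay, lookalike error) {
	const rpId, origin = "login.microsoft.com", "https://login.microsoft.com"
	key, pub, err := Register(rpId, "user@contoso.example") // constructed sample account
	if err != nil {
		return err, err, err
	}
	challenge := make([]byte, 32) // fresh server-side challenge per sign-in
	rand.Read(challenge)
	as, err := key.Sign(rpId, origin, challenge)
	if err != nil {
		return err, err, err
	}
	var last uint32 // counter the server stored for this user, initially 0
	last, genuine = VerifyAssertion(rpId, origin, pub, last, challenge, as)
	_, replay = VerifyAssertion(rpId, origin, pub, last, challenge, as) // same assertion again
	// A look-alike domain gets its own rpId from the browser, so the key has nothing to sign with.
	_, lookalike = key.Sign("login.microsoft.com.example", "https://login.microsoft.com.example", challenge)
	return genuine, replay, lookalike
}

func main() {
	g, r, l := RunScenario()
	fmt.Println("genuine:", g, "| replay:", r, "| look-alike:", l)
}
```

Running it prints `genuine: <nil>` followed by two errors: the replay is rejected by the counter check, and the look-alike origin never obtains a signature because the browser hands the key a different RP ID. That binding of the credential to the RP ID, enforced by the browser rather than by the user's judgement, is the property that makes the security-key sign-in shown above phishing resistant.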

Configure Security Key

The Feitian security key can be configured using three methods:

  1. Windows settings
  2. Feitian BioPass FIDO2 Manager
  3. Chrome Browser

Windows settings configuration for Security key

On a Windows 10 or Windows 11 device, click Start > Settings > Accounts > Sign-in options > Security key and click on Manage.

Manage Security key

Follow the prompts by touching the security key and setting up a security key PIN.

Configure Security key using FIDO2 Manager

Download FIDO2 Manager for Windows or Mac.

For other Windows users
Download BioPass FIDO2 Manager from Microsoft Store (Windows 10) or from FEITIAN website.

For Mac users
Download BioPass FIDO2 Manager from Mac App Store or from FEITIAN website.

Launch BioPass FIDO2 Manager and click on Add Fingerprint.

BioPass FIDO2 Manager Add Fingerprint

Provide the PIN if previously set up, or enter a new security PIN to configure one.

Touch the fingerprint sensor

It will ask you to touch the fingerprint sensor.


It will prompt you to touch the sensor multiple times to register your fingerprint. Once done, you will see Fingerprint 1 registered. You may register multiple fingerprints as well.

You can do the same from the Chrome browser as well.

Important Links

Azure Active Directory passwordless sign-in – Microsoft Entra | Microsoft Docs

Browser support of FIDO2 passwordless authentication – Microsoft Entra | Microsoft Docs
