ID-07: Passkey Adoption Coverage
Overview
This guide walks you through enabling passkeys in the Authentication methods policy and driving adoption so that a majority of your users have registered a passkey. Passkeys (device-bound FIDO2 credentials, including Microsoft Authenticator passkeys and security keys) are phishing-resistant by design. This control is a coverage measure: it is not about a single toggle, it is about getting real registration across your user base.
- Control ID: ID-07
- Category: Identity & Authentication
- Baseline Level: Level 2 (Enhanced Security)
- Severity: Medium
- License Required: None (passkey/FIDO2 support is included in all Microsoft Entra tiers, including Entra ID Free)
Why This Matters
Passkeys provide phishing-resistant authentication for all users. High adoption rates reduce organizational vulnerability to credential theft attacks. Microsoft and industry standards increasingly recommend passkeys as the primary authentication method.
Registering a method is not the same as everyone using it. A passkey is only protective for the users who actually have one, so the meaningful metric is the percentage of your population that has registered a passkey, not whether the feature is switched on. This control targets crossing the majority threshold and keeping a campaign running for the rest.
Expected State
- More than 50% of users have registered passkey methods
- Passkeys are enabled in Authentication Methods policy
- Registration campaign is active for remaining users
Prerequisites
| Requirement | Details |
|---|---|
| Role Required | Authentication Policy Administrator or Global Administrator (to enable methods and run a registration campaign) |
| License Required | None |
| Access | Microsoft Entra admin center (entra.microsoft.com) |
| Recommended Prerequisite | Complete the Authentication methods policy migration (see ID-06) so passkeys are managed centrally |
Before You Start
- Decide your passkey mix: Microsoft Authenticator passkeys (phones, no hardware cost) and/or FIDO2 security keys (for high-assurance or shared-device users).
- Have a Temporary Access Pass (TAP) path ready so users can bootstrap a passkey without an existing strong method.
- Know your denominator: how many users are in scope, so you can measure the >50% threshold.
Time Estimate
| Task | Duration |
|---|---|
| Enable passkey methods in the policy | 15 minutes |
| Configure and launch a registration campaign | 20 minutes |
| Communicate to users | 15 minutes |
| Reach majority adoption | Ongoing (weeks) |
| Total active work | ~1 hour plus an adoption period |
TrueConfig Remediation
This is a manual, coverage-based control. Users register passkeys themselves; there is no single switch that creates the credentials. TrueConfig measures and reports your passkey adoption percentage and whether passkeys are enabled in the policy, so you can track progress toward the majority threshold. Drive the remaining registration with the Microsoft Authenticator registration campaign and the steps below.
Step-by-Step Instructions
Step 1: Enable Passkeys in the Authentication Methods Policy
- Sign in to the Microsoft Entra admin center.
- Go to Protection > Authentication methods > Policies.
- To enable Microsoft Authenticator passkeys:
  - Open Microsoft Authenticator, set Enable to Yes, target All users.
  - In the settings, allow passkey (device-bound) sign-in.
- To enable FIDO2 security keys / passkeys:
  - Open Passkey (FIDO2), set Enable to Yes, target All users.
  - Set Allow self-service set up to Yes.
  - Leave attestation/key restrictions off unless you require specific vendors.
- Save.
Step 2: Provide a Bootstrap Method (Temporary Access Pass)
Users need a way to register a passkey if they have no strong method yet.
- In Authentication methods > Policies, open Temporary Access Pass.
- Enable it and scope it to onboarding or help-desk-driven registration.
- Help desk issues a TAP; the user signs in and registers a passkey.
Step 3: Launch a Registration Campaign
Nudge users to register passkeys during sign-in.
- Go to Authentication methods > Registration campaign.
- Enable the nudge and set it to prompt for a passkey / Microsoft Authenticator.
- Target All users (or start with a pilot group), and set a reasonable snooze count.
- Save. Eligible users are prompted to register at sign-in.
Step 4: Communicate to Users
Send a short, plain message so the prompt is expected:
Subject: Set up a passkey for faster, safer sign-in
We are rolling out passkeys. A passkey lets you sign in with your face, fingerprint, or PIN instead of a password, and it cannot be phished. Next time you sign in you may be asked to set one up. It takes about a minute. If you need help, contact IT at [contact].
Step 5: Track Adoption
- Go to Identity > Monitoring & health > Usage & insights > Authentication methods.
- Review registration by method to see passkey coverage.
- Track the percentage of users with a registered passkey against your total in-scope population.
- Keep the registration campaign active until you are comfortably past the majority threshold, then keep it running for new joiners.
Verification Checklist
- Passkey (FIDO2) is enabled and targeted to all users in the policy
- Microsoft Authenticator passkeys are enabled
- A Temporary Access Pass path exists for bootstrapping registration
- A registration campaign is active and nudging users
- Users have been told what to expect
- Authentication methods usage report shows passkey registration climbing
- More than 50% of in-scope users have registered a passkey
Troubleshooting
"Users cannot register a passkey"
Confirm the passkey method is enabled and the user is in the target scope. Users with no existing strong method need a Temporary Access Pass to complete first-time registration.
"Adoption is stuck below 50%"
The registration campaign nudge is snoozable. Reduce the allowed snoozes, re-communicate the benefit, and consider a deadline. For resistant populations, help desk can issue a TAP and walk users through registration directly.
"Microsoft Authenticator passkey option is missing on the phone"
Ensure users are on a current Authenticator version and their account is targeted for passkey in the policy. Device-bound passkeys require a compatible, recent OS.
"We want the strongest possible assurance for some users"
Issue FIDO2 hardware security keys to that group. For administrators specifically, require phishing-resistant MFA via Conditional Access authentication strength (see PA-05 and ID-04).
"How is coverage counted?"
Coverage is the share of in-scope users with at least one registered passkey. Enabling the method does not move the number; registration does. Use the Authentication methods usage report as the source.
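The coverage definition just given, together with the policy expectations from Steps 1-3 and the Verification Checklist, can be checked from exported Microsoft Graph JSON rather than by reading the admin center by eye. The script below is an added example, not TrueConfig's code or anything Microsoft ships. It assumes two Graph resources whose shapes are taken from the Graph reference and should be verified against current documentation: `GET /policies/authenticationMethodsPolicy` (method configurations with ids such as `Fido2`, `MicrosoftAuthenticator`, `TemporaryAccessPass`, plus the registration campaign) and `GET /reports/authenticationMethods/userRegistrationDetails` (per-user `methodsRegistered`, `userType`, `isAdmin`). The passkey method names in `PASSKEY_METHODS` and all sample tenant data are assumptions constructed for the example.

```python
"""Audit the ID-07 expected state from exported Microsoft Graph JSON.

Added example, not TrueConfig's code. Assumed input shapes (verify against the
current Graph reference):
  GET /policies/authenticationMethodsPolicy
  GET /reports/authenticationMethods/userRegistrationDetails
All sample data below is constructed, not from a real tenant.
"""

# methodsRegistered values that count as a passkey (assumed Graph enum names;
# adjust if your tenant's export uses different names).
PASSKEY_METHODS = {
    "fido2SecurityKey",
    "passKeyDeviceBound",
    "passKeyDeviceBoundAuthenticator",
    "passKeyDeviceBoundWindowsHello",
}
MAJORITY_THRESHOLD = 0.50  # ID-07 requires strictly more than 50%


def targets_all_users(config: dict) -> bool:
    """True if the method configuration's includeTargets covers the all_users group."""
    return any(t.get("id") == "all_users" for t in config.get("includeTargets", []))


def audit_policy(policy: dict) -> dict:
    """Map each policy expectation from Steps 1-3 to a pass/fail bool."""
    by_id = {c.get("id"): c for c in policy.get("authenticationMethodConfigurations", [])}
    fido2 = by_id.get("Fido2", {})
    authenticator = by_id.get("MicrosoftAuthenticator", {})
    tap = by_id.get("TemporaryAccessPass", {})
    campaign = policy.get("registrationEnforcement", {}).get(
        "authenticationMethodsRegistrationCampaign", {})
    return {
        "fido2_enabled": fido2.get("state") == "enabled",
        "fido2_all_users": targets_all_users(fido2),
        "fido2_self_service": fido2.get("isSelfServiceRegistrationEnabled") is True,
        "authenticator_enabled": authenticator.get("state") == "enabled",
        "authenticator_all_users": targets_all_users(authenticator),
        "tap_enabled": tap.get("state") == "enabled",
        "campaign_enabled": campaign.get("state") == "enabled",
    }


def passkey_coverage(records: list, include_guests: bool = False) -> dict:
    """Share of in-scope users with at least one registered passkey.

    Enabling a method never moves this number; only registration does. Guests
    are left out of the denominator by default so the metric tracks your own
    staff; pass include_guests=True if your in-scope population includes them.
    """
    in_scope = [r for r in records if include_guests or r.get("userType") == "member"]
    registered = {r["userPrincipalName"] for r in in_scope
                  if PASSKEY_METHODS & set(r.get("methodsRegistered", []))}
    admins_without = sorted(r["userPrincipalName"] for r in in_scope
                            if r.get("isAdmin") and r["userPrincipalName"] not in registered)
    coverage = len(registered) / len(in_scope) if in_scope else 0.0
    return {
        "in_scope": len(in_scope),
        "registered": len(registered),
        "coverage": coverage,
        "majority_reached": coverage > MAJORITY_THRESHOLD,
        "admins_without_passkey": admins_without,
    }


# --- constructed sample data (assumed shapes, fictional users) ---
ALL_USERS = [{"targetType": "group", "id": "all_users"}]
SAMPLE_POLICY = {
    "registrationEnforcement": {
        "authenticationMethodsRegistrationCampaign": {"state": "enabled", "snoozeDurationInDays": 3}
    },
    "authenticationMethodConfigurations": [
        {"id": "Fido2", "state": "enabled", "isSelfServiceRegistrationEnabled": True,
         "isAttestationEnforced": False, "includeTargets": ALL_USERS},
        {"id": "MicrosoftAuthenticator", "state": "enabled", "includeTargets": ALL_USERS},
        {"id": "TemporaryAccessPass", "state": "enabled", "includeTargets": ALL_USERS},
    ],
}


def _user(upn, methods, user_type="member", is_admin=False):
    return {"userPrincipalName": upn, "userType": user_type,
            "isAdmin": is_admin, "methodsRegistered": methods}


SAMPLE_REGISTRATIONS = [
    _user("alice@contoso.example", ["passKeyDeviceBoundAuthenticator", "mobilePhone"]),
    _user("bob@contoso.example", ["fido2SecurityKey"], is_admin=True),
    _user("carol@contoso.example", ["microsoftAuthenticatorPush"]),
    _user("dan@contoso.example", ["passKeyDeviceBoundWindowsHello"]),
    _user("breakglass@contoso.example", ["mobilePhone"], is_admin=True),
    _user("partner@fabrikam.example", [], user_type="guest"),
]

if __name__ == "__main__":
    for check, ok in audit_policy(SAMPLE_POLICY).items():
        print(f"{'PASS' if ok else 'FAIL'} {check}")
    result = passkey_coverage(SAMPLE_REGISTRATIONS)
    print(f"passkey coverage {result['coverage']:.0%} "
          f"({result['registered']}/{result['in_scope']}), "
          f"majority reached: {result['majority_reached']}")
    print("admins without a passkey:", result["admins_without_passkey"])
```

With the constructed data the tenant passes every policy check and sits at 3 of 5 members (60%), so the majority threshold is met; counting the guest as well gives exactly 3 of 6, which is not more than 50% and so does not pass. That is the "know your denominator" point from Before You Start: decide who is in scope before reading the percentage. The list of admins without a passkey is the population to move to hardware keys first (PA-05).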
Cost Considerations
| Component | Cost Impact |
|---|---|
| License | None. Passkey/FIDO2 support is in all Entra tiers including Free. |
| Microsoft Authenticator passkeys | Free. Requires a compatible smartphone users already have. |
| FIDO2 security keys | Optional hardware, roughly $25-70 per key, only for users who need hardware-backed or shared-device passkeys. |
| Operational | Campaign management and help-desk support during rollout. |
Note: The cheapest path to majority coverage is Microsoft Authenticator passkeys on phones. Reserve hardware keys for admins and high-assurance users.
Related Controls
- ID-06: Complete Authentication Methods Policy Migration - Manage passkeys from the unified policy first
- ID-01: User MFA Registration - Overall method registration coverage
- ID-04: Require Phishing-Resistant MFA for All Users - Enforce passkeys once adoption is high
- PA-05: Require Phishing-Resistant MFA for Admins - Passkeys for the highest-risk accounts first