Forum Discussion
AdityaMitra5102
Apr 10, 2024 Copper Contributor
Doubt about passwordless authentication
I have security keys enrolled for the users in my organization. Now I want them to sign in to an app with delegated access. They are able to open the app, it redirects to the Microsoft login page, th...
JosvanderVaart
Apr 10, 2024 Iron Contributor
Entra ID or the YubiKey do not provide this PIN. Windows requires a PIN to be used for authentication with a FIDO2 key.
- AdityaMitra5102 Apr 15, 2024 Copper Contributor
JosvanderVaart Not really. When you are trying to authenticate to Entra ID, Entra ID creates something called publicKey Options. The public Options contain three major fields, 'challenge', 'rpId', and 'UserVerification'. The challenge is a random cryptographic challenge. The UserVerification governs whether the PIN is required. UserVerification can have any one of the three values 'required', 'preferred' or 'discouraged'. If it is 'required' or 'preferred', Windows asks for the PIN of the YubiKey. If it is 'discouraged', it doesn't. I tried to inspect the publicKey options created by Entra ID and it always contains UV set to 'required', which enforces the PIN. If there is a way for Entra ID to create the publicKey options with UV 'discouraged', it won't ask for the PIN. I am asking whether there is a way to configure that.
(Reference: Web Authentication API from MDN docs)
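An added example, not part of the thread and not Entra ID's code: how a relying party can check that the `userVerification` value it put in the request options was actually honoured, by reading the UP and UV flag bits from the authenticator data returned with the assertion. The `rpId` value, the function names and the sample bytes are constructed for illustration; the 37-byte header layout and the flag bits follow the WebAuthn specification.

```javascript
const FLAG_UP = 0x01; // user present (touch)
const FLAG_UV = 0x04; // user verified (PIN or biometric)

// Fixed header of authenticatorData:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new RangeError("authenticatorData must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Compare the policy that was requested with what the authenticator reported.
function checkUserVerification(requestOptions, authenticatorData) {
  const policy = requestOptions.userVerification ?? "preferred"; // spec default
  if (!["required", "preferred", "discouraged"].includes(policy)) {
    throw new TypeError(`unknown userVerification value: ${policy}`);
  }
  const parsed = parseAuthenticatorData(authenticatorData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "user presence flag not set" };
  }
  if (policy === "required" && !parsed.userVerified) {
    return { ok: false, reason: "UV required but flag not set" };
  }
  return { ok: true, policy, userVerified: parsed.userVerified };
}

// Constructed sample input: rpIdHash is left as zeros (placeholder, not a real hash).
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

// Constructed request options; a real challenge is random, and rpId is a placeholder.
const requestOptions = {
  challenge: new Uint8Array(32),
  rpId: "login.example.com",
  userVerification: "required",
};
```

A complete verification also checks the signature, the challenge and that `rpIdHash` equals the SHA-256 hash of the expected `rpId`; this block covers only the user-verification part.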