Version: 10.5.0

Passwordless with Enterprise Passkey

Pairing a HYPR Enterprise Passkey

Previously, pairing a workstation to a HYPR Enterprise Passkey required additional steps involving Entra. With Third-Party Passkey Provider (3PPP), HYPR creates the Entra passkey during setup based on your signed-in Windows/Entra identity. You may be prompted once to enable the mobile Credential Provider; no separate registration in the Entra portal is required.

Take Only One

The HYPR Mobile App supports only one Entra passkey credential per device. You may still register other FIDO2 passkeys to the account; just not another Entra Passkey.

Biometrics for Passkeys

Using a HYPR Enterprise Passkey requires your mobile device to have biometrics enabled. Before setting up a passkey, check that biometrics are enabled on your mobile device and that at least one biometric (e.g., face or fingerprint) is enrolled.

Passkey Provider Pop-up

In the HYPR Mobile App, when registering a passkey for the first time, you will be prompted to enable the Credential Provider:

Tap Enable Provider to be able to register and authenticate using a passkey.

Setting Up Third-Party Passkey Provider (3PPP)

New Feature

Third-Party Passkey Provider support is a new feature. This feature is subject to change as development continues.

Prerequisites

HYPR Tenant Configuration

Before users can set up 3PPP, the following must be configured by HYPR Support:

Required Feature Flags:

  • FIDO2_MOBILE_3PPP_ENABLED - Enables 3PPP functionality
  • AZURE_PROVISION_API - Enables Entra ID passkey provisioning
  • FIDO2_MOBILE_AUTHENTICATOR - Enables mobile authenticator support
  • ANDROID_BIOMETRIC_PROMPT_SECURITY - Required for Android biometrics
  • RP_APP_WORKSTATION_ENABLED - Enables workstation app functionality

Contact HYPR Support

These feature flags must be enabled by HYPR Support before 3PPP can be used. Contact your HYPR Account Manager or Support to enable these features.

Entra ID Configuration

The following must be configured in your Entra ID tenant:

  1. Enable FIDO2 Security Keys:

    • Navigate to Entra Active Directory → Security → Authentication methods
    • Click on Passkey (FIDO2) authentication method policy
    • Enable security keys and set to Include All users
    • Leave registration as Optional
  2. Configure FIDO2 Settings:

    • Set Enforce attestation to your organization's preference (HYPR supports both True and False)
    • Ensure Allow self-service setup is enabled
  3. For Hybrid-Joined Workstations:

    • Enable AES256_HMAC_SHA1 on Domain Controllers
    • Configure Active Directory and Entra to support Entra AD Kerberos
    • Install the Azure AD Kerberos PowerShell module
    • Configure support for administrative accounts (by default, high-privilege accounts can't use security keys)

Workstation Requirements

  • Windows 10/11 with supported patch levels
  • Entra-joined or Hybrid-joined workstation
  • HYPR Passwordless for Windows 10.3.0+ installed
  • For hybrid-joined: healthy on-premises AD connectivity
  • Mobile device with iOS 17+ or Android 15+ and biometrics enabled

3PPP Setup Process

Entra-joined devices

  1. Verify HYPR tenant configuration
    • Contact HYPR Support to confirm required feature flags are enabled
    • Verify your tenant has an active Entra ID integration configured
    • Ensure the integration is enabled in HYPR Control Center
  2. Configure Entra ID (if not already done)
    • Enable Passkey (FIDO2) authentication method and target intended users/groups
    • Configure FIDO2 settings including attestation per policy
    • Verify join status with dsregcmd /status (AzureAdJoined: YES; DomainJoined: NO)
  3. Install and configure HYPR Passwordless
    • Download and install HYPR Passwordless for Windows from your tenant
    • Ensure the workstation is Entra-joined and meets patch requirements
    • Verify network connectivity and required permissions
  4. Enable the mobile Credential Provider
    • In the HYPR One mobile app, ensure the Credential Provider is enabled when prompted and grant camera, Bluetooth and biometric permissions

Hybrid-joined devices

  1. Verify HYPR tenant configuration
    • Contact HYPR Support to confirm required feature flags are enabled
    • Verify your tenant has an active Entra ID integration configured
    • Ensure the integration is enabled in HYPR Control Center
  2. Configure Entra ID and DC prerequisites
    • Enable Passkey (FIDO2) authentication method and target intended users/groups
    • Configure FIDO2 settings including attestation per policy
    • On Domain Controllers, enable AES256_HMAC_SHA1 and configure Entra AD Kerberos (install Azure AD Kerberos PowerShell module)
    • If needed, enable security key sign-in for administrative/high-privilege accounts per Microsoft guidance
  3. Prepare the workstation and policies
    • Verify dsregcmd /status shows Hybrid Azure AD Joined (AzureAdJoined: YES; DomainJoined: YES)
    • Ensure line-of-sight to on-prem AD at login (direct or VPN as policy allows)
    • Via Intune/Group Policy, enable Windows sign-in with security keys (FIDO2 Credential Provider) on hybrid devices
    • Ensure no certificate templates or CBA enforcement policies are applied that would force x509 instead of passkeys
  4. Enable the mobile Credential Provider
    • In the HYPR One mobile app, ensure the Credential Provider is enabled when prompted and grant camera, Bluetooth and biometric permissions
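As an added example (not HYPR's own code and not part of this guide), the following PowerShell check, run on the workstation before pairing, classifies the join state that the dsregcmd /status steps above verify, confirms domain-controller reachability for hybrid devices, and prints the signed-in UPN that determines identity alignment. The function and output field names are invented here; the dsregcmd, nltest and whoami output formats are the standard Windows ones.

```powershell
# Added example, not HYPR's tooling: read-only pre-pairing check for the workstation side of 3PPP.
function Get-JoinState {
    param([string[]]$StatusLines)          # lines captured from `dsregcmd /status`
    $state = @{ AzureAdJoined = $false; DomainJoined = $false }
    foreach ($line in $StatusLines) {
        # dsregcmd prints lines such as "   AzureAdJoined : YES"
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    if ($state.AzureAdJoined -and $state.DomainJoined) { return 'Hybrid' }       # AzureAdJoined: YES; DomainJoined: YES
    if ($state.AzureAdJoined)                          { return 'EntraJoined' }  # AzureAdJoined: YES; DomainJoined: NO
    return 'Unsupported'
}

function Test-HyprPasskeyPrereqs {
    $status = dsregcmd /status
    $join   = Get-JoinState -StatusLines $status
    $result = [ordered]@{ JoinState = $join; Ready = $false }

    switch ($join) {
        'EntraJoined' {
            # Cloud-only path: no on-prem dependency at sign-in
            $result.Ready = $true
        }
        'Hybrid' {
            # Hybrid sign-in needs a reachable domain controller (direct or VPN)
            nltest "/dsgetdc:$env:USERDNSDOMAIN" *> $null
            $result.DcReachable = ($LASTEXITCODE -eq 0)
            $result.Ready = $result.DcReachable
        }
        default {
            $result.Reason = 'Workstation is neither Entra-joined nor hybrid-joined'
        }
    }

    # Identity alignment: the Entra passkey is created for the account signed in during pairing
    $result.SignedInUpn = (whoami /upn 2>$null)
    # Windows 10 and 11 both report major version 10
    $result.WindowsMajor = [Environment]::OSVersion.Version.Major
    return [pscustomobject]$result
}

Test-HyprPasskeyPrereqs | Format-List
```

Run it as the user who will pair; a blank SignedInUpn means the session is a local account rather than the intended Entra identity.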

3PPP Functionality

  • HYPR One acts as a native passkey provider on iOS and Android, enabling Entra login across Windows OS and browsers
  • Session passkey SSO is available after desktop login; QR fallback is available when proximity cannot be established
  • Only one Entra passkey per device is supported; other FIDO2 passkeys may coexist
  • Identity alignment: The Windows account/Entra tenant you use during pairing determines which Entra identity the passkey is created for
  • Works with both Entra-joined (cloud-only) and hybrid-joined workstations/accounts
  • Managed devices/workstations: ensure MDM does not block passkey providers, Bluetooth proximity, camera access, or associated domains

Troubleshooting

If no Passkey Appears in My Passkeys After Pairing

  1. Verify Feature Flags: Contact HYPR Support to confirm FIDO2_MOBILE_3PPP_ENABLED is enabled
  2. Check Mobile Credential Provider: Ensure you have enabled Credential Provider when prompted by the pop-up in the HYPR One Mobile App
  3. Verify Biometrics: Ensure device biometrics are set up; passkeys require biometrics
  4. Confirm Identity Alignment: Check the Windows user and Entra tenant are correct:
    • In Windows: Settings → Accounts → Access work or school (and whoami /upn)
    • If you paired while signed into a different Windows/Entra profile, the passkey may be associated with that identity
    • To correct: remove any unintended Entra passkey from HYPR One (My Security Keys), sign into Windows with the intended Entra user, then re-run pairing
  5. Check App Permissions: Verify camera, Bluetooth/proximity permissions are granted
  6. Verify Workstation Status: Ensure workstation is Entra-joined or hybrid-joined and running supported HYPR Passwordless version
  7. MDM Policies: If managed, ensure MDM policies do not block passkey providers or required associations
  8. Hybrid-joined Specific: Verify workstation has healthy on-premises AD connectivity and hybrid trust (device shows "Hybrid Azure AD Joined" in Entra ID)

Pairing with HYPR on a Domain-joined Workstation

  1. Log in to Windows as an Entra cloud-only or hybrid account (e.g., carol.shaw@highlands_entra.com).

  2. Launch the HYPR Passwordless client.

  3. Click Start Pairing.

  4. Scan the QR code on the screen. You will be prompted to authenticate on your device.

  5. Wait for the pairing to be completed.

  6. You will be notified once the pairing has been established successfully.

  7. HYPR Passwordless client returns to the main screen, now displaying your paired device. The device’s HYPR Mobile App menu now contains your workstation account in the My Computers section.

For more information about pairing your mobile device, see HYPR Passwordless and the HYPR Mobile App.

Invitation Emails

Unlike other integrations' enrollment processes, HYPR Enterprise Passkey does not send invited users a link to pair with Device Manager. Instead, the email is informational only, and the link provided connects to this article.

Logging In with HYPR Enterprise Passkey

Logging In to Windows

The experience for logging in to your desktop with the HYPR Enterprise Passkey is tied closely to the HYPR Mobile Application experience.

See Tap to Login and Unlocking/Locking for the full step-by-step guide.

2-Step Enterprise Passkey Login (Cross-Platform)

  1. On your workstation, navigate to the Microsoft login screen (login.microsoft.com in your browser or otherwise).

  2. When prompted, select Sign-in options:

  3. Select Face, fingerprint, PIN or security key.

  4. When prompted how you would like to sign in, select iPhone, iPad, or Android device and click Continue.

  5. You will be shown a QR code. To continue, scan the QR code using your device's camera.

    If you are using the HYPR One mobile app to scan the QR code, make sure that the app has access to the camera (tap Allow if prompted):

  6. Tap Continue if prompted to connect to your other device.

  7. Tap Continue when prompted to sign in with your passkey.

    If the mobile device is within the proximity limit and you pass the biometrics check, you will be logged in to your Microsoft account:

Logging In to Entra Protected Content on Mobile

  1. On your mobile device, navigate to the Microsoft Sign in screen (via browser or app like Copilot), enter your email address and tap Next.

  2. Tap Next again and then tap Continue when prompted to sign in with your passkey.

If the mobile device is within the Bluetooth proximity limit and the user passes the biometrics check, the user will be logged in to their Microsoft account.