Passkey Authentication

Body

Passkey authentication is a secure way to sign in without using a traditional password. It is required for confidential data processors and individuals responsible for critical university business. However, all members of the BSU community are encouraged to use passkeys.

Instead of typing a password, passkeys use your device’s built-in security, such as Face ID, fingerprint, PIN, or screen lock, to verify your identity. Passkeys are one of the strongest forms of MFA and provide strong protection against phishing and stolen passwords.

Before you begin: IT will never ask for your password, MFA code, passkey, YubiKey, PIN, or recovery information.

Overview

Please read this Knowledge Base article carefully. Questions may be sent to itsupport@bridgew.edu.

Supported Passkeys

Windows Hello for Business

Windows Hello for Business is configured on all newly issued Windows laptops from the IT Division. It provides a secure, passwordless way to sign in to your Windows device and campus apps using a PIN, fingerprint, or facial recognition tied to your device.

Microsoft Authenticator App

The Microsoft Authenticator app supports passkeys, allowing you to sign in without a password. Passkeys stored in the app can be used to sign in to campus accounts by scanning a QR code on a Bluetooth-enabled device using a smartphone running Android 14 or later, or iOS 17 or later. 

Yubico YubiKey

A YubiKey is a small, secure USB device that lets you sign in with a passkey by plugging it in or tapping it. It stores passkeys safely on the device and supports USB or NFC authentication. YubiKeys are fast, phishing-resistant, and useful for anyone who wants a physical security key to protect campus accounts and data.

iCloud Keychain

iCloud Keychain can securely save and sync your passkeys across Apple devices, including iPhone, iPad, and Mac. Passkeys stored in your iCloud Keychain can be used to sign in to campus accounts by scanning a QR code on a Bluetooth-enabled device using an iPhone running iOS 17 or later.

Google Password Manager

Google Password Manager can save passkeys to your Google Account and sync them across Android devices and Chrome. Passkeys stored in your iCloud Keychain can be used to sign in to campus accounts by scanning a QR code on a Bluetooth-enabled device using an Android running 14 or later.

Return to top

Do I need a Passkey? How do I choose?

The best passkey option depends on the device you are using and your role or access requirements.

Device or situation Recommended passkey options
Personal device YubiKey, Microsoft Authenticator App, iCloud Keychain, or Google Password Manager. Windows Hello for Business cannot be used on personal devices.
BSU laptop Newly issued BSU laptops have Windows Hello for Business enabled and already store a passkey for authentication. If your laptop does not have Windows Hello for Business, the IT Division can provide a YubiKey or a new laptop.
Personal device, off-campus, no smartphone Email security@bridgew.edu to request a YubiKey.

Return to top

What is a syncable passkey?

Syncable passkeys make secure sign-ins feel effortless. Once saved to a trusted service like iCloud Keychain or Google Password Manager, your passkey can follow you across your devices, so you can sign in quickly using Face ID, Touch ID, fingerprint, or your device screen lock. It is a simpler, smoother way to access your account while still providing strong protection against phishing and stolen passwords.

Return to top

Configure Syncable Passkey

  1. Sign into https://aka.ms/mysecurityinfo.
  2. Click "Add sign-in method".Uploaded Image (Thumbnail)
  3. Select "Next".Uploaded Image (Thumbnail)
  4. Select "Next".Uploaded Image (Thumbnail)
  5. Before selecting "Continue", select "Change" and choose "iPhone, iPad, or Android Device"Uploaded Image (Thumbnail)Uploaded Image (Thumbnail)
  6. Turn on Bluetooth.Uploaded Image (Thumbnail)
  7. Open the Camera on your mobile device and scan the QR code.
  8. Follow the prompts on your mobile device.
  9. Name your passkey. Uploaded Image (Thumbnail)
  10. You are done.

 

Return to top

How do I configure the Microsoft Authenticator App to use a Passkey?

  1. Download and install the Microsoft Authenticator app from Apple’s App Store or the Google Play Store.
  2. Select your BSU account in the Microsoft Authenticator app.
  3. Select Create a passkey under Other ways to sign in. Create a passkey option in Microsoft Authenticator
  4. Select the Sign in button at the bottom.
  5. Sign in to your BSU account using MFA. Sign in to BSU account using MFA
  6. Your passkey is now set up and configured. Passkey setup confirmation

Return to top

Using your passkey from Microsoft Authenticator

  1. When prompted to enter your password while signing in, select Use your face, fingerprint, PIN, or security key instead above the sign-in button. Use face, fingerprint, PIN, or security key option
  2. Select iPhone, iPad, or Android device, then select Next. Select iPhone, iPad, or Android device
  3. If Bluetooth is not enabled, select Turn on Bluetooth when prompted. Turn on Bluetooth prompt
  4. Scan the QR code on your screen using your mobile device. Open your phone’s camera app, aim it at the QR code, and select Sign in with a passkey at the bottom of the phone screen.
  5. You will be signed in to your BSU account.

Return to top

How do I configure a Yubico YubiKey for my BSU account?

  1. Navigate to https://mysignins.microsoft.com/security-info. Microsoft Security Info page
  2. Select + Add sign-in method under Security Info. Add sign-in method
  3. Under Add a sign-in method, select Security Key.
  4. Under Security Key, select USB Device. Security key option USB device selection
  5. When the Windows Security window appears, select Security Key.
  6. Insert your YubiKey into your computer and enter your password. Insert YubiKey and enter password
  7. Touch the yellow center of your YubiKey to continue.
  8. Give your YubiKey a descriptive name you will remember. Name your YubiKey

Return to top

Using your YubiKey

  1. When signing in to your BSU account, enter your email address as you normally would. Enter BSU email address
  2. Select Use your face, fingerprint, PIN, or security key instead. Use face, fingerprint, PIN, or security key option
  3. Select Security key, insert your YubiKey into your computer, and enter your PIN to authenticate.
  4. Touch your YubiKey to complete authentication. Touch YubiKey to authenticate

Return to top

How do I enroll my BSU-owned device in Windows Hello for Business?

To enroll a BSU-owned device in Windows Hello for Business, follow the steps below.

  1. Submit your device information to security@bridgew.edu. Include one of the following:
    • Your computer’s hostname, typically found in system settings
    • Your laptop’s model number, if you are unable to locate the hostname
  2. Wait for configuration confirmation.
    • After your device has been properly configured, you will receive a confirmation email from the BSU IT Security Team.
  3. Complete enrollment on campus.
    • Bring your laptop to campus and reboot your device while connected to the BSU network.

The reboot will initiate the enrollment process for Windows Hello for Business and enable secure PIN-based authentication.

If you have questions or encounter issues during this process, please contact security@bridgew.edu.

Return to top

Common Issues

  1. QR code scanning: When using your passkey with the Microsoft Authenticator app, you will be prompted to scan a QR code. Scan the QR code with your phone’s camera or built-in scanner app. Do not scan it from within the Microsoft Authenticator app, because that scanner is used for a different MFA enrollment process.
  2. Unable to add a passkey: If you cannot add a passkey to the Microsoft Authenticator app, your phone or app may be out of date. Make sure your phone is running Android 14 or later, or iOS 17 or later, and update the Microsoft Authenticator app.
  3. Windows Hello for Business issues: If you use Windows Hello for Business, you may occasionally need to reboot your computer. It is recommended that you shut down your laptop at the end of the day instead of only closing the lid or using sleep, hibernate, or standby.
  4. Unable to sign in because computer does not have Bluetooth: Some passkey sign-ins require Bluetooth so your phone and the computer you are signing in from can confirm they are physically near each other. If the computer does not have Bluetooth, or if Bluetooth is turned off, you may not be able to complete sign-in using a phone-based passkey. In that case, try turning Bluetooth on, using a different device that supports Bluetooth, or signing in with another approved passkey method such as Windows Hello for Business or a YubiKey.
  5. Unable to use the YubiKey to sign-in because there is no port available: A YubiKey must be physically connected to, or tapped against, the device you are using to sign in. If your computer does not have a compatible USB port or NFC interface, the YubiKey may not work without an adapter. For example, some YubiKeys use USB-A, while many newer laptops only have USB-C ports. In that case, you may need a USB-A to USB-C adapter or a YubiKey model that matches the ports on your device. 

Return to top

```

Details

Details

Article ID: 165115
Created
Wed 3/19/25 9:55 AM
Modified
Wed 6/17/26 3:40 PM