Summary
The registration process to set up a YubiKey is the same for Windows, MacOS (using a Chrome browser) and mobile devices. However, MacOS requires that a PIN be set on the security key prior to registering the key with Microsoft.
Body
Phishing-Resistant Methods – Setup and Use - DRAFT
Contents
Phishing-Resistant Methods – Setup and Use - DRAFT
Hardware Security Keys/YubiKeys
Security key best practices
Security Key Setup
Security Key Use
Microsoft Authenticator Passkeys
Microsoft Authenticator Passkey Setup
Enable Passwordless Sign-In
Microsoft Authenticator Passkey Use
Sign In on a Different Device Using a Microsoft Authenticator Passkey
Windows Hello For Business (WHFB) (Domain-joined Windows OS)
WHFB Setup
WHFB Use
Platform SSO (MacOS)
Platform SSO Setup
Platform SSO Use
Hardware Security Keys/YubiKeys
Security key best practices
(published on https://www.umsystem.edu/ums/is/infosec/security-keys )
Key Importance:
•Treat your security key with the same importance as a car key.
•Do not inscribe your name or any other meaningful personal information on the key. This includes stickers or keychains that contain said personally identifiable information.
PIN Security:
•A PIN is mandatory and should not be simplistic, such as “000000” or “123456.”
•Avoid writing the PIN on a sticky note; instead, create a memorable code that doesn’t require physical or electronic documentation.
•Do not disable interfaces to circumvent the PIN prompt.
•The minimum PIN length is 6 characters, with a preference for 8 or more alphanumeric characters.
•PINs must not contain any personal identifiers like Employee ID, Social Security number, phone number or any details related to the key owner.
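For IT staff who want to check a candidate PIN against the rules above, the following is an added example, not part of the original guidance or any Yubico or Microsoft tool. It assumes that "simplistic" means one repeated character or a straight ascending or descending run, and that sharing any 4-character fragment with a personal identifier counts as containing it; the function names and the sample owner data are constructed.

```python
import re
from dataclasses import dataclass, field

MIN_LEN = 6        # page: minimum PIN length is 6 characters
PREFERRED_LEN = 8  # page: preference for 8 or more alphanumeric characters
FRAGMENT = 4       # assumption: a 4-character overlap counts as "containing" an identifier


@dataclass
class PinReview:
    errors: list = field(default_factory=list)    # rule violations
    warnings: list = field(default_factory=list)  # allowed, but below the preference

    @property
    def ok(self):
        return not self.errors


def _norm(text):
    """Lower-case and drop separators so 573-555-0142 matches 5735550142."""
    return re.sub(r"[^0-9a-z]", "", text.lower())


def _is_run(pin):
    """True for one repeated character or a straight +1/-1 sequence."""
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def _shares_fragment(pin, ident):
    return any(ident[i:i + FRAGMENT] in pin for i in range(len(ident) - FRAGMENT + 1))


def review_pin(pin, personal_identifiers=None):
    """Check a candidate PIN; personal_identifiers maps a label to the owner's value."""
    review = PinReview()
    if not pin:
        review.errors.append("a PIN is mandatory")
        return review
    if len(pin) < MIN_LEN:
        review.errors.append(f"shorter than {MIN_LEN} characters")
    elif len(pin) < PREFERRED_LEN or not (re.search(r"\d", pin) and re.search(r"[A-Za-z]", pin)):
        review.warnings.append(f"prefer {PREFERRED_LEN}+ characters mixing letters and numbers")
    if _is_run(pin):
        review.errors.append("simplistic: repeated or sequential characters")
    normalized = _norm(pin)
    for label, value in (personal_identifiers or {}).items():
        if _shares_fragment(normalized, _norm(value)):
            review.errors.append(f"contains part of the owner's {label}")
    return review


if __name__ == "__main__":
    owner = {"phone number": "573-555-0142", "employee ID": "E1048823"}  # constructed
    for candidate in ("000000", "123456", "739142", "go5550142", "tr4in9ow"):
        result = review_pin(candidate, owner)
        print(len(candidate), "chars:", "ok" if result.ok else result.errors, result.warnings)
```

The messages never echo the PIN itself, so the output can be logged or shown on screen without exposing the candidate value.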
Key Custody:
•Never leave your YubiKey or other security key unattended.
•When traveling, keep the key separate from your laptop; for example, if the laptop is in a bag, carry the key in your pants pocket, purse or another carrying method.
Key Storage:
•Upon stepping away from your laptop or computer, remove the key and store it securely, preferably on your person.
•Do not keep your security key attached to your name badge/University ID card.
Public Use Precautions:
In public settings, be cautious of onlookers when entering your PIN. Physically rotate yourself 90 degrees to shield the PIN entry from view as you type it.
Authentication Methods:
After both the security key and the Microsoft Authenticator application have been configured on the account, visit mysignins.microsoft.com to remove the SMS and phone call authentication options from your account. These methods are less secure.
Loss Prevention:
•In case of a lost or stolen key, report it immediately to the Division of IT by contacting the IT Help Desk.
•As soon as possible, remove the security key as an authentication method from your account.
•Log in to mysignins.microsoft.com with your alternative multi-factor method (i.e. Microsoft Authenticator).
•Select “Security info.”
•Click on “Delete” next to security key/method for the device that was lost or stolen.
•Click “OK” to confirm deletion of security key.
Security Key Setup
The registration process to set up a YubiKey is the same for Windows, MacOS (using a Chrome browser) and mobile devices. However, MacOS requires that a PIN be set on the security key prior to registering the key with Microsoft. Scroll down for instructions for setting a PIN on MacOS.
Microsoft Multi-Factor Authentication (MFA) registration
1.Go to mysignins.microsoft.com.
2.Select “Security info.”
3.Click “Add sign-in method.”
4.Select “Security key” and click “Add.” (you may be asked to sign in again)
5.Choose “USB device.”
6.Have your key ready to plug into the USB port and click “Next.”
7.You will be directed to another splash page. Choose “Security key.”
8.Click “Next.”
9.Click “OK” twice.
10.Insert the security key into the USB port.
11.Set a PIN that is at least 8 characters. It should be a combination of numbers and letters. See PIN Security for recommendations for selecting a secure PIN.
12.Touch your security key that is still plugged in.
13.Click “OK” to be redirected back to the “My Sign Ins” Security info page.
14.Name your security key. This name will be displayed on the Security info page so you can identify your security key.
15.The key is now set up.
Setting a PIN on MacOS
If you are using MacOS with Safari, a PIN must be set on the security key prior to registering the key with Microsoft. You must have software installed (i.e. YubiKey Manager) and be able to run that software as Administrator. For employees with MacOS, contact your IT staff to assist in establishing the PIN using the IT Pro workstation and process below.
1.Install the Yubico Authenticator app.
2.Once installed, open Yubico Authenticator and click on the shield icon on the left.
3.Next, click "Set PIN" to the right under "Manage."
4.Enter a PIN and click "Save."
5.You will notice that it now shows "Change PIN" under "Manage."
Security Key Use
Step 1: Start Sign-In
•Go to the application or Microsoft sign-in page (for example, Microsoft 365 or a university app).
•Enter your university email address.
•Select Next.
Step 2: Choose the Security Key Sign-In Option
•When asked how you want to sign in, select:
    o Security key, or
    o Use a security key, or
    o Sign in another way → Security key
Step 3: Insert or Activate Your Security Key
•Depending on your key type:
    o USB Security Key - Insert the security key into the USB port on your computer.
    o NFC Security Key - Hold the key near the NFC reader on your device.
Step 4: Complete the Security Key Prompt
•When prompted, tap or touch your security key.
•If your key has a PIN, enter it.
•If your key has a button or touch surface, press it when prompted.
You are now signed in — no password required.
Microsoft Authenticator Passkeys
The Microsoft Authenticator application allows a passkey to be created on a mobile device to be used on that device and authenticate to other devices using a QR code and a Bluetooth connection.
Microsoft Authenticator Passkey Setup
https://support.microsoft.com/en-US/authenticator/download-microsoft-authenticator
https://support.microsoft.com/en-us/account-billing/set-up-a-passkey-in-microsoft-authenticator-0a992136-5909-4230-8232-91b0a55a92eb
https://tdx.umsystem.edu/TDClient/36/DoIT/KB/PrintArticle?ID=1536
What You Need Before You Start
•A university Microsoft work or school account
•A mobile device with:
    o iOS 17 or later, or
    o Android 14 or later
•The Microsoft Authenticator app installed and updated
•Your phone must have:
    o A screen lock (PIN, fingerprint, or face recognition)
•Your university must allow passkeys for sign-in (most universities using Entra ID do)
Important Notes for University Users
•Passkeys are device-specific. If you get a new phone, you must create a new passkey. [lazyadmin.nl]
•You may still keep a password or security key as a backup.
•You can have multiple accounts (student, employee, guest) in Authenticator.
•If you lose your phone, contact your university IT Help Desk for recovery.
Option 1 (Recommended): Set Up a Passkey Directly in the Authenticator App
This is the easiest and fastest method.
Step 1: Install or Open Microsoft Authenticator
•Download Microsoft Authenticator from the Apple App Store or Google Play Store (if not already installed).
•Open the app. [support.mi...rosoft.com]
Step 2: Add Your University Account (If Not Already Added)
•If prompted, select Add account.
•Choose Work or school account.
•Sign in with your university email and complete any MFA steps required. [learn.microsoft.com]
Step 3: Create a Passkey
•In the Authenticator app, tap your university account.
•Select Create a passkey.
•When prompted, approve with:
    o Fingerprint, face recognition, or device PIN. [learn.microsoft.com]
Step 4: Enable Authenticator as a Passkey Provider (First-Time Setup)
•Follow the on-screen instructions to allow Microsoft Authenticator to store passkeys on your device.
•On iOS or Android, ensure AutoFill Passwords and Passkeys is enabled and Microsoft Authenticator is selected. [learn.microsoft.com]
Step 5: Finish Setup
•When completed, you’ll see Passkey added for your university account.
•Your passkey is now ready for sign-in.
Option 2: Set Up a Passkey from a Browser (Laptop or Phone)
Use this method if you prefer starting from a web page.
Step 1: Go to Security Info
•On any device, open: https://aka.ms/mysecurityinfo
•Sign in with your university account. [support.mi...rosoft.com]
Step 2: Add a Sign-In Method
•Select Add sign-in method.
•Choose Passkey in Microsoft Authenticator.
•Click Next.
Step 3: Complete Setup in Authenticator
•Open the Microsoft Authenticator app on your phone.
•Select your university account.
•Tap Create a passkey and approve the request.
Step 4: Confirm
•Return to the browser and confirm completion.
•You should now see Passkey listed under your sign-in methods.
Enable Passwordless Sign-In
Enable Passwordless Sign-In in Microsoft Authenticator
This enables sign-in without entering your password using phone approval.
Step 1: Install and Open Microsoft Authenticator
•Install Microsoft Authenticator from the App Store or Google Play (if needed).
•Open the app. [learn.microsoft.com]
Step 2: Add Your University Account
•Tap Add account (or +).
•Select Work or school account.
•Sign in with your university email and password one last time, and complete MFA if prompted. [learn.microsoft.com]
Step 3: Turn On Passwordless Phone Sign-In
•In Authenticator, tap your university account.
•Select Turn on phone sign-in (or Enable passwordless sign-in).
•Approve the request using your device PIN or biometrics.
Microsoft Authenticator Passkey Use
What You Need Before You Start
•Microsoft Authenticator App with Passkey already created
•If logging into a device that is not the device with the Authenticator App, you must:
    o Have Bluetooth enabled on your device with Microsoft Authenticator
    o Have Bluetooth enabled on the device you are trying to log in to
Sign In on a Different Device Using a Microsoft Authenticator Passkey
If you created a passkey in Microsoft Authenticator on your phone, you can use it to sign in on another device (such as a laptop, classroom PC, or shared workstation) without entering a password. This is called cross-device passkey sign-in.
Step 1: Start Sign-In on the Other Device
1.On the other device (for example, a laptop), go to the Microsoft sign-in page (such as Microsoft 365, Outlook on the web, or a university application).
2.Enter your university email address.
3.When prompted for a sign-in method, choose:
    o Sign in with a passkey, or Use a different device (wording may vary).
Step 2: Choose Cross-Device Sign-In
1.The sign-in screen will prompt you to sign in using a phone, tablet, or security key.
2.Select Phone or tablet (or similar).
3.A QR code appears on the screen.
Step 3: Scan the QR Code with Your Phone
•On iOS
    1.Open the Camera app (not Authenticator).
    2.Scan the QR code shown on the other device.
•On Android
    o You can use the Camera app, or
    o Open Microsoft Authenticator, tap your account, and scan the QR code if shown as an option.
Step 4: Approve with Your Passkey
1.Your phone prompts you to confirm the sign-in.
2.Approve using:
    o Face recognition
    o Fingerprint
    o Device PIN
You are now signed in on the other device — no password required.
Windows Hello For Business (WHFB) (Domain-joined Windows OS)
WHFB Setup
Windows Hello is a secure sign-in method built into Windows that lets you access your device using a PIN, fingerprint, or facial recognition. A PIN is the most common option and is required before you can enable biometrics.
What you need before you start:
•You are signed in with a Microsoft account or work/school account
•Your device is running Windows 10 or Windows 11
•You have administrator access (for managed work devices, IT policies may apply)
Set up a Windows Hello PIN
Step 1. Open Windows Settings
1.Click Start
2.Select Settings
Step 2. Go to Sign‑In Options
1.Select Accounts
2.Click Sign‑in options
Step 3. Locate Windows Hello PIN
1.Under Ways to sign in, find PIN (Windows Hello).
2.Click Set up (or Add if it’s already partially configured)
Step 4. Verify Your Identity
Windows will prompt you to confirm your identity:
Enter your account password (or verify with an existing sign‑in method if prompted).
This ensures only you can create or change the PIN.
Step 5. Create Your PIN
1.Enter a new PIN using the listed PIN requirements
2.Confirm the PIN
3.Click OK or Confirm when finished.
Your Windows Hello PIN is now set up.
Optional: Add Biometric Sign-In (After PIN Setup)
Once a PIN exists, you can enable:
•Fingerprint recognition
•Facial recognition
Go back to: Settings → Accounts → Sign-in options, then select the biometric option you want.
Setting up Fingerprint recognition
Before you start, make sure you have:
•A device with a Windows Hello–compatible fingerprint reader
•Windows 10 or Windows 11
•A Microsoft account or work/school account
•A Windows Hello PIN already created
•Required permissions (work devices may have IT restrictions)
Step 1. Open Windows Settings
1.Click Start
2.Select Settings
Step 2. Go to Sign-In Options
1.Select Accounts
2.Click Sign-in options
Step 3. Select Fingerprint Recognition
1.Under Ways to sign in, find Fingerprint recognition (Windows Hello).
2.Click Set up
3.Select Get started
Step 4. Verify Your Identity
Windows will prompt you to confirm your identity:
Enter your account password (or verify with an existing sign-in method if prompted).
Step 5. Enroll Your Fingerprint
1.Place your finger on the fingerprint reader
2.Lift and rest your finger repeatedly as instructed
3.Adjust finger position slightly during each scan
4.Windows will notify you once enrollment is complete.
5.Click Close to finish.
Fingerprint recognition is now enabled.
Setting up Facial recognition
Before you begin, ensure the following:
•You are signed in with a Microsoft account or work/school account
•A Windows Hello–compatible camera is installed (IR camera required)
•A Windows Hello PIN is already set up
•Your device has Windows 10 or Windows 11
•Organizational policies (for work devices) allow Windows Hello
Step 1. Open Windows Settings
1.Click Start
2.Select Settings
Step 2. Go to Sign‑In Options
1.Select Accounts
2.Click Sign‑in options
Step 3. Select Face Recognition (Windows Hello)
1.Under Ways to sign in, find Facial recognition (Windows Hello).
2.Click Set up
3.Select Get started
Step 4. Verify Your Identity
Windows will prompt you to confirm your identity:
Enter your account password (or verify with an existing sign‑in method if prompted).
Step 5. Scan Your Face
•Sit facing the camera at eye level
•Remove hats, masks, or sunglasses
•Look directly at the camera
•Windows will scan your face automatically. This typically takes a few seconds.
•Once complete, select Close.
Facial recognition is now enabled.
Optional: Improve Recognition Accuracy
If recognition is slow or inconsistent:
1.Go to Settings → Accounts → Sign-in options
2.Select Facial recognition (Windows Hello)
3.Click Improve recognition
4.Complete the additional scan (you can do this with or without glasses)
WHFB Use
You may be prompted to verify your identity using one of the following:
•Facial recognition
•Fingerprint recognition
•Windows Hello PIN
Windows automatically selects the fastest available method, but you can switch methods if needed.
Option 1: Windows Hello PIN
If biometrics are unavailable or fail:
1.Select More choices (if prompted)
2.Choose PIN
3.Enter your Windows Hello PIN
Your identity is verified.
Option 2: Facial Recognition
1.When prompted, look directly at your device’s camera
2.Keep your face unobstructed (no mask or sunglasses)
3.Wait for Windows to recognize you
Once recognized, the action continues automatically.
Option 3: Fingerprint Recognition
1.Respond to the Verification Prompt
2.Scan Your Fingerprint
3.Place your enrolled finger on the fingerprint reader
4.Hold steady until verification completes
Once recognized, Windows automatically allows the action to continue.