Forum Discussion

Mario_Morel
Copper Contributor
Jan 28, 2024

Authentication Methods - FIDO2 & Authenticator Not Working Together

The issue is that my users are having trouble using the Microsoft Authenticator for authentication, specifically after they are being added to the FIDO2 authentication method.


Before that, Authenticator works fine. But after being added to FIDO2, when they try to sign in, the "Authenticator" option is no longer visible. The only option is with the security key (and passkey). And when I remove a user from FIDO2, the Authenticator option comes back.


Is there a way during sign in to offer both options to users?

  • Theoretically, this should work. If both authentication methods are allowed and the user has configured both then they should be able to choose which one to use. Can you share with us how the Authentication methods in Entra ID are set up now?
    • Mario_Morel
      Copper Contributor

      Thanks Jos for your reply.

      Yes, both authentication methods are allowed.

      Here are screenshots from Entra ID:


      • JosvanderVaart
        Iron Contributor
        Hi Mario, thanks for sharing the screenshots. I see no strange things here and so it should work. When a user chooses a certain method it will automatically appear next time. Doesn't the user have the option to choose another option? Can you also share the login screen with us?
  • Mario_Morel
    Copper Contributor

    JosvanderVaart Kidd_Ip : Thanks Jos and Kidd for looking into this for me. Greatly appreciated.

    I think I figured a way around.

    1. When I get to the "Sign in with your passkey" dialog, where it offers only passkey and security key, I click on "Cancel". (I have a security key setup, but I still want the option to sign in with Authenticator, in case the security key is not available.)

    2. It gives an error message, but also offers other ways to sign in.

    3. Next, I have the Authenticator option.

    Overall, it works. It is just that it is not an intuitive way to go about it.

    Thanks again for your help.

    mario

    • Hernan_Jimenez
      Copper Contributor

      Mario_Morel Mario, I agree...it is not an intuitive way to go about it. In my organization, we're transitioning from Cisco Duo to Microsoft. Management has decided to give users the Either/Or option, since having both methods registered in your MFA profile will prompt an error before choosing "Other ways to sign in". So our end users will either choose authenticator app + recovery method (email OTP), or FIDO2 Key + recovery method.

      In Cisco Duo, both registered methods worked smoothly, plus the Geographical Location map is more accurate than the Microsoft map. Accuracy is important if you're trying to teach end users to be vigilant about the login location.

      • Mario_Morel
        Copper Contributor

        Thanks for your comment, Hernan. We went through conversion from Duo to Authenticator a couple of years ago. We really liked Duo and it was sad at the time. But once things stabilized, we felt it was the right thing to do. I hope it will be the same with your organization.

        And yes too about giving a FIDO2 key option to some users. We had people working in an industrial plant, and just having a key with them was so much easier.

    • Jeff_Birks
      Copper Contributor

      I believe the issue is related to Microsoft automatically selecting the most secure method as the default authentication method. In this regard FIDO is the more secure method, so Microsoft should indeed use it as a default; however, it would be nice to be able to select a different default.
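Jos asked how the Authentication methods policy is configured, and Jeff points at the tenant defaulting to the strongest registered method. The following PowerShell is an added example, not code from anyone in this thread or from Microsoft: it reads the tenant's Authentication methods policy through Microsoft Graph and reports the state of the Fido2 and MicrosoftAuthenticator methods, the system-preferred MFA setting (the tenant setting that makes sign-in prompt for the most secure registered method first, with the rest behind "Other ways to sign in"), and the methods one user has registered. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller is granted Policy.Read.All and UserAuthenticationMethod.Read.All, and that the `systemCredentialPreferences` property is present on the v1.0 policy resource; the UPN is a placeholder.

```powershell
# Added example (not from the thread). Read the tenant's Authentication methods
# policy and report the pieces relevant to "FIDO2 hides the Authenticator option".
# Assumes Microsoft.Graph SDK, Policy.Read.All and UserAuthenticationMethod.Read.All.

Connect-MgGraph -Scopes "Policy.Read.All", "UserAuthenticationMethod.Read.All"

# Invoke-MgGraphRequest returns the JSON body as a hashtable.
$policy = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"

# Each configuration has an id such as "Fido2" or "MicrosoftAuthenticator"
# and a state of "enabled" or "disabled". Both must be enabled for the
# user to be offered a choice at all.
foreach ($id in @("Fido2", "MicrosoftAuthenticator")) {
    $cfg = $policy.authenticationMethodConfigurations | Where-Object { $_.id -eq $id }
    if ($null -eq $cfg) {
        "{0,-24} not present in policy" -f $id
    } else {
        "{0,-24} state={1}" -f $id, $cfg.state
    }
}

# System-preferred MFA (assumed property name: systemCredentialPreferences).
# When enabled, sign-in prompts for the most secure method the user has
# registered; weaker methods are only reachable via "Other ways to sign in",
# which matches the behaviour Mario and Jeff describe.
$pref = $policy.systemCredentialPreferences
if ($null -ne $pref) {
    "System-preferred MFA: state={0}" -f $pref.state
} else {
    "System-preferred MFA: property not returned by this tenant/API version"
}

# Confirm the user actually has both methods registered (placeholder UPN).
$upn = "user@example.com"
Get-MgUserAuthenticationMethod -UserId $upn |
    ForEach-Object { $_.AdditionalProperties["@odata.type"] } |
    Sort-Object -Unique
```

Run it with an account that holds the two read scopes; a user who shows both `#microsoft.graph.fido2AuthenticationMethod` and `#microsoft.graph.microsoftAuthenticatorAuthenticationMethod`, with both policy entries `enabled` and system-preferred MFA `enabled`, is in exactly the situation described above: the tenant is not misconfigured, the passkey prompt is simply shown first.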
