

These new methods are configured on your Microsoft 365 Security Info page.


  • After authenticating with a Passwordless method, Microsoft will make that your default authentication (overriding your default method on your Security Info page).

    • You can still authenticate with your password + MFA method by clicking Other ways to sign in when prompted for your passwordless method.

Phone Sign-In (Microsoft Authenticator)

This is an evolution of the push notification method in Microsoft Authenticator. After submitting your email address, you will be asked to approve the sign-in and enter a specific number in Microsoft Authenticator.


  • This method requires device registration, which establishes a trust relationship between your mobile device and CIT's Microsoft systems. This makes it possible for CIT to enforce certain security settings on your device. It does not allow CIT to remotely access or wipe your device. More details on this can be found at Microsoft's page for Azure AD Registered Devices.

  • You will no longer be able to approve logins with your Apple Watch.

    • This limitation is on Microsoft's roadmap to fix, and CIT will update this document once the fix is implemented.

  • Only one Microsoft work/school account per Microsoft Authenticator can have Phone Sign-In enabled.

  • Your Microsoft Authenticator accounts are not backed up or transferable to another device.

    • There is an advanced feature that allows iPhone users to sync their accounts to iCloud if they also add a personal Microsoft account to Microsoft Authenticator. CIT does not recommend this feature; it did not play well with Phone Sign-In and device registration in testing.


  1. If you have not already done so, download the Microsoft Authenticator app from your mobile device's app store, and connect your Microsoft Authenticator app to your Geneseo account.

  2. Follow Microsoft's guide to enable phone sign-in.


There are two methods for removing Phone Sign-In, depending on whether you are migrating to a new mobile device:

  • Unregister your device if you are migrating to a new mobile device:

    • Microsoft Authenticator settings → Device Registration

    • Tap Unregister device.

  • Disable Phone Sign-In if you want to retain device registration:

    • Tap your Microsoft Authenticator account with Phone Sign-In

    • Tap Disable phone sign-in

FIDO2 Security Key (WebAuthn)

These are USB/NFC devices with a button. During login, users are prompted to unlock the device with a PIN and tap the button. They store secret cryptographic keys for accounts registered via the WebAuthn protocol. The most popular compatible devices are the YubiKey Security Key Series.


  • Limited support for Apple products


    • Zero iOS support

    • macOS support only in Microsoft Edge and Google Chrome

  • Microsoft requires your security key to have a PIN; you will be prompted to create one during registration if your security key does not already have one.


macOS users should click Skip and close the window that appears when they first plug in a security key. (macOS will try to identify the key as a keyboard.)



Microsoft has timeouts at various stages of the registration process and tends to show a confusing error if you hit one. If you see the following error, please click Cancel and go through the registration process again.

[Image: screenshot of the error message]


From your Microsoft 365 Security Info page, click Delete on the security key you want to remove.

Page Properties

Owner (area): Support Services

Reviewed by: Former user (Deleted), Rose Mournighan

Review Date