Enroll a new device
Overview
passkey enrollment is the process of securely creating a passkey on a new (second) device, using an already trusted (first) device for authorization. Users enrolled in Beyond Identity can perform passkey enrollment if permitted by their organization's security policy. This policy is managed by tenant administrators.
Creating passkeys on new devices allows you to securely access all of your Beyond Identity-protected applications directly from those devices.
passkey enrollment helps end users maintain additional devices, passkeys, or both if a primary device no longer has a passkey. This method streamlines enrollment and reduces dependency on external factors. It helps when resources like email or IdP aren't available while still maintaining our high-security standards.
Prerequisites
To use passkey enrollment in Beyond Identity as an end user, the following conditions are required.
End users
- Beyond Identity Platform Authenticator installed with a passkey on any of these operating systems: macOS, iOS, Windows, Android, Linux
- The Beyond Identity Platform Authenticator version
2.103.0is the most recently supported version - Both trusted and untrusted devices must have the supported Beyond Identity Platform Authenticator version installed
- Download the most recent version of the Beyond Identity Platform Authenticator
- The Beyond Identity Platform Authenticator version
Only enroll passkeys on devices you control.
Why initiate self enrollment from an untrusted device?
In Secure Access, passkey enrollment begins on the new (untrusted) device. The user generates a QR code or a 9-digit code on that device and enters it into an existing trusted device to authorize the creation of a new passkey.
This flow is more secure than initiating from a trusted device because it ensures the new device must be physically present and under the user’s control during enrollment. The trusted device doesn’t blindly push passkeys out. Instead, it only responds to explicit requests from a device that the user has verified in-person. This prevents scenarios where a malicious actor could trick a trusted device into provisioning passkeys to a remote or spoofed device.
Coming from Secure Work? See the Migrating passkey guides
Stage summary
The process for passkey enrollment covers different steps for IT administrators and end users. The sections below include sections and steps to complete the setup.
Beyond Identity Console setup
The stages below are for administrators to prepare user groups with the ability to enroll their own passkeys on to other devices.
Group creation for passkey enrollment
As a security best practice, configure this feature for a smaller number of users within a group. With this functionality available for a smaller number of users at first, you can test this in a more controlled environment first. After successful testing, you can then configure this for a larger group or more groups as needed.
View the Groups document for more information on managing Groups in Beyond Identity. The steps below cover creating a small group of users first to test.
- On the Beyond Identity Console, navigate to Groups under the Directory section of the left side navigation.
- Click Add Group.
- Input
Authorize Credential Enrollmentas the name for the Group and add a description. - Click Add Group.
- Scroll down to the newly added Group at the bottom of the Group table and click on the name to go to group details.
- Click Add group member to add Identities to the group.
As a security best practice, configure this feature for a smaller number of users within a group. With this functionality available for a smaller number of users at first, you can test this in a more controlled environment first. After successful testing, you can then configure this for a larger group or more groups as needed.
Configure policy for passkey enrollment
Before end users are able to use passkey enrollment, use policy rules for the transaction of Authorize Credential Enrollment to create protections against passkey abuse.
Learn more about passkey enrollment policies in the Credential Enrollment Policy Guide
Passkey enrollment for devices
End users with existing passkeys can add their passkey to new devices using passkey enrollment. This functionality is available after IT administrators for the organization configure policy for authorized passkey enrollment. The sections below cover the steps to download and install the Beyond Identity Platform Authenticator to the new device, then to initiate the communication between devices for passkey enrollment.
Initiate passkey enrollment on trusted device
The steps below are for beginning the passkey enrollment on the trusted device. This involves opening the Beyond Identity Platform Authenticator on that device.
- On the Beyond Identity Platform Authenticator, select the specific passkey to extend.
- Select the Set up other devices button at the bottom of the selected passkey.
- On the operating system pop up, click Yes, extend my passkey to confirm.
- Follow the steps from the Platform Authenticator and begin the next section of passkey enrollment.
Coordinate enrollment on untrusted device
This section is for generating QR codes or nine digit codes to input to the trusted device. When the devices communicate and confirm authentication and authorization, the passkey extends from the trusted device to the new device. Follow the steps below to complete the process.
- On your new device, Click + button or Enroll with existing device if you just downloaded the app.
- Click Generate QR/9 Digit Code.
- You will be presented with a QR and 9 Digit Code.
- On the trusted device, use the device's camera to scan this QR code or input the nine digit code.
Success! Congratulations, you've completed your passkey enrollment to a new device!
For Policy denied errors, contact your administrator for support.