Beware of the Passkey Dialog: Not All Options Are FIDO2 Security Keys
29-01-2025
When setting up a passkey on Windows, the standard authentication dialog often presents multiple options for storing credentials.
However, not all of these options correspond to physical FIDO2 security keys, which can lead to confusion—even for experienced users.
Understanding the Options
When prompted to add a passkey, Windows may display choices such as:
- Security Key – This refers to a physical FIDO2 hardware key (such as Token2 devices).
- This Device – Often represents the built-in TPM (Trusted Platform Module) of your laptop or PC, which securely stores credentials locally.
- Windows Hello – Includes biometric authentication methods such as fingerprint or facial recognition.
Additional Complexity from Browsers
Some browsers add a further step before the OS dialog is even reached. The flow now defaults to a Chrome-based platform authenticator passkey (Google Password Manager). To use a physical security key, you need to select "Save another way" first; only then do you reach the correct OS options.
Why It Matters
Many users intend to register a FIDO2 security key but unknowingly select “This Device”, assuming it’s the same thing. This results in credentials being saved to the TPM of the laptop instead of the security key. Later, when trying to use the passkey on another device, they realize it’s unavailable because it was never stored on a physical key.
Best Practice: Always Select "Security Key"
- When registering a passkey, carefully review the options in the Windows authentication dialog.
- Always select Security Key to use a FIDO2 hardware device.
- If you accidentally register a credential to the local TPM, you may need to remove it and re-register using the correct option.
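For site operators, the same mistake can be caught at registration time. The sketch below is an added example, not code from the original post: the function names are illustrative, while the fields used (authenticatorAttachment, hints, getTransports()) are standard WebAuthn. It asks the browser for a roaming key and then checks where the new passkey actually ended up.

```javascript
// Added example; function names are illustrative assumptions.
const ROAMING_TRANSPORTS = ["usb", "nfc", "ble"];

// Ask the browser to steer toward a physical FIDO2 key rather than the
// platform authenticator. `hints` is WebAuthn Level 3 and is simply
// ignored by browsers that do not support it.
function withSecurityKeyPreference(publicKeyOptions) {
  return {
    ...publicKeyOptions,
    authenticatorSelection: {
      ...(publicKeyOptions.authenticatorSelection || {}),
      authenticatorAttachment: "cross-platform",
    },
    hints: ["security-key"],
  };
}

// Classify where a new credential was stored.
// attachment: PublicKeyCredential.authenticatorAttachment (may be null)
// transports: array returned by response.getTransports()
function classifyPasskeyLocation(attachment, transports = []) {
  const seen = new Set(transports);
  if (attachment === "platform") return "platform";
  if (ROAMING_TRANSPORTS.some((t) => seen.has(t))) return "security-key";
  if (seen.has("hybrid")) return "hybrid"; // phone or tablet via QR code
  if (seen.has("internal")) return "platform";
  return "unknown";
}

// Browser-side flow: register, then refuse anything that is not a key.
async function registerOnSecurityKey(publicKeyOptions) {
  const cred = await navigator.credentials.create({
    publicKey: withSecurityKeyPreference(publicKeyOptions),
  });
  const where = classifyPasskeyLocation(
    cred.authenticatorAttachment,
    cred.response.getTransports()
  );
  if (where !== "security-key") {
    throw new Error(`Passkey stored on "${where}"; remove it and re-register`);
  }
  return cred;
}
```

Both values are reported by the client and are not signed, so treat the result as a usability check; a site that must enforce hardware keys should verify attestation on the server.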
Visual Examples
Here are some screenshots illustrating where the dialog appears and how to choose the correct option:
And our favorite is shown below. To access the Security Key dialog and add your FIDO2 key to your Live.com account, you'll need to click at least seven more times: