Passkey invalid due to missing certificate after forced password reset


This article explains how the ProtectionPolicy registry key can cause Beyond Identity Platform Authenticator passkeys to become invalid after a forced Windows password reset, and provides steps to identify and resolve the issue.


Overview

Forced password resets initiated through Active Directory or third-party identity tools can invalidate existing Beyond Identity Platform Authenticator passkeys. This occurs when the Windows ProtectionPolicy registry key is modified, causing the certificate associated with the passkey to become unavailable or mismatched. As a result, the Platform Authenticator reports the error “Passkey is invalid due to a missing certificate.” This article explains why this issue occurs, how to identify affected devices, and the steps required to restore passkey functionality.

Symptoms

Force-resetting a user's directory (Active Directory) password from the domain controller, or using a third-party solution that performs a forced password reset, can sometimes cause the Beyond Identity Platform Authenticator to report the error “This passkey is invalid due to a missing certificate”.


Affected Platforms

Platform Authenticator running on Windows 10 and 11

Root Cause

Any Windows device with the following registry value present is affected by this issue:

Registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb

Key: ProtectionPolicy

Datatype: DWORD

Value: 1


Detailed Root Cause

The ProtectionPolicy flag was introduced in KB3000850 to address master encryption key creation failures; its use was primarily intended for computers joined to read-only domains. Setting the ProtectionPolicy registry flag to 1 on a domain-joined computer changes how the DPAPI master key is recovered from the domain controller after a forced password reset performed on the domain controller. A side effect of setting this key today is that all DPAPI-protected data blobs on the file system (including passkeys, VPN certificates, and the keys of applications that use DPAPI for certificate-based authentication) become unusable after a password reset on the domain controller.

Beyond Identity doesn’t explicitly use or depend on the ProtectionPolicy flag. The platform authenticator uses the Windows NCrypt system for key storage. The NCrypt system encrypts key blobs using the Windows DPAPI system, which has a dependency on the user’s password and how it is managed. In turn, this makes our key storage susceptible to issues that make the DPAPI master key unusable.

Having this flag set to 1 has caused many applications, including the platform authenticator, to behave in undesirable ways.

Impact

Users trying to access resources from Windows devices using the Beyond Identity Platform Authenticator will not be able to authenticate successfully.

Alternatively, to identify impacted Windows devices, a monitor policy can be created in the Beyond Identity Admin Console by following the steps below:

  • Log in to your Beyond Identity Admin Console (byndid.com) and navigate to Policy.

  • Edit the policy and create a new rule with the Add rule button.

  • Choose For any Transaction as Authentication.

  • Select Add attribute under ‘Any device platform’ and choose Windows.

  • Add another attribute under Windows called ‘Registry key value’ and enter the values below:

    • Registry Key Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb\ProtectionPolicy

    • Number Is

    • 1

  • Save and publish the rules.

Resolution

For any Windows device that has this registry value, delete the ProtectionPolicy value. Alternatively, ProtectionPolicy can be changed to the value 0.

Registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb

Key: ProtectionPolicy

Datatype: DWORD

Value: 0

After making the changes, the passkey will become operational and the platform authenticator will work as expected. Users will be able to authenticate to resources with Beyond Identity without any issues.
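As an added example (not Beyond Identity's own tooling), the following PowerShell audits the ProtectionPolicy value described under Root Cause and applies either fix from the Resolution section on the local machine. The function names are hypothetical, and the script assumes an elevated session because it writes under HKLM.

```powershell
# Registry value from the article: ProtectionPolicy = 1 breaks DPAPI master-key
# recovery after a forced domain password reset, which invalidates passkeys.
$Path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$Name = 'ProtectionPolicy'

function Get-ProtectionPolicyState {
    # Returns 'Absent' when the value (or its key) does not exist, otherwise the DWORD value.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Absent' }
    return [int]$item.$Name
}

function Repair-ProtectionPolicy {
    # Supports -WhatIf / -Confirm so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 'Remove' deletes the value (the article's first option); 'Zero' sets it to 0.
        [ValidateSet('Remove', 'Zero')]
        [string]$Mode = 'Remove'
    )
    $state = Get-ProtectionPolicyState
    if ($state -ne 1) {
        # Only a value of 1 is the problematic configuration; 0 or Absent is fine.
        Write-Output "ProtectionPolicy state is '$state'; no change needed."
        return
    }
    if ($Mode -eq 'Remove') {
        if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Remove value')) {
            Remove-ItemProperty -Path $Path -Name $Name
        }
    } else {
        if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Set DWORD to 0')) {
            Set-ItemProperty -Path $Path -Name $Name -Value 0 -Type DWord
        }
    }
    Write-Output "ProtectionPolicy state after remediation: $(Get-ProtectionPolicyState)"
}

# Audit only (safe to run on any device):
Get-ProtectionPolicyState

# Preview the fix, then apply it:
# Repair-ProtectionPolicy -Mode Remove -WhatIf
# Repair-ProtectionPolicy -Mode Remove
```

For fleet-wide detection, the Admin Console monitor policy described under Impact reports affected devices without requiring remote registry access.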

How to minimize the risk of losing passkeys due to a password reset?

  • Delete or set the ProtectionPolicy key to 0 on the client's Windows machine.

  • Don’t let the password expire.

Using third-party password reset tools can also cause the loss of passkeys, depending on their method for resetting a password.
