This article describes the impact of changing or resetting local passwords when using the Beyond Identity authenticator.
Changing the local password is not the same as resetting the local password. These terms are often used interchangeably, but they are different processes and have different impacts on the Beyond Identity passkeys. Review the following information that can impact the Beyond Identity passkey:
- Changing the local password requires that the user knows and can provide the existing password. In this case, the Beyond Identity passkeys are not affected. This is the recommended method for updating a password.
- To set the password expiration policy in Windows, see https://learn.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide
- Resetting the local password means that the user forgot their password and it was reset by iCloud or an admin. This breaks the Beyond Identity passkeys.
- Some customers use a third-party solution to rotate passwords on a schedule. At times, these solutions may fail and leave the password out of sync, as if it had been reset, which breaks the Beyond Identity passkeys.
- For Windows customers only, review the following article to remove a Windows setting that often causes this issue: Windows Platform Authenticator shows error ‘Passkey is invalid due to a missing certificate’ post forced password reset.
- On Windows, passkeys are created in the Trusted Platform Module (TPM), which is further encrypted with DPAPI. The DPAPI keys are spread across the domain, so mismanagement of domain servers can break the Beyond Identity passkeys.
If the passkey is broken, users will see a "This passkey is invalid due to a missing certificate" error.
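On Windows, the change/reset distinction described above is visible in the Security log: event 4723 records a password change attempt and 4724 a password reset attempt (both need the "Audit User Account Management" policy enabled). The following Python sketch is an added example, not Beyond Identity code; it takes event XML of the kind `wevtutil qe Security /f:xml` emits and lists accounts whose password was reset, and the CORP accounts and timestamps in it are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KIND = {"4723": "change", "4724": "reset"}   # Windows Security event IDs
AUDIT_SUCCESS = "0x8020000000000000"          # Keywords value for "Audit Success"

def classify(event_xml):
    """Return a record for a successful 4723/4724 event, else None."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    keywords = root.findtext("e:System/e:Keywords", namespaces=NS)
    if event_id not in KIND or keywords != AUDIT_SUCCESS:
        return None  # unrelated event, or an attempt that failed
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "kind": KIND[event_id],
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "target": f'{data.get("TargetDomainName", "")}\\{data.get("TargetUserName", "")}',
        "actor": f'{data.get("SubjectDomainName", "")}\\{data.get("SubjectUserName", "")}',
    }

def passkeys_at_risk(events):
    """Map each account whose password was reset to its most recent reset record."""
    latest = {}
    for rec in filter(None, map(classify, events)):
        prev = latest.get(rec["target"])
        # SystemTime is ISO 8601 UTC, so string comparison orders it correctly.
        if rec["kind"] == "reset" and (prev is None or rec["time"] > prev["time"]):
            latest[rec["target"]] = rec
    return latest

def sample_event(event_id, when, actor, target, keywords=AUDIT_SUCCESS):
    """Build a constructed, minimal event; real events carry more fields."""
    fields = {"TargetUserName": target, "TargetDomainName": "CORP",
              "SubjectUserName": actor, "SubjectDomainName": "CORP"}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Keywords>{keywords}</Keywords><TimeCreated SystemTime="{when}"/>'
            f'</System><EventData>{body}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed data, not from a real log
    sample_event(4723, "2024-03-04T09:15:00Z", "alice", "alice"),    # user changed own password
    sample_event(4724, "2024-03-05T14:02:00Z", "helpdesk1", "bob"),  # admin reset
    sample_event(4724, "2024-03-06T08:30:00Z", "svc-rotate", "carol", "0x8010000000000000"),  # failed reset
    sample_event(4624, "2024-03-06T08:31:00Z", "bob", "bob"),        # logon, ignored
]

if __name__ == "__main__":
    print(passkeys_at_risk(SAMPLE_EVENTS))
```

Accounts it reports are the ones to check for the missing certificate error; an account that only appears with a successful 4723 went through a normal password change.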
Recommendation
When possible, download the Beyond Identity authenticator to another device, such as a mobile phone, and migrate your passkey to that device as a backup. This will make it easy to recover your passkey if the password is reset.
Step 1: Download the authenticator on the other device:
Step 2: Migrate your passkey to the other device. For instructions, see:
- How do I migrate my existing passkey to an iOS device?
- How do I migrate my passkey to an Android device?
- How do I migrate my passkey to a Windows device?
Resolve a missing certificate error
If you ever receive a "This passkey is invalid due to a missing certificate" error and have migrated your passkey to another device as outlined in "Recommendation" above, you can recover the passkey using the following steps.
Step 1: Remove the affected passkey from your device.
https://support.beyondidentity.com/hc/en-us/articles/14608965625495
Step 2: Migrate your passkey from another device.
Migrate your passkey from the other device. For instructions, see:
- How do I migrate my existing passkey to an iOS device?
- How do I migrate my passkey to an Android device?
- How do I migrate my passkey to a Windows device?
If you don’t have a passkey on another device, contact your IT administrator to send you a new code or re-send an invitation.