Ascent Identity & Access

Say goodbye to your password.

Ascent is moving to passwordless sign-in and passkeys — faster logins, nothing to remember, and protection against the phishing attacks that passwords can't stop. This guide walks you through it in two short stages. Most people finish in under 10 minutes.

Stage 1 · Most people already have this

Turn on passwordless sign-in

This is the in-app switch that lets you approve sign-ins with a tap instead of typing a password. About 7 in 10 of you already have it on — if you can already sign in by approving a notification on your phone, you're set: skip straight to Stage 2. If not, here's how. Good news either way — setting up a phone passkey in Stage 2 turns this on for you automatically, so you won't have to circle back.

  1. On your phone, open the App Store (iPhone) or Google Play (Android).
  2. Search for Microsoft Authenticator (publisher: Microsoft Corporation) and install it.
  3. Open the app and accept the privacy prompts. Don't add an account yet — the next step does that.
Already use Authenticator for the 6-digit codes or "approve" prompts? Great — you can skip to Step 3.
  1. On a computer, go to your Security info page:
  2. Sign in with your Ascent email and password (and approve MFA if prompted).
  3. Select + Add sign-in method → Microsoft Authenticator → Add.
  4. When the QR code appears, open Authenticator on your phone → + → Work or school account → Scan QR code, and scan it.
  5. Approve the test notification to confirm the link.
If you've never set up any sign-in method and can't get in, you'll need a one-time Temporary Access Pass from the Service Desk to complete this step.
  1. In Microsoft Authenticator, tap your Ascent account.
  2. Tap Set up phone sign-in (may read "Enable phone sign-in" / "Set up passwordless").
  3. Follow the prompts. You may be asked to verify with MFA and to set a device lock if you don't have one.
Test it: next time you sign in, choose "Other ways to sign in" → "Approve a request on my Authenticator app" and enter the number shown. No password needed.
Stage 2 · The strong stuff

Create a passkey

A passkey is a phishing-resistant credential locked to your device and unlocked by your face, fingerprint, or PIN. Ascent allows two kinds: a passkey in Microsoft Authenticator (your phone) and Windows Hello (your work PC). Pick the device you want to set up — you can do both.

Passkey in Microsoft Authenticator (iPhone)
You must create this passkey inside the Authenticator app on your iPhone. If your phone offers to "Save a passkey to iCloud Keychain," decline it — Ascent only accepts passkeys made in Authenticator, and the iCloud one will be rejected.
  1. Make sure you finished Stage 1 (Authenticator installed + your Ascent account added).
  2. Make sure your iPhone has a screen lock set up (Face ID, Touch ID, or a passcode).
  3. Turn Authenticator on as a passkey provider:
    iOS 18: Settings → General → AutoFill & Passwords
    iOS 17: Settings → Passwords → Password Options
    Turn on AutoFill Passwords and Passkeys, then enable Authenticator under "Autofill from".
  4. Open Authenticator → tap your Ascent account → Create a passkey.
  5. Complete MFA when prompted, then follow the on-screen steps to finish.
  6. Done — you'll see Passkey listed under your account in Authenticator (and on your Security info page).
Passkey in Microsoft Authenticator (Android)
Create this passkey inside the Authenticator app on your Android phone. If Google offers to save the passkey to Google Password Manager, decline it — Ascent only accepts passkeys made in Authenticator.
  1. Make sure you finished Stage 1 (Authenticator installed + Ascent account added).
  2. Make sure your phone has a screen lock (fingerprint, face, or PIN).
  3. Set Authenticator as a passkey provider:
    Settings → Passwords, passkeys & accounts → choose Authenticator as a provider. (Exact path varies by phone maker.)
  4. Open Authenticator → tap your Ascent account → Create a passkey.
  5. Complete MFA when prompted, then follow the on-screen steps.
  6. Done — Passkey now appears under your account and on your Security info page.
Windows Hello (your work PC)
On most managed Ascent laptops, Windows Hello (a PIN + fingerprint or face) is already set up. If so, jump to step 2 and register it as a passkey.
  1. Open Settings → Accounts → Sign-in options.
  2. Set up a PIN (Windows Hello), and add Fingerprint or Facial recognition if your device supports it.
  3. If Windows prompts you to set this up at sign-in, you can just follow that prompt instead.
  1. On your PC, open your Security info page (link at the top of Stage 1).
  2. Select + Add sign-in method → Passkey.
  3. When asked where to save the passkey, choose This device / Windows Hello.
  4. Verify with your PIN or biometric to finish.
Your phone's passkey, used from the Mac
Macs don't use Windows Hello, and Ascent doesn't accept iCloud Keychain passkeys. So you'll make your passkey on your phone in Authenticator, then use it to sign in on your Mac.

Follow the iPhone or Android steps above to create a passkey in Microsoft Authenticator. You only do this once.

  1. Keep Bluetooth on and your phone nearby.
  2. At the Mac sign-in screen, choose Sign in with a passkey (or "Other ways to sign in" → passkey).
  3. Pick the option to use a phone. A prompt appears on your phone.
  4. Approve it with your face / fingerprint / PIN. You're in.
If you use Chrome on the Mac and it asks to allow access to your security device, choose Allow for login.microsoft.com.
Stage 3 · The part that actually stops phishing

Now use it the right way

Creating the passkey is only half the job. You get true phishing-resistant sign-in only when you choose your passkey at login — not when you type a password and approve a push. Here's the one move to remember.

The one move

At the Microsoft sign-in screen, choose Sign-in options (or Other ways to sign in) → Face, fingerprint, PIN, or security key.

  1. Open the app or site you're signing in to (for example, office.com), or start from the Windows lock screen.
  2. If you aren't offered your passkey automatically, select Sign-in options — or, after typing your name, Other ways to sign in.
  3. Choose Face, fingerprint, PIN, or security key.
  4. Using Windows Hello (your PC): verify with your face, fingerprint, or PIN. You're in.
  5. Using your phone's passkey: pick iPhone, iPad, or Android device, scan the QR code with your phone's camera, then approve with your face / fingerprint / PIN. Keep Bluetooth on and the phone nearby.
Once you've used the passkey once, Microsoft offers it first next time — so it gets faster, not slower, than the old way.

A password plus a "tap to approve" push can still be stolen — a convincing fake login page can capture your password and trick you into approving the attacker's sign-in. A passkey is cryptographically tied to the real Microsoft sign-in address. Present it to a lookalike site and it simply won't work, because the site isn't who it claims to be. There's no code to read out, no prompt to approve by mistake, and nothing for an attacker to reuse. That binding to the genuine site is what "phishing-resistant" means — and it's why choosing the passkey at sign-in matters, not just having one.
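
For readers who want to see that binding at work, here is an added sketch (not Microsoft's or Ascent's code) of the checks that make a passkey fail on a lookalike site: the browser's RP ID rule, the authenticator's per-site lookup, and the server's origin and rpIdHash checks. It assumes the relying-party ID is `login.microsoft.com`, uses a constructed lookalike hostname, passes the challenge as a plain string, and omits the signature check that protects these fields from tampering.

```python
import hashlib
import json
from urllib.parse import urlsplit

RP_ID = "login.microsoft.com"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.microsoft.com"}  # assumed genuine origin

def browser_get_assertion(page_origin, rp_id, challenge, authenticator):
    """Simplified browser + authenticator side of a passkey sign-in."""
    host = urlsplit(page_origin).hostname
    # Browser rule (simplified, no public-suffix check): a page may only ask
    # for an RP ID equal to its own host or a parent domain of it.
    if host != rp_id and not host.endswith("." + rp_id):
        return None
    # Authenticator rule: passkeys are stored and looked up per RP ID.
    if rp_id not in authenticator:
        return None
    # The browser, not the page, writes the origin into clientDataJSON.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    flags = bytes([0x05])  # user present (0x01) + user verified (0x04)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + bytes(4)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def server_verify(assertion, expected_challenge):
    """Relying-party checks that tie the assertion to the genuine site."""
    if assertion is None:
        return "no assertion produced"
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return "wrong type"
    if client_data.get("challenge") != expected_challenge:
        return "challenge mismatch"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return "origin mismatch"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    return "ok"

if __name__ == "__main__":
    passkeys = {RP_ID: "constructed-credential"}              # constructed sample
    lookalike = "https://login.microsoft.com.signin.example"  # constructed sample
    for origin in ("https://login.microsoft.com", lookalike):
        result = browser_get_assertion(origin, RP_ID, "c1", passkeys)
        print(origin, "->", server_verify(result, "c1"))
```
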

Stuck on a step?

The Service Desk can issue a Temporary Access Pass, reset a method, or walk you through it live.

Contact the Service Desk