Version: Next

Certificate-Based vs. Enterprise Passkey: Feature Comparison

HYPR Authenticate supports two distinct approaches to passwordless workstation authentication: certificate-based authentication and Enterprise Passkey. Both deliver phishing-resistant, passwordless login through the HYPR Mobile App, but they differ significantly in credential infrastructure, supported Windows features, and deployment requirements.

This article documents the differences between the two approaches across workstation features, Remote Desktop Protocol (RDP) access, and User Account Control (UAC) elevation.

Authentication Architecture

Certificate-Based Authentication

Certificate-based authentication issues each user an X.509 certificate from an Active Directory Certificate Services (ADCS) Certificate Authority. The HYPR Passwordless client acts as a virtual smart card credential provider. During registration, the workstation requests a certificate using a configured template (hyprwin for Windows, hyprmac for macOS). That certificate is encrypted and synced to the HYPR Mobile App via ECDH key exchange.

At login, the mobile app decrypts and returns the certificate to the workstation, which presents it to Windows via the smart card credential provider. Windows validates it through Kerberos and Active Directory. The HYPR credential provider is loaded across the full Windows credential stack — login screens, lock screens, UAC prompts, and Remote Desktop sessions.

Enterprise Passkey

Enterprise Passkey issues each user a FIDO2 passkey credential registered directly in Microsoft Entra ID. The HYPR Passwordless client acts as a virtual FIDO2 security key. During registration, the workstation sends a credential request to HYPR Control Center, which proxies it to Entra ID through the Microsoft FIDO2 Provisioning API. The passkey and private key are then encrypted and synced to the HYPR Mobile App using the same ECDH mechanism as certificates.

At login, the mobile app returns the passkey to the workstation, which presents it to Windows via the FIDO2 credential provider. Windows validates the passkey through Entra ID. Because the FIDO2 credential provider is not loaded universally across the Windows credential stack, some contexts — specifically UAC prompts — are not supported.

Parallel Architecture

The two approaches are intentionally designed in parallel. Credential packaging (PKCS12), ECDH key exchange, offline PIN generation, and audit events work identically. The primary difference is the credential type (X.509 vs. passkey) and the authority that issues it (ADCS vs. Entra ID).

Infrastructure Requirements

Component | Certificate-Based | Enterprise Passkey
Active Directory | Required | Not required
Active Directory Certificate Services (ADCS) | Required | Not required
Certificate templates | Required (hyprwin / hyprmac) | Not required
Microsoft Entra ID | Not required | Required
Entra FIDO2 Provisioning API | Not required | Required

Platform Support

Platform | Certificate-Based | Enterprise Passkey
Windows AD-joined workstations | Supported | Not supported
Windows hybrid-joined workstations | Supported | Supported
Windows Entra-joined workstations | Not supported | Supported
macOS | Supported | Not supported

Certificate-based deployments require a functioning PKI: certificate template configuration, Domain Controller CA publishing, and CRL availability. Enterprise Passkey eliminates these PKI dependencies but requires Entra ID and the AZURE_PROVISION_API feature flag on the workstation RP application.

Workstation Authentication Flows

Registration and Pairing

From the user's perspective, pairing looks the same under both approaches: open the HYPR Passwordless client, scan the QR code with the HYPR Mobile App, and authenticate on mobile.

In the background:

  • Certificate-based: The workstation enrolls an X.509 certificate from ADCS and syncs it to the mobile app.
  • Enterprise Passkey: The workstation provisions a FIDO2 passkey to Entra ID via the Provisioning API and syncs it to the mobile app. For hybrid-joined workstations, this also requires Entra Kerberos configuration and AES256_HMAC_SHA1 support on Domain Controllers.

Enterprise Passkey also supports registration from the web (via Device Manager or Magic Links) and from the mobile app — in addition to the HYPR Passwordless client. Certificate-based registration requires the workstation client.

Login and Unlock

Standard login is functionally identical for users under both approaches:

  1. Ctrl+Alt+Del to reach the credential selection screen.
  2. Select the HYPR Mobile App tile.
  3. Authenticate on mobile (biometric or PIN).
  4. The workstation logs in or unlocks.

Tap to Login — tapping the computer icon in the HYPR Mobile App to push authentication to the workstation — is supported under both approaches.

Certificate Renewal

Certificate-based authentication requires periodic renewal as X.509 certificates expire. HYPR Passwordless client handles renewal automatically: a new certificate is generated before the current one expires, delivered to the mobile app, and validated with a login before the old one is retired.

Enterprise Passkey credentials do not require equivalent periodic renewal.

Single Registration

Both approaches support Single Registration, which allows one pairing action to register a user for both workstation and web authentication.

  • Workstation-to-Web: After a workstation pairing, HYPR Control Center creates a corresponding web registration automatically.
  • Web-to-Workstation: After a web-initiated QR login on a workstation (with the WINDOWS_WEB_ENROLLMENT feature flag enabled), HYPR Passwordless client automatically completes a local workstation pairing.

Roaming and Multi-Workstation Access

Both approaches support roaming — authenticating to workstations where the user's mobile device is not directly paired — via a QR code on the login screen. The Roaming Users toggle in Control Center Workstation Settings controls this feature for both approaches.

When enabled, a QR code appears on the login/lock screen. Scanning it with the HYPR Mobile App logs the user in to any domain-joined or Entra-joined workstation, without a prior local pairing on that machine.

Roaming vs. VDI Installation

Roaming Users (QR-based cross-workstation login) and the Non-Persistent VDI installation mode are separate options with different purposes. A workstation does not need to be part of a VDI environment to use roaming. See Creating a Golden Image for VDI.

Remote Desktop Protocol (RDP)

RDP access is supported under both approaches, but through different mechanisms with different requirements.

Certificate-Based Authentication

Certificate-based authentication forwards the user's X.509 certificate into the RDP session as a smart card credential. The HYPR Passwordless client does not need to be installed on the remote machine.

Requirements on the target (remote) machine:

  • The Remote Sessions Enabled registry key must be set to 1 on the target HYPR Passwordless installation.
  • Network Level Authentication (NLA) must be disabled via policy.
  • CredSSP support must be disabled (enablecredsspsupport:i:0 in the RDP file, or via the Advanced tab of the Remote Desktop Connection app).
  • Smart cards or Windows Hello for Business must be checked in the Local Resources tab of the RDP client.

Available flows:

  • Device-initiated (Tap to Login): Tap the computer icon in the HYPR Mobile App. The authentication request is pushed to the workstation; the RDP session authenticates automatically.
  • Scan QR to Login: At the RDP credential screen, select More choices > Scan QR to Login, and scan the QR code with the HYPR Mobile App. Requires Roaming Users enabled in Control Center.

For step-by-step instructions, see Accessing a Remote Desktop.

Enterprise Passkey

Because FIDO2 passkey credentials are device-bound and cannot be forwarded as smart card certificates, Enterprise Passkey uses a web-based FIDO2 sign-in flow inside the RDP session.

Requirements:

  • Enable Web login in the RDP client (Advanced tab), or set authentication level:i:0 in the RDP connection file.
  • Web-based sign-in must be permitted on the remote machine.
  • NLA does not need to be disabled.

When the RDP connection opens, a browser-based Entra sign-in page appears. The user completes FIDO2 authentication through the HYPR Mobile App as the passkey provider.

Device-initiated (Tap to Login) is not available for RDP under Enterprise Passkey.

RDP Summary

Requirement | Certificate-Based | Enterprise Passkey
Mechanism | Smart card certificate forwarding | Web-based FIDO2 sign-in
NLA must be disabled | Yes | No
CredSSP must be disabled | Yes | No
HYPR Passwordless on remote machine | Not required | Not required
Device-initiated (Tap to Login) | Supported | Not supported
Scan QR to Login | Supported (Roaming Users required) | Not applicable
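As an added example (not HYPR's own code or a documented tool), the following Python parses an .rdp connection file and reports which of the file-side requirements listed above each approach still lacks. It assumes the "Smart cards or Windows Hello for Business" checkbox in Local Resources is stored as redirectsmartcards:i:1, and it does not check the server-side settings (NLA policy, the Remote Sessions Enabled registry key, web sign-in permission), which live on the remote machine rather than in the file.

```python
# Added example (not HYPR's code): parse an .rdp connection file and report
# which of the two RDP approaches described above it is configured for.
# Assumption not stated on the page: the "Smart cards or Windows Hello for
# Business" checkbox in Local Resources is stored as redirectsmartcards:i:1.
# Server-side requirements (NLA policy, the Remote Sessions Enabled registry
# key, web sign-in permission) are on the remote machine, not in this file.
from typing import Dict, List, Union

Settings = Dict[str, Union[int, str]]


def parse_rdp(text: str) -> Settings:
    """Parse 'name:type:value' lines. Type 'i' is an integer, 's' a string;
    the value may itself contain colons (IPv6 address, host:port)."""
    settings: Settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed RDP setting: {line!r}")
        name, kind, value = parts[0].lower(), parts[1], parts[2]
        if kind == "i":
            settings[name] = int(value)
        elif kind in ("s", "b"):  # 'b' carries binary blobs; kept as text here
            settings[name] = value
        else:
            raise ValueError(f"unknown setting type {kind!r} in {line!r}")
    return settings


def readiness(text: str) -> Dict[str, List[str]]:
    """Unmet file-side requirements per approach (empty list means ready).
    Settings must be explicit; the client's built-in defaults are not assumed."""
    s = parse_rdp(text)
    cert: List[str] = []
    if s.get("enablecredsspsupport") != 0:
        cert.append("enablecredsspsupport:i:0 required (CredSSP disabled)")
    if s.get("redirectsmartcards") != 1:
        cert.append("redirectsmartcards:i:1 required (Smart cards redirected)")
    passkey: List[str] = []
    if s.get("authentication level") != 0:
        passkey.append("authentication level:i:0 required (Web login enabled)")
    return {"certificate-based": cert, "enterprise-passkey": passkey}


# Constructed sample files; the host names are placeholders.
CERT_RDP = "full address:s:ws01.corp.example\nenablecredsspsupport:i:0\nredirectsmartcards:i:1\n"
PASSKEY_RDP = "full address:s:ws02.corp.example\nauthentication level:i:0\n"
```

Run readiness() on an exported .rdp file before rollout; an empty list for an approach means the file side is in order and only the remote-machine settings remain to verify.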

User Account Control (UAC) and Run As

UAC is the Windows mechanism for privilege escalation — allowing standard users to run operations with administrator-level permissions. The two approaches have fundamentally different behavior here.

Certificate-Based Authentication

The HYPR smart card credential provider is loaded in UAC elevation prompts (CredentialBrokerUI.exe) and in Run as administrator dialogs. This enables fully passwordless privilege escalation.

Localized Run As (Helpdesk): An administrator and a standard user each register their accounts with separate mobile devices on the same workstation.

  1. The standard user right-clicks an application and selects Run as administrator.
  2. The HYPR Mobile App option appears in the UAC prompt.
  3. The administrator authenticates on their paired mobile device.
  4. The application opens with administrator permissions — no password entered.

Single-Device Privilege Escalation: The administrator registers their admin account on the same mobile device as the standard user.

  1. Shift+right-click the HYPR Passwordless client icon, select Run as administrator, and enter local admin credentials to open HYPR Passwordless as the admin.
  2. Register the admin account with the same HYPR Mobile App. The app now shows both accounts.
  3. When the standard user selects Run as administrator on any application, they choose the HYPR Mobile App option and authenticate against the admin account.

For step-by-step instructions, see Allowing Passwordless Run-As.

Enterprise Passkey

UAC elevation is not supported with Enterprise Passkey. Windows does not load the FIDO2 credential provider in CredentialBrokerUI.exe, so the HYPR passkey tile does not appear in UAC prompts or Run as administrator dialogs.

Users on Enterprise Passkey deployments must use an alternative method for privilege escalation — such as a Windows Hello PIN or, where organizational policy permits, a password.

Microsoft Administrator Protection

Microsoft is developing a new elevation mechanism for Windows 11 called Administrator Protection, currently in Windows Insider Preview, that is intended to support passkey-based UAC elevation. Testing against Canary build 27881 shows that the feature does not load third-party credential providers and is limited to PIN with Entra-joined accounts. HYPR will evaluate support as this feature matures. This is a Windows platform limitation, not a HYPR product limitation.

UAC Summary

Capability | Certificate-Based | Enterprise Passkey
UAC elevation | Supported | Not supported (Windows limitation)
Helpdesk / Localized Run As | Supported | Not supported
Single-device privilege escalation | Supported | Not supported
Credential provider in UAC prompt | Smart card (HYPR) loaded | FIDO2 provider not loaded
Elevation fallback | Not required | Windows Hello PIN or password

Offline Authentication

Both approaches support offline authentication via an encrypted offline PIN, using the same underlying mechanism: the credential (certificate or passkey) is packaged in a PKCS12-compatible blob, encrypted with ECDH keys, and stored locally along with a set of pre-generated PINs.

When the mobile device or network is unavailable:

  1. The user opens the HYPR Mobile App and generates an offline PIN.
  2. The PIN is entered at the Windows login or lock screen.
  3. Windows validates the PIN against the locally stored encrypted credential.

After network access is restored, the next successful online authentication replenishes the PIN supply.

Recovery PINs — administrator-issued codes for users who have lost their mobile device — are also generated and managed identically under both approaches.

Desktop SSO (HYPRspeed)

HYPRspeed (desktop Single Sign-On to web applications after workstation unlock) is supported under both approaches when the workstation is unlocked using the HYPR Mobile App.

  • Certificate-based: After a mobile-app-based workstation unlock, navigating to a corporate SSO portal and entering the username triggers HYPRspeed.
  • Enterprise Passkey: After a passkey-based workstation unlock using the HYPR Mobile App, HYPRspeed works the same way as with certificate-based authentication — navigating to a corporate SSO portal and entering the username triggers the SSO flow.

HYPRspeed does not activate when the workstation is unlocked using a physical security key, smart card, Windows Hello, or any method other than the HYPR Mobile App.

Virtual Desktop Infrastructure (VDI)

Both approaches support non-persistent VDI golden image deployments using the same installation parameter.

Install HYPR Passwordless with HYPRNONPERSISTENTVDI=1. This defers machine-specific cryptographic setup (machine ID, ECDH keys) until after the golden image is deployed, ensuring each provisioned VM receives its own unique identity rather than sharing one copied from the image. After deployment, each VM self-configures on first boot.

This installation mode is separate from the Roaming Users feature. Whether roaming is enabled or disabled on the golden image determines whether the QR code login option appears on deployed VMs, but the two settings serve different purposes.

Physical Security Keys

Both approaches support physical security keys as an alternative authenticator to the HYPR Mobile App.

  • Certificate-based: Physical smart cards (for example, HID Crescendo) can be paired with the HYPR Passwordless client. The smart card holds the X.509 certificate and is used at login in place of the mobile app.
  • Enterprise Passkey: Physical FIDO2 security keys — including YubiKey 5 series, YubiKey C Bio, Feitian keys, IDEMIA smart cards, and HID Crescendo 4000 smart cards — can be provisioned directly to Entra ID through HYPR Control Center. Provisioning supports PIN management and, for biometric keys, fingerprint enrollment.

Feature Comparison Summary

Feature | Certificate-Based | Enterprise Passkey
Credential type | X.509 certificate | FIDO2 passkey
Credential authority | ADCS / PKI | Microsoft Entra ID
Windows auth protocol | Kerberos | FIDO2
Windows AD-joined | Supported | Not supported
Windows hybrid-joined | Supported | Supported
Windows Entra-joined | Not supported | Supported
macOS support | Yes | No
PKI infrastructure required | Yes | No
Entra ID required | No | Yes
Registration from workstation client | Yes | Yes
Registration from web or mobile | No | Yes
Certificate renewal | Automatic | Not applicable
Tap to Login | Supported | Supported
Roaming (QR cross-workstation login) | Supported | Supported
Single Registration (WS↔Web) | Supported | Supported
RDP — mechanism | Smart card certificate forwarding | Web-based FIDO2 sign-in
RDP — NLA must be disabled | Yes | No
RDP — device-initiated flow | Supported | Not supported
RDP — Scan QR to Login | Supported (Roaming Users required) | Not applicable
UAC / Run As elevation | Supported | Not supported (Windows limitation)
Helpdesk / Localized Run As | Supported | Not supported
Offline PIN | Supported | Supported
Recovery PIN | Supported | Supported
Desktop SSO (HYPRspeed) | Supported | Supported
Non-persistent VDI | Supported | Supported
Physical security keys | Smart card (X.509) | FIDO2 hardware keys