
Support FIDO2 (Phishing‑Resistant) Authentication for Power BI On‑Premises Data Gateway

 

Description / Problem

Our organization has fully enforced phishing‑resistant authentication methods for all employees and administrative accounts, in line with Microsoft security best practices. These include passkeys and FIDO2 hardware security keys (for example, YubiKey).

However, we currently need to maintain Power BI on‑premises data gateway (February 2026 version) as an exception to these policies.

The reason is that the embedded web authentication engine used by the gateway does not support FIDO2 authentication. Because of this limitation, we are unable to enforce phishing‑resistant authentication methods for gateway sign‑in and administration.


Current Behavior

The Power BI on‑premises data gateway currently supports:

  • Password‑based authentication, or
  • Passwordless authentication using number matching

While number matching improves security, it does not meet the definition of phishing‑resistant authentication required by many enterprise security and compliance standards.


Impact

  • Forces organizations to maintain authentication exceptions
  • Creates a security gap in otherwise fully phishing‑resistant environments
  • Prevents full alignment with Zero Trust and passwordless‑first strategies
  • Affects enterprises with strict regulatory, compliance, or security mandates

Requested Enhancement

Please add FIDO2 authentication support (passkeys and hardware security keys) to the Power BI on‑premises data gateway in a future update.

This would allow organizations to:

  • Fully enforce phishing‑resistant authentication across all Fabric and Power BI components
  • Eliminate password‑based authentication for gateway administration
  • Align the gateway with Microsoft’s broader identity and security roadmap
Status: New