Using FIDO2 authenticators with a new tenant URL

FIDO2 authenticators are bound to the portal URL they were registered on. If your company gets a new portal URL, because you configured a tenant URL or for another reason, users with FIDO2 authenticators must log in at the new URL and re-activate their authenticators. Users who do not activate their authenticators on the new URL will not see their authenticator offered as an authentication option there. For example, if you are changing the URL from "https://aad0123.my.abc.com" to "https://company.my.abc.com", then users who authenticated to "https://aad0123.my.abc.com" with their FIDO2 authenticator must log in at the new URL (https://company.my.abc.com) and activate their authenticator.
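The reason behind this requirement is the WebAuthn relying-party ID check: a FIDO2 credential is scoped to the host name it was registered on, and the server verifies that the `rpIdHash` in every assertion equals SHA-256 of the RP ID it expects. The following is an added illustration of that check, not code from Privileged Access Service; the authenticator data, the registration records and the `usable_authenticators` model of "which authenticators are offered" are constructed for the example, using the two portal URLs from this page.

```python
import hashlib
import struct

# Portal URLs from this page; the WebAuthn RP ID is the host part of the origin.
OLD_PORTAL = "https://aad0123.my.abc.com"
NEW_PORTAL = "https://company.my.abc.com"

FLAG_USER_PRESENT = 0x01


def rp_id_from_url(url: str) -> str:
    """Derive the relying-party ID (the host name) from a portal URL."""
    return url.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()


def build_authenticator_data(rp_id: str, counter: int, flags: int = FLAG_USER_PRESENT) -> bytes:
    """Constructed sample authenticator data: rpIdHash (32) || flags (1) || signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def verify_rp_binding(auth_data: bytes, expected_rp_id: str) -> bool:
    """Server-side step of WebAuthn assertion verification: the first 32 bytes of
    authenticatorData must equal SHA-256 of the RP ID this portal expects, and the
    user-present flag must be set. Anything registered for another host fails here."""
    if len(auth_data) < 37:
        return False
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    return bool(flags & FLAG_USER_PRESENT)


def usable_authenticators(registrations: dict, portal_url: str) -> list:
    """Simplified model (an assumption, not the product's logic): only authenticators
    whose stored RP ID matches the portal being used are offered as a login option."""
    rp_id = rp_id_from_url(portal_url)
    return [label for label, reg in registrations.items() if reg["rp_id"] == rp_id]


if __name__ == "__main__":
    # Constructed registration record from before the URL change.
    registrations = {"security-key": {"rp_id": rp_id_from_url(OLD_PORTAL)}}
    old_assertion = build_authenticator_data(rp_id_from_url(OLD_PORTAL), counter=7)
    print("old portal accepts:", verify_rp_binding(old_assertion, rp_id_from_url(OLD_PORTAL)))
    print("new portal accepts:", verify_rp_binding(old_assertion, rp_id_from_url(NEW_PORTAL)))
    print("offered on new portal before re-activation:", usable_authenticators(registrations, NEW_PORTAL))
    # Re-activation registers the same device under the new RP ID.
    registrations["security-key-reactivated"] = {"rp_id": rp_id_from_url(NEW_PORTAL)}
    print("offered on new portal after re-activation:", usable_authenticators(registrations, NEW_PORTAL))
```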

Verify the following to ensure a smooth transition for your users:

  1. You have configured an alternative authentication mechanism for FIDO2 users so they can log in with the new URL and activate their FIDO2 authenticator(s). For example, if you have a role containing all your users with FIDO2 authenticator(s), then make sure the authentication profile associated with that role has email address or security questions enabled. See Authentication mechanisms for information about each authentication mechanism.
  2. You have confirmed with the relevant users that they can log in to Privileged Access Service using the alternative authentication mechanisms and they have re-activated the FIDO2 authenticator(s). Instructions for users to activate their FIDO2 authenticator(s) are here: Using FIDO2 Authenticators.