Passwords are the weakest link in most authentication chains. They get phished, reused, stolen in data breaches, and brute-forced. Passwordless authentication removes the password from the sign-in flow and replaces it with something you have (a hardware security key, or a device with a TPM) that is unlocked by something you are (a biometric) or something you know (a PIN that only works on that device and is never sent to the server).
Microsoft supports three main passwordless methods: Windows Hello for Business, FIDO2 security keys, and the Microsoft Authenticator app. This guide covers how to deploy Windows Hello for Business and FIDO2 keys through Intune and Entra ID.
Why Passwordless?
🔍 Overview
Traditional MFA (password plus an authenticator code or push approval) still falls to real-time phishing: an adversary-in-the-middle proxy relays the password and the one-time code to the real login page while the victim sees a convincing look-alike. Passwordless methods built on public-key cryptography are phishing-resistant by design. The private key never leaves the device or security key, and the signature it produces is bound to the origin the browser actually connected to, so a proxy sitting on a different domain gets a signature it cannot replay against the real service.
- Windows Hello for Business: replaces the password at Windows sign-in with a biometric (face/fingerprint) or PIN, backed by a device-bound cryptographic key in the TPM
- FIDO2 security keys: physical USB/NFC keys (YubiKey, etc.) that store a cryptographic key. Touch the key to authenticate - works for both Windows sign-in and web apps
- Microsoft Authenticator: phone-based passwordless using biometrics on the phone, backed by a key pair registered to your Entra ID account
Part 1: Windows Hello for Business
🔐 Windows Hello
Windows Hello for Business (WHfB) is the primary passwordless method for Entra joined and hybrid-joined Windows devices. Once enrolled, users sign into Windows with their face, fingerprint, or a device-specific PIN. The gesture unlocks a private key held in the device's TPM; the password still exists in the directory, but it is no longer entered at sign-in.
Enable via Intune Policy
User Experience
After the policy applies, users are prompted to set up Windows Hello during their next sign-in. They verify their identity with their existing MFA method, then enrol their biometric or PIN. From that point on, they sign into Windows with their face, fingerprint, or PIN - no password entered at the Windows lock screen.
Part 2: FIDO2 Security Keys
🔑 FIDO2
FIDO2 security keys (YubiKey, Feitian, etc.) are physical hardware authenticators. They are the gold standard for phishing-resistant MFA - the private key is stored on the key and never leaves it. They work for Windows sign-in, web browsers, and any app that supports WebAuthn.
Enable FIDO2 in Entra ID
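The same change made from a script instead of the portal, as an added example that is not part of the original guide: it enables the FIDO2 security key method for all users through the Microsoft Graph PowerShell SDK, turns attestation enforcement on, and reads the policy back to confirm. It assumes the Microsoft.Graph.Identity.SignIns module and an admin holding the Policy.ReadWrite.AuthenticationMethod permission; the AAGUID allow-list is a placeholder you fill from your key vendor's documentation.

```powershell
# Added example, not part of the original guide. Enables the FIDO2 security key
# authentication method in Entra ID through the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph.Identity.SignIns module and an admin holding
# Policy.ReadWrite.AuthenticationMethod. $AllowedAaguids is a placeholder list.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

# Optional allow-list of key models by AAGUID, taken from the vendor's documentation.
# Leave it empty to accept any key that passes attestation.
$AllowedAaguids = @()

$fido2 = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true   # users register at mysignins.microsoft.com
    isAttestationEnforced            = $true   # reject keys that cannot prove their make and model
    keyRestrictions = @{
        isEnforced      = ($AllowedAaguids.Count -gt 0)   # only restrict when a list is supplied
        enforcementType = 'allow'
        aaGuids         = $AllowedAaguids
    }
    includeTargets = @(
        @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false }
    )
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Fido2' -BodyParameter $fido2

# Verify. The SDK returns the base type, so the FIDO2-specific fields sit in AdditionalProperties.
$cfg = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Fido2'
[pscustomobject]@{
    State               = $cfg.State
    SelfServiceEnabled  = $cfg.AdditionalProperties['isSelfServiceRegistrationEnabled']
    AttestationEnforced = $cfg.AdditionalProperties['isAttestationEnforced']
    KeyRestrictions     = ($cfg.AdditionalProperties['keyRestrictions'] | ConvertTo-Json -Compress)
}
```

Attestation enforcement is the check worth keeping on: it is what lets the AAGUID allow-list mean anything, since an unattested key can claim any model it likes.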
Enable FIDO2 Sign-in on Windows
To allow users to sign into Windows devices with a FIDO2 key, enable the "Use security keys for sign-in" setting in an Intune device configuration profile (the Identity protection template exposes it; under the hood it sets the PassportForWork CSP node SecurityKey/UseSecurityKeyForSignin). Without it the key works for web apps but the sign-in screen shows no security key option.
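Both Intune settings in this guide (the Windows Hello for Business policy from Part 1 and the security key sign-in setting above) live in the same PassportForWork CSP, so one script can create and assign both profiles. The following is an added example, not the guide's own configuration or Microsoft's sample code: it creates two custom OMA-URI device configuration profiles through Microsoft Graph and assigns them to a device group. It assumes the Microsoft.Graph.Authentication module, an admin holding DeviceManagementConfiguration.ReadWrite.All, and a placeholder group ID you replace with your pilot device group.

```powershell
# Added example, not part of the original guide. Creates two Intune custom (OMA-URI)
# device configuration profiles through Microsoft Graph and assigns them to a group.
# Assumes the Microsoft.Graph.Authentication module and an admin holding
# DeviceManagementConfiguration.ReadWrite.All. $TargetGroupId is a placeholder.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$TenantId      = (Get-MgContext).TenantId
$TargetGroupId = '<device-group-object-id>'               # placeholder: Entra group of pilot devices
$Graph         = 'https://graph.microsoft.com/v1.0'
$Pfw           = './Device/Vendor/MSFT/PassportForWork'   # PassportForWork CSP root

# Build one OMA-URI setting; booleans and integers map to different Graph types.
function New-OmaSetting {
    param([string]$Name, [string]$Uri, $Value)
    $type = if ($Value -is [bool]) { 'omaSettingBoolean' } else { 'omaSettingInteger' }
    @{ '@odata.type' = "#microsoft.graph.$type"; displayName = $Name; omaUri = $Uri; value = $Value }
}

# Create a windows10CustomConfiguration profile and assign it to a group; returns the profile ID.
function New-CustomProfile {
    param([string]$DisplayName, [string]$Description, [array]$Settings, [string]$GroupId)
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = $Description
        omaSettings   = $Settings
    }
    $created = Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/deviceConfigurations" `
                                     -Body $body -ContentType 'application/json'
    $assignment = @{
        assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } })
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/deviceConfigurations/$($created.id)/assign" `
                          -Body $assignment -ContentType 'application/json' | Out-Null
    return $created.id
}

# Part 1: Windows Hello for Business. Turn it on, require a TPM (no software-only keys),
# raise the PIN floor above the CSP default of 4, and allow biometric unlock.
$whfbSettings = @(
    New-OmaSetting 'Use WHfB'           "$Pfw/$TenantId/Policies/UsePassportForWork" $true
    New-OmaSetting 'Require TPM'        "$Pfw/$TenantId/Policies/RequireSecurityDevice" $true
    New-OmaSetting 'Minimum PIN length' "$Pfw/$TenantId/Policies/PINComplexity/MinimumPINLength" 6
    New-OmaSetting 'Allow biometrics'   "$Pfw/Biometrics/UseBiometrics" $true
)
$whfbId = New-CustomProfile 'WHfB - enable (TPM required)' 'Windows Hello for Business via PassportForWork CSP' $whfbSettings $TargetGroupId

# Part 2: allow FIDO2 security keys at the Windows sign-in screen (1 = enabled).
$fidoSettings = @(
    New-OmaSetting 'Use security keys for sign-in' "$Pfw/SecurityKey/UseSecurityKeyForSignin" 1
)
$fidoId = New-CustomProfile 'FIDO2 - Windows sign-in' 'Security key sign-in via PassportForWork CSP' $fidoSettings $TargetGroupId

# Read both profiles back and print their OMA-URI settings to confirm what was created.
foreach ($id in @($whfbId, $fidoId)) {
    $p = Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceManagement/deviceConfigurations/$id"
    '{0}: {1}' -f $p.displayName, (($p.omaSettings | ForEach-Object { "$($_.omaUri)=$($_.value)" }) -join '; ')
}
```

RequireSecurityDevice is the line to keep: without it a device with no (or a failed) TPM silently falls back to a software-protected key, which breaks the "device-bound" property that makes WHfB phishing-resistant.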
User Enrolment
Users register their FIDO2 key at mysignins.microsoft.com → Security info → Add sign-in method → Security key. Adding a security key is an MFA-protected action, so they first satisfy their existing MFA method, then plug in the key, touch it to confirm, set a PIN for the key, and it's registered.
Enforce Passwordless with Conditional Access
🔒 Enforcement
Once users are enrolled, enforce passwordless sign-in with a Conditional Access policy that uses an Authentication Strength grant control:
The built-in Phishing-resistant MFA authentication strength allows only Windows Hello for Business, FIDO2 security keys, and certificate-based authentication - the methods whose credential is bound to the device or key and cannot be relayed by a phishing proxy. Microsoft Authenticator phone sign-in is not in this strength (it sits in the weaker Passwordless MFA strength), so users who only have the app will be blocked. Roll the policy out in report-only mode to a pilot group first, and always exclude your break-glass accounts.
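The policy described above as an added example, not a configuration taken from the original guide: it resolves the built-in Phishing-resistant MFA strength by name (and prints the method combinations it permits, so the absence of Authenticator phone sign-in is visible), then creates the Conditional Access policy in report-only mode scoped to a pilot group with the break-glass group excluded. It assumes the Microsoft.Graph.Identity.SignIns module, an admin with Policy.ReadWrite.ConditionalAccess and Policy.Read.All, and two placeholder group IDs.

```powershell
# Added example, not part of the original guide. Creates a Conditional Access policy that
# requires the built-in "Phishing-resistant MFA" authentication strength, scoped to a pilot
# group, excluding break-glass accounts, in report-only mode. Assumes the
# Microsoft.Graph.Identity.SignIns module and an admin with Policy.ReadWrite.ConditionalAccess
# and Policy.Read.All. Both group IDs are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$PilotGroupId      = '<pilot-users-group-object-id>'   # placeholder
$BreakGlassGroupId = '<break-glass-group-object-id>'   # placeholder: never let CA lock these out

# Resolve the built-in strength by name rather than hard-coding its ID, and show which
# method combinations it permits (WHfB, FIDO2, multi-factor certificate; no phone sign-in).
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.PolicyType -eq 'builtIn' -and $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw 'Built-in Phishing-resistant MFA strength not found' }
'Using strength {0} ({1}): {2}' -f $strength.DisplayName, $strength.Id, ($strength.AllowedCombinations -join ', ')

$policy = @{
    displayName = 'Passwordless pilot - require phishing-resistant MFA'
    state       = 'enabledForReportingButNotEnforced'   # report-only; set to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'Created policy {0} in state {1}' -f $created.Id, $created.State
```

Leave it in report-only for a week and review the sign-in logs for the pilot group: any user whose sign-ins show "would have been blocked" still has only the Authenticator app or a password and needs to enrol before the policy is switched to enabled.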