Configure passwordless sign-in on Surface Hub

When you sign in to Surface Hub, you’ll see all your meetings and all your recent Microsoft 365 files. You can open your presentation, document, whiteboard, or workbook without having to project from a PC or send the file.

Passwordless sign-in simplifies access to your apps, meetings, and files. Surface Hub supports signing in using the Microsoft Authenticator app and FIDO2 security keys provided by your organization.

Organization prerequisites

To let people in your organization sign in to Surface Hub with their phones and other devices instead of a password, you’ll need to make sure that your organization meets these prerequisites:

  • Your organization must be a hybrid or cloud-only organization, backed by Microsoft Entra ID. For more information, see What is Microsoft Entra ID?

  • Make sure you have at minimum a Microsoft 365 E3 subscription.

  • Configure Multi-Factor Authentication. Make sure Notification through mobile app is selected.

  • Enable content hosting on Microsoft Entra services such as Office, SharePoint, etc.

  • Surface Hub must be running Windows 10, version 1703 or later.

  • Surface Hub is set up with either a local or domain-joined account.

To learn more see:

Configure sign-in using Microsoft Authenticator app

Starting with the Windows 10 Team 2020 Update, you can sign in with your preferred email alias in Microsoft Entra ID or your User Principal Name (UPN) to sign in with Microsoft Authenticator. For example:

  • Preferred alias format:
  • UPN format:

The Microsoft Authenticator app helps you sign-in to Surface Hub using your mobile device. To configure sign-in using Microsoft Authenticator:

  1. On your mobile device, download the Microsoft Authenticator app.
  2. On your PC, setup the Microsoft Authenticator app from the Security info page for your work or school account.
  3. From the Microsoft Authenticator app on your mobile device, turn on and use phone sign-in for your work or school account.

Configure sign-in using FIDO2 security keys


Passwordless sign-in on Surface Hub using FIDO2 security keys requires the Windows 10 Team 2020 Update.


Surface Hub only supports USB security keys.

You can also sign into Surface Hub using a FIDO2 security key provided by your organization.

To configure sign-in using a security key

  1. On your PC, go to your page and sign in to your work or school account.
  2. Select Security info > Add sign-in method.
  3. Select Security key from the drop-down list, and then select Add.
  4. On the Security key page, choose USB device.
  5. Have your security key ready and select Next. In the dialog box that appears, follow the instructions to insert the security key, create or enter a PIN, and perform the required gesture (either biometric or touch).
  6. On the Security key page, give your security key a name, then select Next. Select Done to complete the process.

Sign in to Surface Hub

Once you've configured passwordless sign-in, you can use it to make it easier to access your apps, meetings, and files on the Surface Hub.

Sign in during a meeting

  1. After you’ve set up a meeting, go to the Surface Hub and select Sign in to see your meetings and files.
  2. You’ll see a list of the people invited to the meeting. Select yourself (or the person who wants to sign in – make sure this person has gone through the steps to set up their device before your meeting), and then select Continue. You'll see a code on the Surface Hub.
  3. To approve the sign-in, open the Authenticator app, enter the four-digit code that’s displayed on the Surface Hub, and select Approve. You will then be asked to enter the PIN or use your fingerprint to complete the sign in. You can now access all files through the OneDrive app.

Sign in to apps

  • Quickly sign in to Microsoft apps like Whiteboard, PowerPoint, Word, Excel, OneDrive, and Power BI.
  • Once you've signed into Surface Hub, you can use other apps without having to sign in again until you select End session. Selecting End session deletes your credentials, files, and personal data from the device. For more information, see End session.

Learn more