Passwords are a primary attack vector. Bad actors use social engineering, phishing, and spray attacks to compromise passwords. A passwordless authentication strategy mitigates the risk of these attacks.
Microsoft offers three passwordless authentication options that integrate with Microsoft Entra ID: Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys.
The Microsoft Entra admin center has a passwordless methods wizard that helps you select the appropriate method for each of your audiences.
Microsoft's passwordless authentication methods enable many scenarios. Consider your organizational needs, prerequisites, and the capabilities of each authentication method to select your passwordless authentication strategy.
The following table lists the passwordless authentication methods by device type.
Device types | Passwordless authentication method |
---|---|
Dedicated non-Windows devices | Microsoft Authenticator; Security keys |
Dedicated Windows 10 computers (version 1703 and later) | Windows Hello for Business; Security keys |
Dedicated Windows 10 computers (before version 1703) | Windows Hello for Business; Microsoft Authenticator app |
Shared devices: tablets and mobile devices | Microsoft Authenticator; One-time password sign-in |
Kiosks (Legacy) | Microsoft Authenticator |
Kiosks and shared computers (Windows 10) | Security keys; Microsoft Authenticator app |
Ensure you meet the prerequisites before starting your passwordless deployment.
Here are the least privileged roles required for this deployment:
Microsoft Entra role | Description |
---|---|
User Administrator or Global Administrator | To implement combined registration experience. |
Authentication Administrator | To implement and manage authentication methods. |
User | To configure Authenticator app on device, or to enroll security key device for web or Windows 10 sign-in. |
As part of this deployment plan, we recommend that passwordless authentication be enabled for all privileged accounts.
The prerequisites are determined by your selected passwordless authentication methods.
Prerequisite | Microsoft Authenticator | FIDO2 Security Keys |
---|---|---|
Combined registration for Microsoft Entra multifactor authentication and self-service password reset (SSPR) is enabled | √ | √ |
Users can perform Microsoft Entra multifactor authentication | √ | √ |
Users have registered for Microsoft Entra multifactor authentication and SSPR | √ | √ |
Users have registered their mobile devices to Microsoft Entra ID | √ | |
Windows 10 version 1809 or higher using a supported browser like Microsoft Edge or Mozilla Firefox (version 67 or higher). Microsoft recommends version 1903 or higher for native support. | | √ |
Compatible security keys. Ensure that you're using a Microsoft-tested and verified FIDO2 security key, or other compatible FIDO2 security key. | | √ |
The prerequisites and deployment paths for Windows Hello for Business are highly dependent on whether you're deploying in an on-premises, hybrid, or cloud-only configuration. It's also dependent on your device join strategy.
Select Windows Hello for Business and complete the wizard to determine the prerequisites and deployment appropriate for your organization.
The wizard will use your inputs to craft a step-by-step plan for you to follow.
When technology projects fail, it's typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, ensure that you're engaging the right stakeholders and that stakeholder roles in the project are well understood.
When you deploy passwordless authentication, you should first enable one or more pilot groups. You can create groups specifically for this purpose. Add the users who will participate in the pilot to the groups. Then, enable new passwordless authentication methods for the selected groups.
Your communications to end users should include the following information:
Microsoft provides communication templates for end users. Download the authentication rollout material to help draft your communications. The rollout materials include customizable posters and email templates that you can use to inform your users about upcoming passwordless authentication options in your organization.
Users register their passwordless method as a part of the combined security information workflow at https://aka.ms/mysecurityinfo. Microsoft Entra logs registration of security keys and the Authenticator app, and any other changes to the authentication methods.
For a first-time user who doesn't have a password, admins can provide a Temporary Access Pass (TAP) so the user can register their security information at https://aka.ms/mysecurityinfo. A TAP is a time-limited passcode that satisfies strong authentication requirements and is issued per user.
A TAP can also be used for easy recovery when a user has lost or forgotten an authentication factor, such as a security key or the Authenticator app, but needs to sign in to register a new strong authentication method.
Note
If you can't use the security key or the Authenticator app for some scenarios, multifactor authentication with a username and password along with another registered method can be used as a fallback option.
Microsoft Authenticator turns any iOS or Android phone into a strong, passwordless credential. It's a free download from Google Play or the Apple App Store. Have users download Microsoft Authenticator and follow the directions to enable phone sign-in.
Active Directory Federation Services (AD FS) Integration - When a user enables the Authenticator passwordless credential, authentication for that user defaults to sending a notification for approval. Users in a hybrid tenant are not directed to AD FS for sign-in unless they select "Use your password instead." This process also bypasses any on-premises Conditional Access policies and pass-through authentication (PTA) flows. However, if a login_hint is specified, the user is forwarded to AD FS and bypasses the option to use the passwordless credential. For non-Microsoft 365 applications that use AD FS for authentication, Microsoft Entra Conditional Access policies are not applied, so you need to set up access control policies within AD FS.
MFA server - End users enabled for multifactor authentication through an organization's on-premises MFA server can create and use a single passwordless phone sign-in credential. If the user attempts to upgrade multiple installations (5 or more) of the Authenticator app with the credential, this change may result in an error.
Device registration - To use the Authenticator app for passwordless authentication, the device must be registered in the Microsoft Entra tenant and can't be a shared device. A device can only be registered in a single tenant. This limit means that only one work or school account is supported for phone sign-in using the Authenticator app.
Follow the steps in the article, Enable passwordless sign-in with Microsoft Authenticator to enable the Authenticator app as a passwordless authentication method in your organization.
The following are sample test cases for passwordless authentication with the Authenticator app:
Scenario | Expected results |
---|---|
User can register the Authenticator app. | User can register app from https://aka.ms/mysecurityinfo. |
User can enable phone sign-in | Phone sign-in configured for work account. |
User can access an app with phone sign-in. | User goes through phone sign-in flow and reaches application. |
Test rolling back phone sign-in registration by turning off passwordless sign-in in the Authenticator app. Do this within the Authentication methods screen in the Microsoft Entra admin center. | Previously enabled users are unable to use passwordless sign-in from the Authenticator app. |
Removing phone sign-in from the Authenticator app | Work account no longer available on the Authenticator app. |
Scenario | Solution |
---|---|
User cannot perform combined registration. | Ensure combined registration is enabled. |
User cannot enable phone sign-in in the Authenticator app. | Ensure the user is in scope for the deployment. |
User is NOT in scope for passwordless authentication, but is presented with a passwordless sign-in option they cannot complete. | Occurs when the user enabled phone sign-in in the app before the policy was created. To enable sign-in, add the user to a group of users enabled for passwordless sign-in. To block sign-in, have the user remove their credential from the app. |
Enable compatible security keys. Here is a list of FIDO2 security key providers that provide keys known to be compatible with the passwordless experience.
Prepare for and plan the key lifecycle.
Key distribution - Plan how to provision keys to your organization. You may have a centralized provisioning process or allow end users to purchase FIDO 2.0-compatible keys.
Key activation - End users must self-activate the security key. End users register their security keys and enable the second factor (PIN or biometric) at first use. First-time users can use a TAP to register their security information.
Disabling a key - If an administrator wishes to remove a FIDO2 key associated with a user account, they can do so by deleting the key from the user's authentication methods. For more information, see Disable a key.
Issue a new key - The user can register the new FIDO2 key.
There are three types of passwordless sign-in deployments available with security keys:
Microsoft Entra web apps on a supported browser
Microsoft Entra joined Windows 10 devices
Microsoft Entra hybrid joined Windows 10 devices
Enabling Windows 10 sign-in using FIDO2 security keys requires you to enable the credential provider functionality in Windows 10. Choose one of the following:
Enable credential provider with Microsoft Intune
Enable credential provider with a provisioning package
If Microsoft Intune deployment isn't possible, administrators must deploy a package on each machine to enable the credential provider functionality. The package installation can be carried out by one of the following options:
Enable credential provider with Group Policy
When you deploy security keys, you can optionally restrict the use of FIDO2 keys to specific manufacturers approved by your organization. Restricting keys requires the Authenticator Attestation GUID (AAGUID) of each key model, which the key reports during registration.
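To show what an AAGUID restriction actually operates on, here is an added example (not from this article and not Microsoft's implementation) that parses the AAGUID out of the WebAuthn authenticator data returned at registration and evaluates it against an allow or block list in the spirit of the Entra key restriction setting; the authenticator data blob, the credential ID and the AAGUID are constructed placeholders, and the policy dict shape is an assumption for this example.

```python
import uuid

# WebAuthn authenticatorData layout in a registration response:
#   rpIdHash[32] | flags[1] | signCount[4] | attestedCredentialData
# attestedCredentialData = aaguid[16] | credentialIdLength[2] | credentialId | COSE public key
FLAG_AT = 0x40  # "attested credential data included"


def extract_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the authenticator's AAGUID from a registration authenticatorData blob."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data, so no AAGUID")
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("attested credential data truncated")
    return uuid.UUID(bytes=auth_data[37:53])


def key_permitted(aaguid: uuid.UUID, policy: dict) -> bool:
    """Evaluate an AAGUID against a key restriction policy.

    The policy keys (is_enforced, enforcement_type 'allow'|'block', aaguids) are
    an assumption for this example that mirrors the allow/block choice in the
    Entra FIDO2 method settings; this dict is not an Entra API object.
    """
    if not policy["is_enforced"]:
        return True
    listed = aaguid in policy["aaguids"]
    return listed if policy["enforcement_type"] == "allow" else not listed


def check_registration(auth_data: bytes, policy: dict) -> bool:
    """True if the registering key's AAGUID satisfies the policy."""
    return key_permitted(extract_aaguid(auth_data), policy)


# Constructed sample data: a placeholder AAGUID (not a real vendor's) and a minimal
# authenticatorData blob with the UP (0x01), UV (0x04) and AT (0x40) flags set.
SAMPLE_AAGUID = uuid.UUID("00000000-0000-4000-8000-00000000cafe")
SAMPLE_AUTH_DATA = (
    b"\x00" * 32                   # rpIdHash (zeroed for the sample)
    + bytes([0x01 | 0x04 | 0x40])  # flags: UP | UV | AT
    + (0).to_bytes(4, "big")       # signCount
    + SAMPLE_AAGUID.bytes          # AAGUID
    + (16).to_bytes(2, "big")      # credentialIdLength
    + b"\x11" * 16                 # credentialId (constructed)
    + b"\xa5"                      # start of the COSE key (truncated; not parsed here)
)
ALLOW_SAMPLE = {"is_enforced": True, "enforcement_type": "allow", "aaguids": {SAMPLE_AAGUID}}
BLOCK_SAMPLE = {"is_enforced": True, "enforcement_type": "block", "aaguids": {SAMPLE_AAGUID}}
```

Entra performs this check server-side when key restrictions are configured; the value to collect from each approved key model is the 16-byte AAGUID shown here.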
Follow the steps in the article Enable passwordless security key sign-in to enable FIDO2 security key as a passwordless authentication method in your organization.
Here are the sample test cases for passwordless authentication with security keys:
Scenario (Windows build) | Expected results |
---|---|
The user can register FIDO2 device (1809) | User can register FIDO2 device at Settings > Accounts > Sign-in options > Security Key |
The user can reset FIDO2 device (1809) | User can reset FIDO2 device using manufacturer software |
The user can sign in with FIDO2 device (1809) | User can select Security Key from the sign-in window, and successfully sign in. |
The user can register FIDO2 device (1903) | User can register FIDO2 device at Settings > Accounts > sign in options > Security Key |
The user can reset FIDO2 device (1903) | User can reset FIDO2 device at Settings > Accounts > sign in options > Security Key |
The user can sign in with FIDO2 device (1903) | User can select Security Key from the sign-in window, and successfully sign in. |
Scenario | Expected results |
---|---|
The user can register FIDO2 device at aka.ms/mysecurityinfo using Microsoft Edge | Registration should succeed |
The user can register FIDO2 device at aka.ms/mysecurityinfo using Firefox | Registration should succeed |
The user can sign in to OneDrive online using FIDO2 device using Microsoft Edge | Sign-in should succeed |
The user can sign in to OneDrive online using FIDO2 device using Firefox | Sign-in should succeed |
Test rolling back FIDO2 device registration by turning off FIDO2 Security Keys within the Authentication methods window in the Microsoft Entra admin center | Users will: (1) be prompted to sign in using their security key; (2) successfully sign in and see an error: "Your company policy requires that you use a different method to sign in"; (3) be able to select a different method and successfully sign in. Close the window and sign in again to verify they do not see the same error message. |
Scenario | Solution |
---|---|
User can't perform combined registration. | Ensure combined registration is enabled. |
User can't add a security key in their security settings. | Ensure that security keys are enabled. |
User can't add security key in Windows 10 sign-in options. | Ensure that security keys for Windows sign-in are enabled. |
Error message: We detected that this browser or OS doesn't support FIDO2 security keys. | Passwordless FIDO2 security devices can only be registered in supported browsers (Microsoft Edge, Firefox version 67) on Windows 10 version 1809 or higher. |
Error message: Your company policy requires that you use a different method to sign in. | Ensure security keys are enabled in the tenant. |
User unable to manage their security key on Windows 10 version 1809 | Version 1809 requires that you use the security key management software provided by the FIDO2 key vendor. Contact the vendor for support. |