Entra ID passwordless authentication

The realistic options for going passwordless in Microsoft 365 — Authenticator, FIDO2, Windows Hello, and passkeys.

Passwords are the worst part of identity: weak, reused, phishable, expensive to support. Microsoft has been building toward passwordless for a decade and as of 2026 you can realistically run a Microsoft 365 tenant without users typing passwords at all.

Why passwordless

  • Phishing resistance — well-implemented passwordless methods cannot be phished.
  • Better UX — nothing to remember, no resets, and a fingerprint scan replaces typing.
  • Lower support cost — password reset tickets disappear.
  • Compliance — many frameworks now require phishing-resistant MFA for privileged users.

The realistic methods

Microsoft Authenticator (passwordless mode)

The Microsoft Authenticator app on iOS/Android supports passwordless sign-in: the user types their username, Authenticator pops a match-the-number prompt with location and app context, biometrics confirm, sign-in completes. This is the easiest passwordless option to roll out and is suitable for most users.

Windows Hello for Business

For Windows devices, Windows Hello for Business binds a user's identity to that device, unlocked by biometrics or a PIN. The device's secure hardware (TPM) signs the authentication request. Strong, phishing-resistant, and zero-friction once enrolled.

FIDO2 security keys

Hardware FIDO2 keys (YubiKey, Feitian, Token2, Windows Hello-compatible smartcards) are external authenticators: the user inserts or taps the key and touches it to confirm. Best-in-class phishing resistance, ideal for admins, executives, and high-risk users. They work cross-device.

Passkeys

Passkeys are FIDO2 credentials stored in the OS/browser keychain (iOS Keychain, Google Password Manager, 1Password, Microsoft Authenticator). They sync across a user's devices and provide passwordless sign-in. Microsoft Authenticator supports passkeys for Entra ID; native OS passkey support for Entra ID continues to expand.

Certificate-based authentication (CBA)

For organisations with PKI in place — common in government, defence, and regulated industries — Entra ID supports certificate-based authentication directly. Smart cards and X.509 certificates authenticate without a password.

Rollout strategy

A practical sequence:

  1. MFA on for everyone — table stakes.
  2. Microsoft Authenticator passwordless rolled out tenant-wide.
  3. Windows Hello for Business deployed via Intune to managed Windows devices.
  4. FIDO2 keys issued to admins (every privileged role) and executives.
  5. Remove the password as a sign-in option, via Authentication Methods policies, for users who have adopted the methods above.
  6. Combined registration so users self-enrol multiple methods on first sign-in.
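To see where a tenant stands against steps 4 and 5, a readiness check can be run over the registration report. This is an added example, not code from the original page or from Microsoft; it assumes records shaped like Microsoft Graph's `/reports/authenticationMethods/userRegistrationDetails` output (the field names and `methodsRegistered` values are assumptions about that schema), and the user records are constructed sample data.

```python
# Classify users against the rollout steps on this page using constructed
# records shaped like Graph userRegistrationDetails (schema is an assumption).

# Methods the page treats as phishing-resistant (device-bound FIDO2 family).
PHISHING_RESISTANT = {
    "fido2SecurityKey",
    "windowsHelloForBusiness",
    "passKeyDeviceBound",
    "passKeyDeviceBoundAuthenticator",
}
# Authenticator passwordless sign-in counts as passwordless for step 5,
# but is not in the phishing-resistant set required of admins in step 4.
PASSWORDLESS = PHISHING_RESISTANT | {"microsoftAuthenticatorPasswordless"}

# Constructed sample data, not real tenant output.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "isAdmin": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "fido2SecurityKey"]},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": True,
     "methodsRegistered": ["microsoftAuthenticatorPasswordless"]},
    {"userPrincipalName": "carol@contoso.example", "isAdmin": False,
     "methodsRegistered": ["windowsHelloForBusiness", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "dave@contoso.example", "isAdmin": False,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "kiosk01@contoso.example", "isAdmin": False,
     "methodsRegistered": []},
]


def classify(user):
    """Return the rollout bucket a single registration record falls into."""
    methods = set(user.get("methodsRegistered", []))
    if user.get("isAdmin") and not methods & PHISHING_RESISTANT:
        return "admin-needs-fido2"           # step 4 not yet satisfied
    if methods & PASSWORDLESS:
        return "ready-to-remove-password"    # step 5 candidate
    if methods:
        return "mfa-only"                    # step 1 done, step 2 pending
    return "unregistered"                    # holdout or not yet onboarded


def rollout_report(users):
    """Group user principal names by rollout bucket, preserving input order."""
    report = {}
    for user in users:
        report.setdefault(classify(user), []).append(user["userPrincipalName"])
    return report


if __name__ == "__main__":
    for bucket, upns in sorted(rollout_report(SAMPLE_USERS).items()):
        print(f"{bucket}: {', '.join(upns)}")
```

Users in the `admin-needs-fido2` bucket are the ones to issue keys to before any password removal, and `unregistered` accounts should be cross-checked against the holdout list below rather than assumed to be stragglers.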

Holdouts

A few scenarios still need password fallback: shared/kiosk devices, frontline workers on shared phones, legacy apps. Plan for these as exceptions, not defaults.

Passwordless isn't a future technology in 2026 — it's a current best practice with mature tooling.