Unit 2: Administer FIDO2 and Passwordless Authentication Methods
Overview
Historically, users signed in with just a username and password. Modern security guidance is to either supplement passwords with MFA or replace them with passwordless methods.
Passwordless methods (Windows Hello for Business, FIDO2 security keys, Microsoft Authenticator app) provide the most secure sign-in events.
MFA adds extra security when passwords are still used. Users might:
- Approve a push notification.
- Enter a one-time code from a software or hardware token.
- Enter a verification code sent by SMS or phone call.
Microsoft recommends:
- Combined registration for MFA + SSPR.
- Requiring users to register multiple authentication methods so they have backup options.
Authentication Method Strength and Security
When deploying MFA and passwordless, you must choose methods that meet your requirements for security, usability, and availability.
Security ranking:
| Authentication method | Security | Usability | Availability |
|---|---|---|---|
| Windows Hello for Business | High | High | High |
| Microsoft Authenticator app | High | High | High |
| FIDO2 security key | High | High | High |
| OATH hardware tokens (preview) | Medium | Medium | High |
| OATH software tokens | Medium | Medium | High |
| SMS | Medium | High | Medium |
| Voice | Medium | Medium | Medium |
| Password | Low | High | High |
Tip for the exam.
Microsoft recommends the Microsoft Authenticator app as the most flexible option because it supports:
- Passwordless sign-in.
- Push notifications for MFA.
- OATH codes as backup.
Primary vs Secondary Authentication
Some authentication methods can be used as primary authentication (sign-in without a password), while others are limited to secondary authentication for MFA or SSPR.
| Authentication Method | Primary Authentication (Passwordless sign-in) | Secondary Authentication (MFA / SSPR) |
|---|---|---|
| Windows Hello for Business | ✔️ | MFA |
| Microsoft Authenticator app | ✔️ (Preview) | MFA, SSPR |
| FIDO2 security key | ✔️ | MFA |
| OATH hardware token | ❌ | MFA, SSPR |
| OATH software token | ❌ | MFA, SSPR |
| Text message (SMS) | ✔️ (Preview) | MFA, SSPR |
| Voice call | ❌ | MFA, SSPR |
| Password | ✔️ | Not applicable |
Note: Features marked as Preview may have limited availability, may require explicit enablement, and are subject to change. For exams, understand the concept rather than relying on preview features as the default behavior.
Note.
In Microsoft Entra ID you cannot disable passwords as a primary method. If passwords are used, you should increase security by requiring MFA.
🔍 Why Windows Hello for Business Doesn’t Support SSPR
Windows Hello for Business (WHfB) is:
- A primary authentication method that uses biometrics or PIN tied to a device and backed by a key pair.
- Device-bound: The credential lives in the TPM or secure enclave of the device.
But here's the catch:
- SSPR requires a cloud-accessible method to verify identity when the user can’t sign in.
- WHfB can’t be used in SSPR because it’s not available outside the device—you can’t use it to reset your password if you’re locked out.
The same applies to a FIDO2 security key: it is also device-bound and not cloud-aware.
🧠 Why Microsoft Authenticator Supports SSPR
- Authenticator app is cloud-aware and device-independent.
- During SSPR, Microsoft can send a verification prompt or code to the app.
- This allows the user to prove identity and reset password, even if they’re locked out of their device.
Additional verification methods for specific scenarios:
- App passwords.
  - For legacy apps that do not support modern authentication.
  - Used with per-user MFA.
- Security questions.
  - Only used for SSPR.
- Email address.
  - Only used for SSPR.
What is FIDO2
FIDO2 comes from the FIDO (Fast IDentity Online) Alliance. The goal is to reduce passwords and move to open standards for strong authentication.
Key points:
- FIDO2 incorporates the WebAuthn specification.
- Users register a FIDO2 security key and then select it at sign-in.
- Security keys are typically USB devices, but can also be Bluetooth or NFC.
- Authentication is handled by the hardware device.
FIDO2 security keys can be used to sign in to:
- Microsoft Entra ID.
- Hybrid Entra joined Windows 10 or 11 devices.
- Supported browsers.
- Cloud and on-premises resources (SSO).
FIDO2 security keys are ideal for:
- Highly security-sensitive enterprises.
- Scenarios where users cannot or do not want to use a phone as a second factor.
Remember these exam phrases:
- FIDO2 security keys are an unphishable, specification-based passwordless authentication method.
- FIDO allows sign-in without username and password, using external or platform keys.
The second bullet point above means:
- FIDO2 supports two types of authenticators:
  - External keys (e.g., USB/NFC/BLE security keys like YubiKey).
  - Platform keys (e.g., Windows Hello for Business, Android biometrics).
So even if you are not using a physical FIDO2 key, you are still using the FIDO2 protocol when you sign in with a platform-bound credential that supports WebAuthn.
🔐 Platform Keys (Device-Bound)
- Stored in the device’s secure enclave or TPM.
- Examples:
  - Windows Hello for Business (TPM-backed key)
  - Android biometric credential (e.g., fingerprint)
  - macOS Touch ID (WebAuthn support)
- Non-portable: You can’t take the credential to another device.
- Managed by the OS: The platform handles key generation, storage, and attestation.
- Ideal for single-user, corporate-issued devices.
Think of it as: “The device is the key.”
🔐 External Keys (Roaming)
- Stored on a physical FIDO2 security key:
  - USB (YubiKey, Feitian)
  - NFC (tap on phone)
  - BLE (Bluetooth)
- Portable: You can use the same key across multiple devices.
- User-managed: You register the key in Entra ID, and it carries its own private key.
- Ideal for roaming users, shared workstations, or BYOD setups.
Think of it as: “You carry the key.”
Enable FIDO2 Security Key Method
Steps in Microsoft Entra admin center:
- Sign in to the Microsoft Entra admin center.
- Go to Protection > Authentication methods > Authentication method policy.
- Under FIDO2 Security Key, configure:
  - Enable: Yes or No.
  - Target: All users or Select users.
- Save the configuration.
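The same policy can be set from the Microsoft Graph PowerShell SDK, which is useful when you want the change scripted and reviewable. This is an added example, not part of the course notes or Microsoft's documentation; it assumes the Microsoft.Graph module is installed, and the AAGUID in the allow list is a placeholder you replace with the value published by your key vendor.

```powershell
# Added example: enable the FIDO2 security key method via Microsoft Graph,
# enforce attestation, and restrict registration to approved key models.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$fido2Uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

$policy = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"   # Enable: Yes
    isSelfServiceRegistrationEnabled = $true       # users may add keys from Security info
    isAttestationEnforced            = $true       # only keys that prove make/model via attestation
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = "allow"                  # allow list of approved key models
        # PLACEHOLDER AAGUID: replace with your vendor's published value
        aaGuids         = @("00000000-0000-0000-0000-000000000000")
    }
    includeTargets = @(
        # Target: All users (use a group object id instead to target selected users)
        @{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $fido2Uri `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Read the configuration back to confirm the settings took effect
$current = Invoke-MgGraphRequest -Method GET -Uri $fido2Uri
[pscustomobject]@{
    State               = $current.state
    AttestationEnforced = $current.isAttestationEnforced
    KeyRestriction      = $current.keyRestrictions.enforcementType
    AllowedAaGuids      = ($current.keyRestrictions.aaGuids -join ", ")
}
```

Enforcing attestation plus an AAGUID allow list is what keeps unvetted or counterfeit keys out of the tenant; with `isEnforced` set to false any FIDO2 authenticator can be registered.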
Manage User Registration and FIDO2 Keys
End user steps:
- Browse to https://myprofile.microsoft.com.
- Sign in and select Security info.
- If the user has at least one MFA method, they can immediately add a FIDO2 key.
  - If not, they must first register another MFA method.
- Select Add method, choose Security key.
- Choose USB device or NFC device.
- Insert or tap the key, select Next.
- Create or enter a PIN for the security key and perform the required gesture (biometric or touch).
- Give the key a meaningful name for identification.
- Select Done to finish.
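Once users have registered keys, an administrator can check who actually has one and whether each key passed attestation. This is an added example, not part of the course notes; it assumes the Microsoft.Graph module and read-only permission to users' authentication methods.

```powershell
# Added example: report registered FIDO2 keys per user (name given at
# registration, model, attestation result) and flag users with none.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

$report = foreach ($user in Get-MgUser -All -Property Id, UserPrincipalName) {
    $uri  = "https://graph.microsoft.com/v1.0/users/$($user.Id)/authentication/fido2Methods"
    $keys = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

    if (-not $keys) {
        # No key registered: this user still signs in with a password (plus MFA)
        [pscustomobject]@{
            User = $user.UserPrincipalName; KeyName = $null; Model = $null
            Attestation = "none registered"; Registered = $null
        }
        continue
    }

    foreach ($key in $keys) {
        [pscustomobject]@{
            User        = $user.UserPrincipalName
            KeyName     = $key.displayName       # the "meaningful name" chosen at registration
            Model       = $key.model
            Attestation = $key.attestationLevel  # "attested" or "notAttested"
            Registered  = $key.createdDateTime
        }
    }
}

# Unattested keys and users without any key surface at the top of the list
$report | Sort-Object Attestation, User | Format-Table -AutoSize
```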
Sign In with FIDO2 (Passwordless)
- User has already provisioned their FIDO2 security key.
- In a supported browser on Windows 10 (1903 or later) or Windows 11, they choose to sign in using the security key.
- They use the key and PIN/gesture instead of a password.
Prerequisites for Cloud-Only Deployment (FIDO2 / Passwordless)
- Windows 10 version 1511 or later, or Windows 11.
- Azure account and Microsoft Entra ID.
- Multifactor authentication enabled.
- Modern management (optional) using Intune or supported third-party MDM.
- Microsoft Entra ID Premium subscription (optional but needed for automatic MDM enrollment during Entra join).