Cybersecurity · 9 min read

Passwordless Authentication in the Enterprise: Entra ID + FIDO2 Implementation Guide

A practical guide to deploying passwordless authentication with Microsoft Entra ID, FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator passkeys.


Passwords are the largest attack surface in enterprise identity. Credential phishing, brute force, credential stuffing and password spray all exploit the same weakness, and together they account for the large majority of identity-related breaches. Passwordless authentication removes the password from the sign-in path: once a Conditional Access policy accepts only phishing-resistant methods, a leaked, guessed or phished password is no longer enough to sign in.

This guide covers the three Microsoft-supported passwordless methods, provides a phased rollout strategy, and includes the Conditional Access policy configurations to enforce them across your enterprise.

The Three Passwordless Methods

Microsoft Entra ID supports three passwordless authentication methods. Each has different hardware requirements, user experiences, and deployment characteristics.

FIDO2 Security Keys

FIDO2 security keys are physical hardware tokens that generate and hold the private keys of the user's credentials in tamper-resistant hardware; only the public key ever leaves the key. They connect via USB, NFC, or Bluetooth.

Best for: Shared workstation environments, highly privileged accounts, users who move between devices frequently, regulated environments requiring hardware-bound credentials.

Supported keys: YubiKey 5 series, Feitian BioPass, AuthenTrend, HID Crescendo, and any FIDO2-certified key on the FIDO Alliance certified products list.

How it works:

  1. User opens the Entra ID sign-in page and chooses "Sign-in options" > "Sign in with a security key" (or enters a username first; with a discoverable credential on the key the username is not needed)
  2. The browser asks the key for an assertion for the relying party ID login.microsoft.com, carrying a fresh challenge issued by Entra ID
  3. User inserts the key (USB) or taps it (NFC) and provides the user-verification gesture (key PIN or biometric on the key)
  4. The key signs the challenge, the hash of the relying party ID and the origin the browser actually saw, using the private key it holds for that relying party
  5. Entra ID checks the origin and the challenge, then verifies the signature with the public key registered at enrollment
  6. Authentication completes — no password is involved at any point

Security properties:

  • Phishing-resistant: the credential is scoped to the relying party ID. The browser will not offer it to a page on another domain, and the signed response includes the origin the browser saw, so a look-alike page or a reverse-proxy phishing kit (the kind that defeats OTP codes and push approvals) gets nothing it can forward to the real service
  • Replay-proof: every sign-in signs a fresh, server-issued challenge, so a captured response is useless later
  • Hardware-bound: the private key is generated on the security key and cannot be exported from it
  • No shared secrets: Entra ID stores only the public key, so a breach of the identity provider's credential store yields nothing that can be used to sign in
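To make the origin-binding and fresh-challenge properties concrete, the following is an added example (not code from the original post and not Microsoft's implementation) of the relying-party side of a WebAuthn assertion. P-256 ECDSA is implemented in pure Python so the file runs offline; a real relying party uses a vetted library. The relying party ID login.microsoft.com is Entra ID's real one; the phishing origin, the counters and the challenges are constructed for the illustration.

```python
"""Added example (not from the original post): a minimal WebAuthn/FIDO2
assertion verifier showing the origin-binding and fresh-challenge checks a
relying party makes.  P-256 ECDSA is implemented in pure Python so the file
runs offline; a real relying party uses a vetted library.  The relying party
ID login.microsoft.com is Entra ID's; the phishing origin is constructed."""
import base64, hashlib, json, os, secrets

# NIST P-256 parameters; affine point arithmetic, illustration only (not constant-time).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None            # Q + (-Q) = point at infinity
    if p1 == p2: lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P   # curve coefficient a = -3
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)                  # (private scalar, public point)

def ecdsa_sign(d, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s: return (r, s)

def ecdsa_verify(q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

RP_ID = "login.microsoft.com"                       # Entra ID relying party ID
ALLOWED_ORIGINS = {"https://login.microsoft.com"}   # origins the RP accepts in clientDataJSON

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def authenticator_get(priv, rp_id, origin, challenge, counter):
    """What the key does for navigator.credentials.get(): the *browser* fills in the
    origin it is actually on, and the key signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64u(challenge),
                              "origin": origin}).encode()
    flags = 0x01 | 0x04                              # UP (touch) | UV (PIN/biometric on the key)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")
    sig = ecdsa_sign(priv, auth_data + hashlib.sha256(client_data).digest())
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def rp_verify(pub, stored_counter, expected_challenge, assertion):
    """Relying-party checks (simplified from the WebAuthn spec). Returns 'ok' or the reason."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":                    return "bad type"
    if cd.get("challenge") != b64u(expected_challenge):      return "challenge mismatch (replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:              return "origin not allowed (phishing)"
    ad = assertion["auth_data"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():   return "rpIdHash mismatch"
    if ad[32] & 0x05 != 0x05:                                return "user presence/verification missing"
    if int.from_bytes(ad[33:37], "big") <= stored_counter:   return "signature counter did not increase"
    signed = ad + hashlib.sha256(assertion["client_data"]).digest()
    return "ok" if ecdsa_verify(pub, signed, assertion["sig"]) else "bad signature"

def demo():
    priv, pub = keygen()              # registration: RP stores pub; priv never leaves the key
    c1 = os.urandom(32)
    good = authenticator_get(priv, RP_ID, "https://login.microsoft.com", c1, 1)
    ok = rp_verify(pub, 0, c1, good)
    c2 = os.urandom(32)               # next sign-in: RP issues a fresh challenge
    replay = rp_verify(pub, 1, c2, good)          # captured assertion replayed later
    phish = authenticator_get(priv, RP_ID, "https://login.microsoft-sso.example", c2, 2)
    phished = rp_verify(pub, 1, c2, phish)        # proxy phishing page relaying the RP's challenge
    return ok, replay, phished

if __name__ == "__main__":
    print(demo())
```

In practice the phishing case never even reaches the server: a browser on login.microsoft-sso.example is not allowed to request an assertion for the relying party ID login.microsoft.com, and if the page asks for its own relying party ID the key simply has no credential for it. The origin check in rp_verify is the server-side backstop for the same rule, which is why a relayed challenge does the attacker no good.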

Windows Hello for Business

Windows Hello for Business replaces the password with a device-bound asymmetric credential that is unlocked by a biometric (face, fingerprint) or a device-specific PIN. The private key is generated and protected in the device's TPM (a TPM 2.0 is strongly recommended; without one the key is only software-protected and the hardware-bound property is lost).

Best for: Users who primarily work from a single device, corporate-managed laptops and desktops, organisations already managing devices through Intune.

How it works:

  1. During enrollment, a key pair is generated inside the device's TPM
  2. The public key is registered with Entra ID
  3. At sign-in, the user provides a biometric or PIN
  4. The successful gesture authorises the TPM to sign the authentication challenge; the private key never leaves the TPM
  5. Entra ID verifies the signature with the registered public key

Security properties:

  • Phishing-resistant: the key-based sign-in is bound to Entra ID, and Microsoft classes it as phishing-resistant MFA alongside FIDO2
  • Device-bound: the credential cannot be used from another device
  • Biometric data never leaves the device: the biometric template is stored locally and matched by Windows, and the TPM only holds the key that a successful match unlocks. The PIN is likewise local and is never transmitted to Entra ID

Microsoft Authenticator Passkeys

The Microsoft Authenticator app can hold device-bound passkeys (FIDO2 credentials created and kept in the phone's secure hardware, not synced to a cloud keychain) that enable passwordless, phishing-resistant sign-in from the phone or with the phone.

Best for: Mobile-first users, BYOD scenarios where hardware keys are impractical, transitional deployments where users are moving from push notifications to passkeys.

How it works:

  1. User registers a passkey in Authenticator (from https://mysecurityinfo.microsoft.com or from within the app); the private key is created in the phone's secure hardware
  2. At sign-in on the phone itself, the user picks the passkey option and unlocks it with a biometric or the device PIN
  3. At sign-in on a laptop or other device, the user chooses the passkey option for a phone, the sign-in page shows a QR code, the user scans it with the phone, and the browser and phone confirm proximity over Bluetooth (FIDO cross-device authentication; no push notification is involved, and Bluetooth must be on at both ends)
  4. The app signs the challenge with the stored passkey
  5. Entra ID verifies the signature and completes authentication

Security properties:

  • Phishing-resistant when used as a passkey (not the older push-notification or number-matching method, which a reverse-proxy phishing kit can relay)
  • Device-bound to the specific phone
  • Requires a biometric or device-PIN unlock: a stolen phone alone is insufficient

FIDO2 Authentication Flow

[Diagram: FIDO2 authentication flow (not reproduced here)]

Phased Rollout Strategy

Do not attempt a big-bang deployment. Passwordless requires changes to user behaviour, help desk processes, and Conditional Access policies. A phased approach reduces risk.

Phase 0: Foundation (Weeks 1-2)

Prerequisites:

  • Licensing: Conditional Access requires Entra ID P1 (included in P2); Privileged Identity Management requires P2 or Entra ID Governance. Passkey (FIDO2) registration and Temporary Access Pass are part of the authentication methods policy and do not depend on a premium licence; the Conditional Access policies that enforce them do
  • Intune enrollment for managed Windows devices (Windows Hello for Business is configured through Intune)
  • FIDO2 security keys procured: two per user in every phase (a primary and a backup), plus a small loaner pool for the help desk
  • Temporary Access Pass (TAP) policy configured in Entra ID

Enable authentication methods:

In Entra ID > Protection > Authentication methods > Policies, enable the passwordless methods for the pilot:

  • Passkey (FIDO2): enable for a target group (e.g., sg-passwordless-pilot). Turn on "Enforce attestation" if only FIDO-certified keys may be registered, and "Enforce key restrictions" with an allow-list of AAGUIDs if registration should be limited to specific key models
  • Windows Hello for Business: not an Authentication methods item; configure it through an Intune Windows Hello for Business device configuration profile (require a TPM, set PIN complexity, enable biometrics)
  • Microsoft Authenticator passkeys: governed by the same Passkey (FIDO2) policy. If key restrictions are enforced, add the Microsoft Authenticator AAGUIDs (Microsoft publishes one for Android and one for iOS) to the allow-list; the Authenticator method itself must also remain enabled for the target group

Configure Temporary Access Pass:

TAP is the recovery path for users who have lost every registered method, and it is also how a new user, or a user with no registered method, bootstraps their first passkey. Enable TAP in Authentication methods for the target group with these settings:

  • Minimum lifetime: 10 minutes
  • Maximum lifetime: 8 hours
  • Default lifetime: 1 hour
  • Require one-time use: leave off at the policy level so that enrollment sessions can use a multi-use pass; the help desk then sets one-time use on each individual pass it issues for account recovery (one-time use is a per-pass option whenever the policy does not force it)
  • Length: the default of 8 characters is adequate given the short lifetime

Phase 1: IT and Security Teams (Weeks 3-6)

Start with your own team. They understand the technology, can troubleshoot issues, and will provide honest feedback.

Enrollment process:

  1. User navigates to https://mysecurityinfo.microsoft.com
  2. Click "Add sign-in method" and select "Security key"
  3. Choose USB or NFC
  4. Insert the key, create a PIN (if first use), and touch the key to complete enrollment
  5. Repeat with a second backup key
  6. Optionally enroll Windows Hello for Business on their primary device

Conditional Access policy for the pilot, created through Microsoft Graph (POST /identity/conditionalAccess/policies) or the admin centre; it requires phishing-resistant MFA for the pilot group and starts in report-only mode:

JSON
{
  "displayName": "CA-Pilot-RequirePasswordless",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeGroups": ["<object ID of sg-passwordless-pilot>"],
      "excludeUsers": ["<object IDs of the break-glass accounts>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [],
    "authenticationStrength": {
      "id": "00000000-0000-0000-0000-000000000004",
      "displayName": "Phishing-resistant MFA"
    }
  }
}

The authentication strength ID 00000000-0000-0000-0000-000000000004 is the built-in "Phishing-resistant MFA" strength, which accepts FIDO2 security keys, Windows Hello for Business, passkeys in Microsoft Authenticator and certificate-based authentication. Two details matter here: includeGroups and excludeUsers take object IDs, not display names, so look up the pilot group's ID first; and the break-glass accounts are excluded, because a policy that can lock every administrator out must never apply to them. Leave the policy in report-only mode until the sign-in logs show no report-only failures for the pilot group, then change state to enabled.

Success criteria for Phase 1:

  • 100% of pilot users successfully enrolled with 2 FIDO2 keys
  • Users can sign in across all required applications
  • Help desk has processed at least 3 key-loss recovery scenarios
  • Average enrollment time documented
  • Edge cases and incompatible applications identified

Phase 2: Privileged Users (Weeks 7-10)

Expand to all Global Administrators, Security Administrators, and users with standing or eligible privileged roles.

Additional Conditional Access policy — require phishing-resistant MFA for the privileged directory roles:

JSON
{
  "displayName": "CA-Admin-PhishingResistantMFA",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeRoles": [
        "62e90394-69f5-4237-9190-012177145e10",
        "194ae4cb-b126-40b2-bd5b-6091b380977d",
        "e8611ab8-c189-46e8-94e1-60213ab1f814",
        "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",
        "29232cdf-9323-42fd-ade2-1d097af3e4de",
        "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"
      ],
      "excludeUsers": ["<object IDs of the break-glass accounts>"]
    },
    "applications": {
      "includeApplications": ["All"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [],
    "authenticationStrength": {
      "id": "00000000-0000-0000-0000-000000000004"
    }
  }
}

The role template IDs above are, in order: Global Administrator (62e90394-…), Security Administrator (194ae4cb-…), Privileged Role Administrator (e8611ab8-…), SharePoint Administrator (f28a1f50-…), Exchange Administrator (29232cdf-…) and Conditional Access Administrator (b1be1c3e-…). Extend the list with whatever other roles your organisation treats as privileged. Role targeting follows role assignment, so before enabling the policy test it in report-only mode with one actively assigned and one PIM-eligible administrator and confirm in the sign-in logs that both are evaluated as expected; and, as with the pilot policy, exclude the break-glass accounts.

Phase 3: General Population (Weeks 11-20)

Roll out department by department. Use the registration campaign in the Authentication methods policy to nudge users in the target group to register a passkey at sign-in, with a snooze limit so that the prompt eventually becomes mandatory.

Enrollment support:

  • Schedule in-person enrollment sessions (15 minutes per user)
  • Provide a self-service guide with screenshots
  • Staff extra help desk coverage during the first two weeks of each department wave
  • Use Temporary Access Pass for users who need same-day enrollment

Gradual enforcement:

  1. Week 1-2: Enable the passkey method for the department group and have users register their keys (system-preferred MFA already prompts for the strongest registered method, so enrolled users start using the key immediately)
  2. Week 3-4: Add the department group to the "Require phishing-resistant MFA" policy in report-only mode; review the report-only failures in the sign-in logs and the Conditional Access insights workbook to find users still signing in with a password and applications that break. Conditional Access has no "prefer passwordless" grant control, so report-only is the soft-enforcement step
  3. Week 5+: Switch the policy to enabled for the department group

Rollout Timeline Overview

[Diagram: rollout timeline overview (not reproduced here)]

Phase 4: Enforce and Clean Up (Weeks 21-24)

  • Move all users to the "Require phishing-resistant MFA" Conditional Access policy
  • Remove weaker registered methods (SMS, voice call and eventually push notifications) from users who have enrolled a passwordless method, and disable those methods in the authentication methods policy
  • Review and close any temporary exceptions
  • Retire Conditional Access policies that grant access on a password plus a weaker MFA method; keep the policy that blocks legacy authentication protocols, since basic-auth clients bypass MFA entirely

Fallback Scenarios

User loses both FIDO2 keys

  1. User contacts help desk
  2. Help desk verifies identity through an out-of-band process (manager confirmation, or in-person or video verification against a photo ID); do not fall back to knowledge-based questions, which are exactly the data an attacker collects before calling the help desk
  3. Help desk issues a Temporary Access Pass
  4. User logs in with TAP and enrolls new FIDO2 keys at https://mysecurityinfo.microsoft.com
  5. The lost keys are deleted from the user's registered methods at the same time the TAP is issued, and the user's sign-in sessions are revoked, so the old keys cannot be used if they turn up in the wrong hands

Application does not support passwordless

Some applications still require a password. Handle these case by case:

  • Entra ID Application Proxy with pre-authentication: the user authenticates passwordlessly to Entra ID, and the connector performs Kerberos constrained delegation or header-based sign-on to the legacy application
  • Microsoft Entra Domain Services (formerly Azure AD Domain Services) for applications that require Kerberos or NTLM; note that both protocols are derived from the user's password hash, so the password still exists and must still be managed for these users
  • On hybrid-joined Windows devices, Microsoft Entra Kerberos (cloud Kerberos trust) lets a FIDO2 or Windows Hello sign-in obtain an on-premises Kerberos ticket without the user ever typing a password
  • Password writeback for hybrid scenarios where an on-premises AD password is still needed temporarily
  • An exception Conditional Access policy scoped only to the specific legacy application that allows password + MFA, time-boxed and reviewed again in Phase 4

Shared workstation without biometric hardware

FIDO2 security keys are ideal here. Users tap their key and enter the key PIN. No biometric hardware required on the workstation. For NFC-enabled keys, users simply tap against an NFC reader — enrollment and authentication take seconds.

Help Desk Impact

Plan for these patterns during rollout (rough planning figures from previous rollouts; measure your own):

  • First two weeks: 15-20% of newly enrolled users contact the help desk with questions about the new sign-in experience
  • Key loss: roughly 2-5% of keys per year, which is why every user carries a backup key
  • FIDO2 key PIN resets: 3-5% of users per quarter. A forgotten key PIN cannot be recovered; the key is reset (wiping its credentials) and re-registered, so treat this as a key-loss case
  • Common confusion: users trying passwordless on a device where they have not registered Windows Hello, and users inserting the USB key before the browser prompts for it

Train help desk on:

  1. How to issue and revoke Temporary Access Passes
  2. How to guide users through self-service key enrollment
  3. How to identify and escalate potential account compromise (versus legitimate access issues)
  4. How to check a user's registered authentication methods in Entra ID
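Checking registered methods is also the Phase 1 success criterion (every pilot user with two FIDO2 keys) in executable form. The following is an added example (not code from the original post and not a Microsoft tool) that reads each user's registered methods as returned by Microsoft Graph (GET /users/{id}/authentication/methods, with the @odata.type names Graph uses) and reports who is not ready to be moved under the phishing-resistant policy. The fetch function is injected so the code runs offline against constructed responses; the user names and the paging token are constructed.

```python
"""Added example (not from the original post): pre-enforcement readiness check
for a group, driven by each user's registered authentication methods as
returned by Microsoft Graph (GET /users/{id}/authentication/methods).  The
fetch function is injected so the code runs offline against constructed
responses; in production pass one that performs an authenticated GET."""
FIDO2 = "#microsoft.graph.fido2AuthenticationMethod"
WHFB = "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
PHONE = "#microsoft.graph.phoneAuthenticationMethod"            # SMS / voice call
TAP = "#microsoft.graph.temporaryAccessPassAuthenticationMethod"
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"
GRAPH = "https://graph.microsoft.com/v1.0/users/{}/authentication/methods"

def registered_methods(user, fetch):
    """Return every method object for the user, following @odata.nextLink if present."""
    url, methods = GRAPH.format(user), []
    while url:
        page = fetch(url)
        methods.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return methods

def assess(methods, min_keys=2):
    """Decide whether a user can be moved under the phishing-resistant policy."""
    types = [m["@odata.type"] for m in methods]
    keys = types.count(FIDO2)
    issues = []
    if keys < min_keys:
        issues.append(f"only {keys} FIDO2 key(s) registered, need {min_keys}")
    if keys == 0 and WHFB not in types:
        issues.append("no phishing-resistant method: user would be locked out")
    if PHONE in types:
        issues.append("SMS/voice still registered: remove before enforcement")
    if TAP in types:
        issues.append("unexpired Temporary Access Pass present")
    return {"fido2_keys": keys, "ready": not issues, "issues": issues}

def readiness_report(users, fetch):
    return {u: assess(registered_methods(u, fetch)) for u in users}

# Constructed Graph responses; alice's list is split over two pages to exercise paging.
FAKE_GRAPH = {
    GRAPH.format("alice"): {"value": [{"@odata.type": FIDO2, "displayName": "YubiKey (primary)"}],
                            "@odata.nextLink": GRAPH.format("alice") + "?$skiptoken=page2"},
    GRAPH.format("alice") + "?$skiptoken=page2": {"value": [
        {"@odata.type": FIDO2, "displayName": "YubiKey (backup)"}, {"@odata.type": PASSWORD}]},
    GRAPH.format("bob"): {"value": [{"@odata.type": FIDO2, "displayName": "Feitian BioPass"},
                                    {"@odata.type": PHONE, "phoneType": "mobile"}, {"@odata.type": PASSWORD}]},
    GRAPH.format("carol"): {"value": [{"@odata.type": PASSWORD}]},
}

def fake_fetch(url):
    return FAKE_GRAPH[url]

if __name__ == "__main__":
    for user, result in readiness_report(["alice", "bob", "carol"], fake_fetch).items():
        print(user, result)
```

Run it against a department group the day before that group moves from report-only to enforced: anyone flagged "would be locked out" gets a Temporary Access Pass and an enrollment slot instead of a blocked Monday morning, and anyone with SMS still registered gets it removed so the weaker method is not left lying around.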

Measuring Success

Track these metrics monthly:

  • Passwordless sign-in percentage: target 90%+ within 6 months of enforcement; read it from the authentication method details in the sign-in logs, not from registration counts, because an enrolled user can still be signing in with a password from an unregistered device
  • Password-based sign-ins and password spray outcomes: with the phishing-resistant policy enforced, a sprayed or leaked password cannot complete a sign-in, so successful password-only sign-ins should reach zero for enforced users. Keep watching failed password attempts, because the password still exists as a first factor and is still being attacked
  • Help desk ticket volume for authentication issues: should decrease after the initial rollout spike
  • Mean time to resolve authentication issues: should decrease as processes mature
  • User satisfaction scores: survey users at 1, 3 and 6 months post-enrollment

Conclusion

Passwordless authentication is the single most impactful identity control most enterprises can deploy. It removes the password from the sign-in path, improves the user experience (nothing to remember or rotate), and provides the phishing-resistant MFA that supervisors under DORA and NIS2, as well as most cyber insurance questionnaires, increasingly expect for privileged and remote access.

The implementation requires planning, change management, and patience. But the security outcome is transformative.

If you need help designing and executing a passwordless rollout for your organisation, contact us at mbrahim@conceptualise.de. We have guided enterprises through this transition and know where the pitfalls hide.

Topics

passwordless authentication · FIDO2 security keys · Windows Hello for Business · Entra ID passkeys · phishing-resistant MFA

Frequently Asked Questions

FIDO2 is an authentication standard that uses public-key cryptography with credentials scoped to a relying party (domain). Unlike SMS codes or push notifications, it is phishing-resistant: the browser only offers the credential to the domain it was registered for, and the signed response includes the origin the browser actually saw, so a look-alike or proxying phishing page has nothing it can forward to the real service. Even if a user lands on a convincing phishing page, the FIDO2 key will not authenticate to the wrong origin.
