Drive passwordless authentication method usage
Implementation Effort: Medium – IT teams need to enable passwordless methods in Microsoft Entra ID, configure Conditional Access to require their use, monitor registration and sign-in activity, and take action to drive adoption across the organization.
User Impact: Medium – Users must register a passwordless method, like Windows Hello for Business, Microsoft Authenticator or a FIDO2 security key, and learn how to use it for sign-in. Most users will already be familiar with similar tools from MFA.
Overview
Encouraging users to register and use passwordless sign-in methods like Microsoft Authenticator or FIDO2 security keys improves both security and the login experience. These methods are resistant to phishing because they tie the sign-in to a specific device and require something the user has, like a fingerprint or PIN. This supports the Zero Trust principle of "Verify explicitly" by checking multiple strong signals at sign-in, and the principle of "Assume breach" by making it harder for threat actors to succeed even if they have a username.
Driving usage goes beyond just turning on the feature. IT teams must track how many users have registered passwordless methods, report progress to leadership, and set Conditional Access policies that require these methods—especially for sensitive apps or roles. Without this effort, users may fall back to using passwords, which remain a top target for attackers.
Reference
- Plan a passwordless authentication deployment in Microsoft Entra ID
- Enable passwordless sign-in with Microsoft Authenticator
- Enable passkeys (FIDO2) for your organization
- Manage authentication methods - Microsoft Entra ID
- Configure a Temporary Access Pass in Microsoft Entra ID to register passwordless authentication methods