
Passwordless Authentication

25 mins

Understanding the Concept

Passwordless authentication eliminates the password entirely, replacing it with stronger, more convenient methods. Microsoft supports three passwordless methods: Microsoft Authenticator (phone sign-in), FIDO2 security keys, and Windows Hello for Business.

Microsoft Authenticator passwordless works by sending a number-matching push notification to the user's phone. The user matches the number displayed on screen, then provides biometric or PIN verification on the device. This is both more secure and faster than password + MFA.

FIDO2 security keys (like YubiKey) provide the highest level of phishing resistance. They use public key cryptography bound to the specific site origin: the browser records the origin in the signed client data and the key never signs for a site it was not registered with, so an assertion captured on a look-alike site is useless to the attacker. This is what makes them immune to credential phishing. Windows Hello for Business provides a similar level of security tied to the user's Windows device.

Key Points

  • Authenticator Passwordless: Number matching + biometric on the phone
  • FIDO2 Keys: Hardware tokens with phishing-resistant cryptographic auth
  • Windows Hello for Business: Device-bound biometric or PIN authentication
  • All passwordless methods are considered multi-factor (device + biometric/PIN)
  • Phishing-resistant: FIDO2 and WHfB are immune to credential phishing

Passwordless Authentication Flow

Step 1: Enter Username
User provides username only - no password needed

Step 2: Challenge Sent
Number match sent to Authenticator or FIDO2 prompt

Step 3: Local Verify
User provides biometric or PIN on device

Step 4: Crypto Exchange
Public key cryptography validates the authentication

Step 5: Signed In
User gains access without ever typing a password
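The relying-party side of Step 4, as an added example that is not part of this lesson or of any Microsoft code: a simplified WebAuthn assertion check showing why FIDO2 resists phishing. The origin string, challenge value and authenticator data are constructed placeholders, and the Scenario helper stands in for a browser and security key.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData is the clientDataJSON subset the RP checks; the browser (not the key) fills Origin, so a look-alike page cannot forge it.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedMessage is what the FIDO2 authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}

// VerifyAssertion is the RP side of Step 4: challenge freshness, origin binding, signature under the registered key.
func VerifyAssertion(pub *ecdsa.PublicKey, authData, clientDataJSON, sig []byte, wantChallenge, wantOrigin string) error {
	var cd ClientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != wantChallenge {
		return fmt.Errorf("wrong ceremony type or stale/replayed challenge")
	}
	if cd.Origin != wantOrigin {
		return fmt.Errorf("origin mismatch: assertion was made for %s, not %s", cd.Origin, wantOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, clientDataJSON), sig) {
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	return nil
}

// Scenario simulates one sign-in with constructed data: assertion made on pageOrigin, RP expecting rpOrigin.
func Scenario(pageOrigin, rpOrigin string) error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key pair created at registration; errors ignored, demo only
	cdj, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: "c2VydmVyLW5vbmNl", Origin: pageOrigin})
	authData := []byte("constructed-authenticator-data") // a real value starts with SHA-256(rpId) and flag bits
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdj))
	return VerifyAssertion(&priv.PublicKey, authData, cdj, sig, "c2VydmVyLW5vbmNl", rpOrigin)
}
```

A sign-in completed on the genuine origin verifies; the same key, challenge and signature produced on a look-alike origin are rejected before the signature is even checked.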

Why This Matters in Real Organizations

Passwords are the weakest link in identity security - they can be guessed, phished, stolen, or sprayed. Passwordless methods are both more secure AND provide a better user experience. Microsoft's own internal deployment of passwordless eliminated over 99% of password-related helpdesk tickets.

Common Mistakes to Avoid

  • Enabling passwordless but not disabling password as a fallback method
  • Not planning the FIDO2 key distribution and recovery process
  • Deploying Windows Hello for Business without proper device management
  • Using passwordless authentication but not enabling number matching in Authenticator

Interview Tips

  • Compare the three passwordless methods and when to use each
  • Explain what makes FIDO2 phishing-resistant at a technical level
  • Discuss the user experience improvements of passwordless

Exam Tips (SC-300)

  • Know the three passwordless methods and their requirements
  • Understand which methods are phishing-resistant and which are not
  • Know how to enable passwordless in the authentication methods policy
