Passwordless Authentication for Small Businesses in Berlin: Microsoft Authenticator, FIDO2, and Windows Hello
Stolen, guessed, or reused passwords are involved in the large majority of account breaches (commonly cited at over 80 %). Microsoft Authenticator phone sign-in, FIDO2 security keys, and Windows Hello for Business remove the password from the sign-in flow without adding complexity for users. This guide shows Berlin SMBs how to make the switch, and where to be careful.
Why this matters: Password spray attacks, credential stuffing, and credential phishing succeed because passwords are shared secrets that humans reuse, write down, and forget. Passwordless authentication replaces the shared secret with a cryptographic proof of possession of a physical device: a private key that never leaves the phone, the TPM, or the security key. There is nothing to guess or spray, and with the origin-bound methods (FIDO2 keys and Windows Hello for Business) there is nothing to phish either.
The Three Passwordless Options in Microsoft 365
| Method | How It Works | Best For | Hardware Required | Phishing-Resistant (Entra authentication strength) |
|---|---|---|---|---|
| Microsoft Authenticator App | Push notification with number matching to smartphone | All users with smartphones; lowest deployment friction | Smartphone (iOS/Android) | No. Counts as "Passwordless MFA", not "Phishing-resistant MFA": the approval is not bound to the site the user is on, so a real-time relay can still get a push approved. Device-bound passkeys in the Authenticator app do qualify. |
| Windows Hello for Business | Biometric (face/fingerprint) or PIN unlocks a key held in the device TPM | Managed Windows 10/11 devices, Entra joined and enrolled in Intune | TPM 2.0 (required for new Windows devices since 2016) | Yes (origin-bound signature, key in TPM) |
| FIDO2 Security Keys | Physical USB/NFC key with cryptographic attestation | Shared workstations, high-value accounts, users without smartphones | FIDO2 key (YubiKey, etc., approx. €25–€60/key) | Yes (origin-bound signature, key in the security key) |
How Passwordless Authentication Works: The Cryptographic Basis
All three methods use asymmetric cryptography (public/private key pairs) rather than shared secrets. When a user registers a device or security key, a private key is generated and stored in hardware-backed key storage: the TPM on a Windows device, the Secure Enclave or hardware keystore of a smartphone, or the secure element of a FIDO2 key. The private key never leaves that hardware. When the user authenticates, they prove possession of the private key by signing a fresh challenge from Entra ID, without transmitting the key itself. There is no password to steal, no hash to crack, no credential to phish.
This is why passwordless is more secure than traditional MFA, with one important distinction between the three methods. TOTP codes (the six-digit codes from authenticator apps) can be phished in real time: an attacker-in-the-middle captures the code and replays it within its 30-second validity window. FIDO2 and Windows Hello for Business assertions cannot be replayed or relayed, because the signed data contains both the one-time challenge for this session and the origin (domain) the browser was actually talking to: a sign-in on a phishing site spoofing Microsoft does not produce a valid signature for the real Microsoft endpoint, and the browser will not even offer the credential to a host whose name does not match. Microsoft Authenticator phone sign-in also uses a device-bound key and is immune to password attacks, but the approval is not bound to an origin: a phishing page that relays the genuine sign-in in real time can show the user the genuine number and get the push approved. That is why Microsoft classes FIDO2, Windows Hello for Business, device-bound passkeys in Authenticator, and certificate-based authentication as "Phishing-resistant MFA", and phone sign-in only as "Passwordless MFA". Phone sign-in is the right first step for most SMBs; the phishing-resistant methods are where admins and high-value accounts should end up.
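The origin binding described above, as an added example (not code from the original article): a toy model of the WebAuthn/FIDO2 exchange using .NET ECDSA from PowerShell, with the relying party, the browser, and the authenticator each played by a function. The relying-party origin is the real Entra sign-in host; the phishing host, the challenge bytes, and the simplified clientData layout are constructed for the demo, and the authenticator signs clientData directly where real FIDO2 signs authenticatorData concatenated with the SHA-256 of clientDataJSON.

```powershell
# Added example, not part of the original article. Toy WebAuthn flow with .NET ECDSA.
# Simplifications: the authenticator signs clientData directly, origins are constructed.
using namespace System.Security.Cryptography
using namespace System.Text

# Registration: the authenticator mints a P-256 key pair for this relying party.
# The private key stays inside $authenticator; the relying party stores only the public half.
$authenticator = [ECDsa]::Create([System.Security.Cryptography.ECCurve+NamedCurves]::nistP256)
$rpPublicKey   = [ECDsa]::Create($authenticator.ExportParameters($false))

function New-Challenge {
    # Relying-party side: 32 fresh random bytes for every sign-in attempt.
    $c = [byte[]]::new(32)
    [RandomNumberGenerator]::Create().GetBytes($c)
    return $c
}

function New-Assertion {
    # Client side. The browser builds clientData from the challenge AND the origin the page
    # was really loaded from; the authenticator signs it. The origin is inside the signature
    # and cannot be swapped afterwards.
    param([ECDsa]$Key, [byte[]]$Challenge, [string]$Origin)
    $json = '{{"type":"webauthn.get","challenge":"{0}","origin":"{1}"}}' -f [Convert]::ToBase64String($Challenge), $Origin
    $clientData = [Encoding]::UTF8.GetBytes($json)
    return @{
        ClientData = $clientData
        Signature  = $Key.SignData($clientData, [HashAlgorithmName]::SHA256)
    }
}

function Test-Assertion {
    # Relying-party side: valid signature, our challenge, our origin. All three or nothing.
    param([ECDsa]$PublicKey, [hashtable]$Assertion, [byte[]]$ExpectedChallenge, [string]$ExpectedOrigin)
    if (-not $PublicKey.VerifyData($Assertion.ClientData, $Assertion.Signature, [HashAlgorithmName]::SHA256)) {
        return 'rejected: signature does not verify'
    }
    $data = [Encoding]::UTF8.GetString($Assertion.ClientData) | ConvertFrom-Json
    if ($data.challenge -ne [Convert]::ToBase64String($ExpectedChallenge)) {
        return 'rejected: challenge mismatch (replay of an old assertion)'
    }
    if ($data.origin -ne $ExpectedOrigin) {
        return "rejected: signed for $($data.origin) (phishing relay)"
    }
    return 'accepted'
}

$rpOrigin = 'https://login.microsoftonline.com'

# 1. Genuine sign-in: the user is on the real origin.
$c1 = New-Challenge
$a1 = New-Assertion -Key $authenticator -Challenge $c1 -Origin $rpOrigin
Test-Assertion -PublicKey $rpPublicKey -Assertion $a1 -ExpectedChallenge $c1 -ExpectedOrigin $rpOrigin

# 2. Real-time phishing relay: the attacker's page forwards the genuine challenge, but the
#    browser stamps the page's real origin into clientData. (In practice the browser refuses
#    even earlier, because the credential's RP ID does not match the phishing host.)
$c2 = New-Challenge
$a2 = New-Assertion -Key $authenticator -Challenge $c2 -Origin 'https://login.microsoftonline.com.evil.example'
Test-Assertion -PublicKey $rpPublicKey -Assertion $a2 -ExpectedChallenge $c2 -ExpectedOrigin $rpOrigin

# 3. Replay: a captured assertion from step 1 is presented against a new challenge.
$c3 = New-Challenge
Test-Assertion -PublicKey $rpPublicKey -Assertion $a1 -ExpectedChallenge $c3 -ExpectedOrigin $rpOrigin
```

Only the first call returns `accepted`. The contrast with a TOTP code is the point: a six-digit code carries no information about where it was typed, so the relying party cannot tell a relayed code from a genuine one, whereas here the origin check fails before any policy decision is even needed.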
Step-by-Step: Enabling Passwordless with Microsoft Authenticator
Microsoft Authenticator passwordless sign-in (phone sign-in) is the lowest-friction starting point for most Berlin SMBs. Rollout steps:
- Enable the passwordless phone sign-in method: In the Microsoft Entra admin center, go to Protection > Authentication methods > Policies (Security > Authentication methods in the older Azure portal). Select Microsoft Authenticator, enable it for a pilot group first rather than all users, and set the authentication mode to Passwordless.
- Configure the push prompt: Number matching can no longer be switched off; Microsoft has enforced it for every tenant since May 2023, so users always type the number shown on the sign-in page into the app, which defeats MFA fatigue attacks that relied on blind approval. What you should still enable in the Authenticator settings is Show application name and Show geographic location in the notification, so users can recognise a request they did not start.
- Inform users and guide enrollment: Each user opens the Microsoft Authenticator app, taps their M365 account, and chooses the phone sign-in option. The phone needs a screen lock, and the app registers the device in Entra ID as part of setup. The process takes under two minutes per user; a brief written guide sent to all staff significantly reduces helpdesk calls.
- Test the sign-in flow: Users go to portal.microsoft.com, enter their email address and, instead of a password prompt, see a number to enter in the app; approving on the phone completes sign-in, which is faster than typing a password. Note that the password still exists on the account and the sign-in page offers "Use your password instead". To make that fallback unusable, add a Conditional Access policy requiring the built-in Passwordless MFA authentication strength once the pilot group has finished enrolling.
- Create a Conditional Access policy blocking legacy auth: Legacy authentication clients (ActiveSync, IMAP, POP, SMTP AUTH, old Office clients) cannot do passwordless and bypass it entirely. Block them in Conditional Access, starting in report-only mode so the sign-in logs reveal any remaining legacy clients before you enforce.
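The same rollout as Microsoft Graph PowerShell, added here as an example and not taken from the original article or from IT Experts Berlin's tooling. It assumes the Microsoft.Graph module is installed and that two groups exist with the placeholder names "Passwordless-Pilot" and "BreakGlass-Admins"; both Conditional Access policies are created in report-only state so nothing is enforced until you have read the sign-in logs.

```powershell
# Added example, not part of the original article. Requires the Microsoft.Graph module.
# Group names are placeholders; adjust to your tenant.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All'

$pilot      = Get-MgGroup -Filter "displayName eq 'Passwordless-Pilot'"
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Admins'"

# Steps 1 and 2: Authenticator for the pilot in passwordless mode ('deviceBasedPush' is what
# the portal labels "Passwordless"). Number matching is no longer a setting (enforced by
# Microsoft since May 2023); app name and sign-in location in the prompt can still be turned on.
$authenticatorConfig = @{
    '@odata.type'  = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    state          = 'enabled'
    includeTargets = @(@{
        '@odata.type'          = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodTarget'
        targetType             = 'group'
        id                     = $pilot.Id
        isRegistrationRequired = $false
        authenticationMode     = 'deviceBasedPush'
    })
    featureSettings = @{
        displayAppInformationRequiredState      = @{ state = 'enabled'; includeTarget = @{ targetType = 'group'; id = 'all_users' } }
        displayLocationInformationRequiredState = @{ state = 'enabled'; includeTarget = @{ targetType = 'group'; id = 'all_users' } }
    }
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'MicrosoftAuthenticator' -BodyParameter $authenticatorConfig

# Step 5: block legacy protocols. Report-only first; flip state to 'enabled' once the sign-in
# logs show no legitimate legacy clients. Break-glass accounts are excluded from every policy.
$legacyBlock = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        clientAppTypes = @('exchangeActiveSync', 'other')   # 'other' = IMAP, POP, SMTP AUTH, old Office
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyBlock

# Phone sign-in does not remove the password, and the sign-in page still offers
# "Use your password instead". Requiring the built-in "Passwordless MFA" authentication
# strength for the pilot makes password-based sign-in fail for them. Enforce only after every
# pilot user has completed phone sign-in setup, otherwise they are locked out.
$strength = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq 'Passwordless MFA'
$requirePasswordless = @{
    displayName   = 'Pilot: require passwordless MFA'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        applications = @{ includeApplications = @('All') }
        users        = @{ includeGroups = @($pilot.Id); excludeGroups = @($breakGlass.Id) }
    }
    grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $strength.Id } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requirePasswordless
```

When the pilot moves to admins and high-value accounts, swap the strength lookup to "Phishing-resistant MFA"; that strength excludes phone sign-in and accepts only FIDO2, Windows Hello for Business, device-bound passkeys and certificate-based authentication.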
Windows Hello for Business: Device-Bound Authentication
Windows Hello for Business extends passwordless sign-in to the Windows device login itself, eliminating the Windows password for managed endpoints. When users unlock their device with face recognition, fingerprint, or a device-specific PIN, the TPM-held key signs in to Entra ID at the same time and the device receives a Primary Refresh Token for SSO. The device must be Entra joined (or hybrid joined) and enrolled in Intune, with a Windows Hello for Business policy deployed via Intune:
- In Intune: Endpoint Security > Account Protection > Create Policy > Windows Hello for Business
- Set “Configure Windows Hello for Business” to Enabled
- Set “Use a Trusted Platform Module (TPM)” to Required: the Hello key is then generated inside the TPM and cannot be exported, and on a device without a usable TPM provisioning fails instead of silently falling back to a software-protected key
- Set minimum PIN length to 8 and decide whether letters and special characters are allowed or required (the PIN never leaves the device; it only unlocks the TPM key, so it is not exposed to online guessing)
- Enable biometric authentication if devices have compatible cameras or fingerprint readers
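A verification script for the enrolled device, added here as an example (not from the original article): it reads the TPM state via the built-in TrustedPlatformModule module and WMI, parses `dsregcmd /status`, and reports whether the device is Entra joined, whether the Hello key has been provisioned, whether the device key sits in the TPM, and whether the sign-in produced a Primary Refresh Token. Run it in an elevated PowerShell session on the Windows device after the Intune policy has applied.

```powershell
# Added example, not part of the original article. Run elevated on the enrolled Windows device.
function Get-WhfbStatus {
    # Get-Tpm comes from the TrustedPlatformModule module shipped with Windows 10/11.
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion

    # dsregcmd /status prints "Key : Value" lines grouped in sections; collect the keys.
    $ds = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $ds[$Matches[1]] = $Matches[2] }
    }

    [pscustomobject]@{
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        TpmSpec          = $spec                 # e.g. "2.0, 0, 1.59"; must start with 2.0
        AzureAdJoined    = $ds['AzureAdJoined']  # YES on an Entra-joined device
        HelloProvisioned = $ds['NgcSet']         # YES once this user has set up Hello on this device
        DeviceKeyInTpm   = $ds['TpmProtected']   # YES = device key is TPM-bound, NO = software key
        HasPrt           = $ds['AzureAdPrt']     # YES = the Hello sign-in obtained an Entra token for SSO
    }
}

$status = Get-WhfbStatus
$status

if (-not $status.TpmPresent -or -not $status.TpmReady) {
    Write-Warning 'No usable TPM: with the TPM setting on Required, Hello provisioning will fail on this device.'
}
if ($status.HelloProvisioned -ne 'YES') {
    Write-Warning 'Hello not provisioned yet: the user has not completed enrollment, or the Intune policy has not applied.'
}
if ($status.DeviceKeyInTpm -ne 'YES') {
    Write-Warning 'Device key is not TPM-protected; check the TPM policy and the TPM state before trusting this enrollment.'
}
```

The four `dsregcmd` fields are the ones helpdesk should look at first when a user reports that Hello "did not work": a missing `AzureAdPrt` with `NgcSet : YES` usually means the device was offline at sign-in, while `NgcSet : NO` after a policy push means provisioning never ran for that user.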
Once deployed, users sign in with face or fingerprint, get SSO into M365 applications, and see no password prompts. Because the credential is bound to the device, a user who moves to a new PC enrolls again there; the key on the old device should be wiped when it is retired. The UX improvement is significant: password-related helpdesk tickets (resets, lockouts, complexity complaints) fall sharply, and in our rollouts typically drop by 60–80 % within 90 days of full deployment.
FIDO2 Security Keys: When to Use Them
FIDO2 security keys are the right choice in three specific scenarios: shared workstations where multiple users log in on the same hardware (no biometric enrollment needed); users without personal smartphones or whose phones cannot run the Authenticator app; and high-privilege or high-value accounts (Global Administrators, Domain Admins, Finance) where the highest-assurance authentication is warranted regardless of cost. Entra ID requires FIDO2 (CTAP2) keys; older U2F-only keys cannot be used for passwordless sign-in. YubiKey 5 Series keys (€45–€60) are the most widely deployed option, and current-generation Google Titan keys also support FIDO2; Microsoft publishes a list of FIDO2 security key vendors tested with Entra ID. Enable the FIDO2 method in the Authentication methods policy, keep attestation enforced so only keys that can prove their make and model (AAGUID) can be registered, and treat every admin key as a credential: register a second key for each admin and keep it in the safe.
Temporary Access Pass: Bootstrapping Passwordless
A common deployment question is: how does a new employee register their first passwordless credential if they have no existing authentication method? The answer is Temporary Access Pass (TAP), a time-limited, optionally one-time passcode generated by an admin that satisfies strong authentication while it is valid, so the user can enroll a device, set up phone sign-in, or register a security key. Configure TAP in Entra ID Authentication Methods, generate one per new employee at onboarding, keep it one-time use, cap the lifetime at 8 hours, and hand it over in person or by phone. This replaces the insecure practice of emailing temporary passwords.
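The TAP and FIDO2 configuration from the two sections above as Microsoft Graph PowerShell, added here as an example and not from the original article: it sets the tenant-wide TAP policy (one-time use, 8-hour maximum), enables FIDO2 keys with attestation enforced, issues a TAP to a new hire, and lists the methods on the account afterwards so you can confirm the key is registered and the TAP is gone. The user principal name is a placeholder.

```powershell
# Added example, not part of the original article. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.ReadWrite.All'

# Tenant side: TAP enabled for everyone, one-time use by default, never longer than 8 hours.
$tapConfig = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    defaultLength            = 8
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 60
    maximumLifetimeInMinutes = 480
    isUsableOnce             = $true
    includeTargets           = @(@{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false })
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass' -BodyParameter $tapConfig

# FIDO2 keys: self-service registration on, attestation enforced so a key must prove its
# make and model (AAGUID) before Entra ID accepts it. keyRestrictions can later pin AAGUIDs.
$fido2Config = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationAllowed = $true
    isAttestationEnforced            = $true
    includeTargets                   = @(@{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false })
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Fido2' -BodyParameter $fido2Config

function New-OnboardingTap {
    # Per new hire: a one-time TAP valid from now. Hand it over in person or by phone; the
    # pass value is only ever returned by this call and cannot be retrieved again.
    param([string]$UserPrincipalName, [int]$LifetimeMinutes = 480)
    New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
        -LifetimeInMinutes $LifetimeMinutes -IsUsableOnce:$true
}

$upn = 'new.hire@contoso.example'   # placeholder
$tap = New-OnboardingTap -UserPrincipalName $upn
"TAP for $upn (valid $($tap.LifetimeInMinutes) min, one-time): $($tap.TemporaryAccessPass)"

# After the user has enrolled: what is on the account? Expect a fido2AuthenticationMethod
# (or microsoftAuthenticatorAuthenticationMethod) and no remaining temporaryAccessPass entry.
Get-MgUserAuthenticationMethod -UserId $upn |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' }
```

If a registered method list still shows `temporaryAccessPassAuthenticationMethod` after the user has a key or phone sign-in, the pass was multi-use or unused; remove it with `Remove-MgUserAuthenticationTemporaryAccessPassMethod` rather than waiting for expiry.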
How IT Experts Berlin Rolls Out Passwordless
Our passwordless rollout for Berlin SMBs follows a four-week timeline: week one covering tenant configuration (Authentication Methods policy, number matching, TAP setup); week two covering pilot group deployment with 10–20 early adopters and helpdesk script preparation; week three covering all-staff enrollment with written guide and optional drop-in sessions; week four covering legacy authentication block and post-deployment monitoring. Most 20–50 seat tenants complete full deployment with fewer than five helpdesk tickets. Contact us for a passwordless readiness assessment.