Passwordless sign-in

Diagram containing a list of security features.

Passwords are a fundamental part of digital security, but they're often inconvenient and vulnerable to cyberattacks. With Windows 11, users can enjoy passwordless protection, which offers a more secure and user-friendly alternative. After a secure authorization process, multiple layers of hardware and software security safeguard credentials, providing users with seamless, passwordless access to their apps and cloud services.

Windows Hello

Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their users and customers. Microsoft is committed to helping organizations move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.

Windows Hello can enable passwordless sign-in by using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.

The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy.

Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device. Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM.

PIN and biometric data stay on the device and can't be stored or accessed externally. Since the data can't be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.

Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards.

Windows Hello PIN

The Windows Hello PIN can only be entered by someone with physical access to the device, which makes it a strong factor for multifactor authentication. The TPM protects the PIN and, like biometric data, it never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server.

The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements.

If your device doesn't have built-in biometrics, Windows Hello uses Virtualization-based Security (VBS) by default to isolate credentials. This added layer of protection helps guard against admin-level attacks. Even when you sign in with a PIN, your credentials are stored in a secure container, ensuring protection on devices with or without built-in biometric sensors.

Windows Hello biometric

Windows Hello biometric sign-in enhances both security and productivity with a quick and convenient sign-in experience. You don't need to enter your PIN; just use your biometric data for an easy and delightful sign-in.

Windows devices that support biometric hardware, such as fingerprint or facial recognition cameras, integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with Windows Hello biometric requirements. Windows Hello facial recognition is designed to authenticate only from trusted cameras used at the time of enrollment.

If you attach a peripheral camera to the device after enrollment, you can use it for facial authentication once you validate it by signing in with the internal camera. For added security, you can disable external cameras for use with Windows Hello facial recognition.

Windows presence sensing

Windows presence sensing[9] provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.

Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers can customize and build extensions for the presence sensor.

Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. The new app privacy settings enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.

Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We're also supporting developers with new APIs for presence sensing for third-party applications. Third-party applications can now access user presence information on devices with presence sensors.

Windows Hello for Business

Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive, work email, and other business apps. Windows Hello for Business also gives IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.

After Windows Hello for Business is provisioned, users can use a PIN, face, or fingerprint to unlock credentials and sign in to their Windows device.

Provisioning methods include:

  • Passkeys (preview), which provide a seamless way for users to authenticate to Microsoft Entra ID without entering a username or password
  • Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID
  • Existing multifactor authentication with Microsoft Entra ID, including the Microsoft Authenticator app

Windows Hello for Business enhances security by replacing traditional usernames and passwords with a combination of a security key or certificate and a PIN or biometric data. This setup securely maps the credentials to a user account.

There are various deployment models available for Windows Hello for Business, providing flexibility to meet the diverse needs of different organizations. Among these models, the Hybrid cloud Kerberos trust model is recommended and considered the simplest for organizations operating in hybrid environments.

PIN reset

The Microsoft PIN Reset Service lets users reset their forgotten Windows Hello PINs without needing to re-enroll. After registering the service in the Microsoft Entra ID tenant, you must enable the capability on the Windows devices by using group policy or a device management solution like Microsoft Intune[3].

Users can start a PIN reset from the Windows lock screen or from the sign-in options in Settings. The process requires authenticating and completing multifactor authentication to reset the PIN.

Multi-factor unlock

For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows to require a combination of two unique trusted signals to sign in. Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi.

Multi-factor unlock is useful for organizations that need to prevent information workers from sharing credentials or that must comply with regulatory requirements for a two-factor authentication policy.

Windows passwordless experience

Windows Hello for Business now supports a fully passwordless experience.

IT admins can configure a policy on Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources. Once you configure the policy, the Windows user experience removes passwords for both device unlock and in-session authentication scenarios. However, the identity directory still retains passwords. Users are expected to navigate through their core authentication scenarios by using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can use passwordless recovery mechanisms such as Microsoft PIN reset service or web sign-in.

Users authenticate directly with Microsoft Entra ID, which helps speed access to on-premises applications and other resources.

Enhanced Sign-in Security (ESS)

Windows Hello supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.

Enhanced Sign-in Security biometrics uses Virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated.

These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent more attack classes.

Device manufacturers configure Enhanced Sign-in Security during the manufacturing process. Secured-core PCs typically support this feature. For facial recognition, Enhanced Sign-in Security is supported only by specific silicon and camera combinations; check with the device manufacturer to learn which ones. Fingerprint authentication is available across all processor types. Reach out to specific OEMs for support details.

FIDO2

The FIDO (Fast Identity Online) Alliance is an industry standards body established to promote authentication technologies and standards that reduce reliance on passwords. The FIDO Alliance and the World Wide Web Consortium (W3C) worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications. These specifications are the industry standard for providing strong, phishing-resistant, user-friendly, and privacy-preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. Windows 11 can also use external FIDO2 security keys for authentication alongside Windows Hello and Windows Hello for Business, which is itself a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.

Passkeys

Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the cross-platform future of secure sign-in. Microsoft and other technology leaders support passkeys across their platforms and services.

A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey with Windows Hello, a plugin passkey provider, an external FIDO2 security key, or their mobile device. Passkeys on Windows work for sign-in in any browser or app that supports them.

Passkeys created and saved with Windows Hello are protected by Windows Hello or Windows Hello for Business. Users can sign in to the site or app by using their face, fingerprint, or device PIN. Users can manage their passkeys from Settings > Accounts > Passkeys.

The new plugin model for passkey providers enables users to manage their passkeys with plugin passkey managers. This model ensures a seamless platform experience, regardless of whether passkeys are managed directly by Windows or by a third-party authenticator. When a plugin passkey provider is used, the passkeys are securely protected and managed by the plugin provider.

Microsoft Password Manager integrates with this plugin model to enable users to save and use their synced passkeys across Windows on browsers and native applications.

Microsoft Authenticator

The Microsoft Authenticator app runs on iOS and Android devices. It helps keep Windows 11 users secure and productive. You can use Microsoft Authenticator with Microsoft Entra passkeys as a phish-resistant method to bootstrap Windows Hello for Business.

Microsoft Authenticator also enables easy, secure sign-in for all online accounts by using multifactor authentication, passwordless phone sign-in, or phishing-resistant authentication (passkeys). The Authenticator app binds these accounts to the device and secures them with a public/private key pair in hardware-backed storage, such as the Secure Enclave in iOS and Keystore on Android. IT admins can use different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they're actively using it.

Individual users can see their sign-in history and security settings for Microsoft personal, work, or school accounts.

By using this secure app for authentication and authorization, people stay in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors.

Web sign-in

With web sign-in, users can sign in without a password by using the Microsoft Authenticator app or a Temporary Access Pass (TAP). Web sign-in also enables federated sign-in with a SAML-P identity provider.

Federated sign-in

Windows 11 supports federated sign-in with external education identity management services. For students who have difficulty typing or remembering complex passwords, this capability enables secure sign-in through methods like QR codes or pictures.

Smart cards

Organizations can also opt for smart cards, an authentication method that existed before biometric authentication. These tamper-resistant, portable storage devices enhance Windows security by authenticating users, signing code, securing e-mails, and signing in with Windows domain accounts.

Smart cards provide:

  • Ease of use in scenarios such as healthcare, where users need to sign in and out quickly without using their hands or when sharing a workstation
  • Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card
  • Portability of credentials and other private information between computers at work, home, or on the road

Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts.

When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Microsoft Entra ID certificate-based authentication. Smart cards can't be used with local accounts.

Windows Hello for Business and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys.

Enhanced phishing protection in Microsoft Defender SmartScreen

As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing is a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.

We know that people are in different parts of their passwordless journey. To help on that journey for people still using passwords, Windows 11 offers powerful credential protection. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
