
Passwordless Windows login: FIDO2 and fingerprint at work

Tags: FIDO2, Windows Hello, Passwordless, Microsoft Entra, Intune

In short: you can sign in to Windows without a password, with a FIDO2 security key and a fingerprint, even on Microsoft Entra hybrid joined PCs managed by Intune — while keeping single sign-on to on-premises resources. We configured it for a client with a hybrid infrastructure: below are the architecture, the real user experience (fingerprint only) and the limits to know before you start. No theory: how it is actually done.

  • Access: without a password
  • FIDO2: phishing-resistant
  • Biometrics: stay on the device

What signing in with FIDO2 means

FIDO2 is the open standard that lets you authenticate with a physical security key instead of a password. The key holds a cryptographic credential bound to the service it was registered for: that is why it is phishing-resistant. There is no code to type or intercept — as happens with passwords and OTPs via SMS or app — and on a fake page the key simply does not respond, because the page's origin does not match the one the credential was registered for.

Signing in takes two things together: possession of the key and a local factor — a fingerprint or a PIN. A lost key, on its own, is not enough. It is the principle of modern digital identity management: something you have, unlocked by something you are.

The three layers that make the login possible

Getting FIDO2 login to work on hybrid PCs (Entra hybrid joined) — that is, registered both in local Active Directory and in Microsoft Entra — requires three layers that must talk to each other:

  • 1. Identity (Microsoft Entra) — the FIDO2 method must be enabled in the authentication methods policy and assigned to the users who will register the key.
  • 2. Device (Intune) — a Settings Catalog policy turns on the FIDO2 credential provider on the PC (the Use Security Key For Sign-in setting), so the key appears on the Windows sign-in screen.
  • 3. Active Directory (Entra Kerberos) — the essential piece for hybrid: Microsoft Entra issues a partial Kerberos ticket that a domain controller converts into a full ticket, giving SSO to internal resources. It is configured on the synchronisation server with the Azure AD Hybrid Authentication Management module (AzureADHybridAuthenticationManagement), and its key must be rotated periodically.
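The third layer is the one with an ongoing operational duty: the Entra Kerberos server key lives both on the AzureADKerberos computer object in Active Directory and on the trust object in Entra, and it has to be rotated. The PowerShell below is an added example written for this article, not AtWorkStudio's own script: it reads the Kerberos server object with the AzureADHybridAuthenticationManagement module, reports whether the two copies of the key are on the same version and how old the key is, and rotates it when it exceeds an age threshold. The domain, the admin UPN and the 30-day threshold are placeholders; the property names (KeyVersion, CloudKeyVersion, KeyUpdatedOn) are those the module's Get-AzureADKerberosServer output uses.

```powershell
# Added example, not from the article: audit and rotate the Microsoft Entra Kerberos server key.
# Run on the Entra Connect (synchronisation) server where the object was created.
# Assumptions: the AzureADHybridAuthenticationManagement module is installed; domain, UPN and
# the 30-day threshold are placeholders chosen for this example.
Import-Module AzureADHybridAuthenticationManagement

function Test-EntraKerberosKey {
    param(
        [Parameter(Mandatory)] [string]$Domain,            # on-premises AD DNS name, e.g. corp.example.com
        [Parameter(Mandatory)] [string]$CloudAdminUpn,     # Entra admin UPN; the module prompts for cloud sign-in
        [Parameter(Mandatory)] [pscredential]$DomainCred,  # on-premises Domain Admin credential
        [int]$MaxKeyAgeDays = 30,                          # rotation threshold chosen here, not a Microsoft default
        [switch]$Rotate                                    # rotate when overdue instead of only reporting
    )

    $kerb = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudAdminUpn -DomainCredential $DomainCred
    if (-not $kerb) {
        Write-Warning "No Kerberos server object for $Domain; create it with Set-AzureADKerberosServer first."
        return $null
    }

    # AD and Entra each hold a copy of the key. Different versions mean the last update
    # did not land on both sides, and partial tickets will stop converting into full ones.
    $inSync  = ($kerb.KeyVersion -eq $kerb.CloudKeyVersion)
    $ageDays = ((Get-Date) - [datetime]$kerb.KeyUpdatedOn).TotalDays

    $report = [pscustomobject]@{
        Domain          = $Domain
        KeyVersion      = $kerb.KeyVersion
        CloudKeyVersion = $kerb.CloudKeyVersion
        KeyAgeDays      = [math]::Round($ageDays, 1)
        InSync          = $inSync
        NeedsRotation   = ($ageDays -gt $MaxKeyAgeDays)
    }

    if ($report.NeedsRotation -and $Rotate) {
        # -RotateServerKey generates a new key and writes it to both AD and Entra.
        Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudAdminUpn `
            -DomainCredential $DomainCred -RotateServerKey
        $report.NeedsRotation = $false
    }
    return $report
}

# Usage (interactive: prompts for the domain credential, then for the cloud sign-in).
$cred = Get-Credential -Message 'On-premises Domain Admin'
Test-EntraKerberosKey -Domain 'corp.example.com' -CloudAdminUpn 'admin@example.onmicrosoft.com' -DomainCred $cred
```

Without -Rotate the function only reports, which is the shape you want in a scheduled health check; add the switch in the maintenance window in which you actually rotate. A False in the InSync column is worth investigating before rotating again, since it points to a propagation problem rather than an ageing key.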

The user experience: fingerprint only

In the real case we used biometric FIDO2 keys, with a built-in fingerprint reader. Daily sign-in works like this: insert the key, touch the sensor. The key PIN is set only as a management and recovery fallback, and is not required in normal use. One operational detail that makes a difference: it is best to set the PIN and register the fingerprint on the key before registering the passkey in Entra, so verification is biometric from the very first sign-in.

And privacy? Biometrics never leave the device: the fingerprint is processed and stored locally, on the key or on the computer, and is never transmitted to Entra, to Active Directory or to other servers. What travels is only cryptographic proof that the local verification succeeded. It is an approach consistent with the GDPR, because the biometric data is not centralised.

To avoid being locked out if the key is unavailable, you register a backup passkey in the Microsoft Authenticator app on the smartphone: also a phishing-resistant FIDO2 credential, unlocked by the phone’s face or fingerprint — not a push notification or an OTP. The result: each user has two passwordless methods, the physical key for daily use and the passkey on the phone as a backup.

How you start from scratch, without a password

There is a classic chicken-and-egg problem: to register the first key without using a password you need a secure entry point. The tool is the Temporary Access Pass (TAP): a time-limited code the administrator issues for the user. With the TAP the user signs in to the security portal, registers the FIDO2 key and then the backup passkey. A multi-use TAP with a generous validity is preferable, to avoid clashing with the tight limit of the single-use one.
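The TAP is the only credential the user ever holds that is not a passkey, so it pays to issue it programmatically, with the lifetime and multi-use flag set deliberately, and then to verify that the enrolment actually produced both methods. The following is an added example written for this article, not AtWorkStudio's tooling: it uses the Microsoft Graph PowerShell SDK to create a multi-use TAP for one user and, once the user has enrolled, counts the FIDO2 methods registered on the account. The UPN and the 480-minute lifetime are placeholders; the lifetime must fall within whatever range the tenant's TAP policy allows.

```powershell
# Added example, not from the article: issue a multi-use Temporary Access Pass to a user with
# no password, then check that two FIDO2 methods (key + backup passkey) have been registered.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the UPN and lifetime are placeholders.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

function New-OnboardingTap {
    param(
        [Parameter(Mandatory)] [string]$UserId,   # UPN or object id
        [int]$LifetimeMinutes = 480               # must sit inside the tenant TAP policy's allowed range
    )
    # Multi-use: the user signs in once to register the physical key and again for the phone passkey.
    $body = @{
        isUsableOnce      = $false
        lifetimeInMinutes = $LifetimeMinutes
    }
    $tap   = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -BodyParameter $body
    $start = [datetime]$tap.StartDateTime
    [pscustomobject]@{
        User      = $UserId
        Code      = $tap.TemporaryAccessPass   # shown only once: hand it to the user out of band
        StartsAt  = $start
        ExpiresAt = $start.AddMinutes($tap.LifetimeInMinutes)
        MultiUse  = -not $tap.IsUsableOnce
    }
}

function Get-RegisteredFido2Methods {
    param([Parameter(Mandatory)] [string]$UserId)
    # The security key and the Authenticator passkey are both FIDO2 credentials,
    # so both are expected to be listed by this call.
    Get-MgUserAuthenticationFido2Method -UserId $UserId |
        Select-Object DisplayName, Model, AttestationLevel, CreatedDateTime
}

function Test-PasswordlessEnrollment {
    param(
        [Parameter(Mandatory)] [string]$UserId,
        [int]$MinimumMethods = 2                  # one key for daily use plus one backup passkey
    )
    $methods = @(Get-RegisteredFido2Methods -UserId $UserId)
    [pscustomobject]@{
        User     = $UserId
        Methods  = $methods.Count
        Complete = ($methods.Count -ge $MinimumMethods)
    }
}

# Usage
$user = 'alice@example.com'   # placeholder user
New-OnboardingTap -UserId $user
Test-PasswordlessEnrollment -UserId $user
```

Running Test-PasswordlessEnrollment over the whole target group after the registration campaign gives you the list of users who stopped after the first key and still have no backup, which is exactly the population that will end up locked out when a key is forgotten at home.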

To support adoption, a registration campaign guides the users of the target group to add the key at their next sign-in. On the PC side you just sync Intune and reboot to pick up the policy; on a machine that is already hybrid you check with dsregcmd /status that it is both Entra joined and domain joined (AzureAdJoined and DomainJoined both report YES). Rollout to the other users happens through a dedicated group, without redoing the configuration each time.
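The dsregcmd check is easy to eyeball on one PC and tedious on fifty. As an added example, not a script from the article, here is a small PowerShell function that parses the output of dsregcmd /status into a hashtable and evaluates the three fields that matter for this scenario: AzureAdJoined and DomainJoined (both YES on a hybrid joined device) and AzureAdPrt, which tells you whether the signed-in user actually holds a Primary Refresh Token. The field names are the ones dsregcmd prints; the SSO section reflects the user the command runs as, so run it in the user's session rather than from an elevated admin prompt.

```powershell
# Added example, not from the article: confirm the hybrid join state of a PC from dsregcmd /status.
# Field names (AzureAdJoined, DomainJoined, AzureAdPrt) are those printed by dsregcmd.
function Get-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable. Lines without a colon
    # (section headers, separator rows) are skipped; the key stops at the first colon, so values
    # that contain colons themselves (URLs) are kept whole.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HybridJoinState {
    param([hashtable]$Status = (Get-DsregStatus))

    $expected = [ordered]@{
        AzureAdJoined = 'YES'   # device is registered in Microsoft Entra
        DomainJoined  = 'YES'   # device is joined to on-premises AD; both YES = hybrid joined
        AzureAdPrt    = 'YES'   # the signed-in user holds a Primary Refresh Token (SSO works)
    }

    $checks = foreach ($key in $expected.Keys) {
        [pscustomobject]@{
            Check    = $key
            Expected = $expected[$key]
            Actual   = if ($Status.ContainsKey($key)) { $Status[$key] } else { '<missing>' }
            Pass     = ($Status[$key] -eq $expected[$key])
        }
    }

    [pscustomobject]@{
        Device = $Status['DeviceId']            # Entra device id, useful when correlating with Intune
        Tenant = $Status['TenantName']
        Ready  = -not ($checks | Where-Object { -not $_.Pass })
        Checks = $checks
    }
}

# Usage: run in the user's own session, not elevated, so the SSO State section is the user's.
$result = Test-HybridJoinState
$result.Checks | Format-Table Check, Expected, Actual, Pass
"Ready for FIDO2 sign-in: $($result.Ready)"
```

A device that reports DomainJoined YES but AzureAdJoined NO is the "AD-only" case described in the limits section: the FIDO2 credential provider may appear, but there is no Entra identity to authenticate against, so fix the hybrid join before enrolling keys.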

What does NOT work: the real limits

The part nobody tells you, and that matters at design time. FIDO2 key sign-in covers the interactive login to the Windows PC, but does not automatically extend to everything:

  • RDP, VDI and Citrix — not natively supported, except via WebAuthn redirection where available. Same for direct server login and "Run as".
  • AD-only domain joined devices — without hybrid join to Entra, the scenario does not apply.
  • Emergency (break-glass) accounts — must be kept outside the passwordless perimeter, as a safety net.
  • Prerequisites — Windows 10 2004 or later, Windows Server 2016+ domain controllers updated with AES enabled, at least one writable domain controller per site.

Why it is worth it, and how we help

Removing the password from access to company computers eliminates the most exploited attack vector — stolen credentials, phishing, password reuse — and improves the experience too: you sign in with a finger. Phishing-resistant authentication is among the most requested measures, including in a NIS2 context, and it fits naturally into a modern workplace managed with Microsoft 365 and Intune.

AtWorkStudio has been operating from Piacenza since 2000. We design and manage hybrid Entra/Intune environments and end-to-end passwordless rollouts. We are certified ISO/IEC 27001, 27017, 27018 and ISO 9001, ACN (Italian National Cybersecurity Agency) qualified for cloud services, members of Clusit (Italian Association for Information Security) and affiliated to Confindustria Piacenza in the RICT cluster.

Sources

  • Microsoft Learn — Enable FIDO2 security key sign-in to Windows devices with Microsoft Entra ID
  • Microsoft Learn — Enable passwordless security key sign-in to on-premises resources (Microsoft Entra Kerberos)
  • Microsoft Learn — Configure a Temporary Access Pass in Microsoft Entra ID
  • Microsoft Learn — Authentication methods registration campaign


Want to remove the password from access to your computers?

We design end-to-end passwordless — FIDO2, Windows Hello, Intune and Entra Kerberos for on-premises SSO — starting from an assessment of your environment. Let’s talk.